diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index cf0fa1cd697..2dceee2831c 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -846,8 +846,8 @@ class Categorie extends CommonObject $objs = array(); - $tmpclass = $this->MAP_OBJ_CLASS[$type]; - $obj = new $tmpclass($this->db); + $classnameforobj = $this->MAP_OBJ_CLASS[$type]; + $obj = new $classnameforobj($this->db); $sql = "SELECT c.fk_".(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type]); $sql .= " FROM ".MAIN_DB_PREFIX."categorie_".(empty($this->MAP_CAT_TABLE[$type]) ? $type : $this->MAP_CAT_TABLE[$type])." as c"; @@ -875,8 +875,11 @@ class Categorie extends CommonObject } else { - $obj = new $this->MAP_OBJ_CLASS[$type]($this->db); + $classnameforobj = $this->MAP_OBJ_CLASS[$type]; + + $obj = new $classnameforobj($this->db); $obj->fetch($rec['fk_'.(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type])]); + $objs[] = $obj; } } diff --git a/htdocs/core/boxes/box_contacts.php b/htdocs/core/boxes/box_contacts.php index caea252c571..7141728c23d 100644 --- a/htdocs/core/boxes/box_contacts.php +++ b/htdocs/core/boxes/box_contacts.php @@ -94,7 +94,7 @@ class box_contacts extends ModeleBoxes $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON sp.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$user->socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql .= " WHERE sp.entity IN (".getEntity('socpeople').")"; - if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND sp.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($user->socid) $sql .= " AND sp.fk_soc = ".$user->socid; $sql .= " ORDER BY sp.tms DESC"; $sql .= $this->db->plimit($max, 0); diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 3eeaea46858..46e85707497 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -360,7 +360,7 @@ class FormFile // Add entity in $param if not already exists if (!preg_match('/entity\=[0-9]+/', $param)) { - $param .= 'entity='.(!empty($object->entity) ? $object->entity : $conf->entity); + $param .= ($param ? '&' : '').'entity='.(!empty($object->entity) ? $object->entity : $conf->entity); } $printer = 0; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index fbcffd8894f..e84bb14b4a2 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -8668,7 +8668,7 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u $attr['class'] .= ' classfortooltip'; } - if (empty($id)) { + if (!empty($id)) { $attr['id'] = $id; } diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 72713393025..92728286cd5 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -1,6 +1,7 @@ * Copyright (C) 2008-2017 Regis Houssin + * Copyright (C) 2020 Ferran Marcet * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -551,6 +552,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } + + if ($feature == 'agenda')// Also check myactions rights + { + if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) { + require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php'; + $action = new ActionComm($db); + $action->fetch($objectid); + if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) { + return false; + } + } + } } elseif (in_array($feature, $checkproject)) {