amélioration de la sécurité
This commit is contained in:
parent
699b2cc9ad
commit
c908b037d0
@ -61,7 +61,7 @@ if (!$user->rights->commercial->client->voir && $socidp && !$user->societe_id >
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socidp." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socidp." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
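Review bot: The rewritten WHERE line still splices `$socidp` and `$user->id` straight into the SQL string, so this hunk only qualifies the column names and leaves the query unparameterised. If `$socidp` is taken from the request (its assignment is outside this hunk, so I cannot confirm), it should be forced to an integer before it reaches the query, e.g. `$sql .= " WHERE sc.fk_soc = ".(int) $socidp." AND sc.fk_user = ".(int) $user->id." AND s.client = 1";`. The guard also sits inside `if ( $db->query($sql) )`, so a query that errors out skips whatever check follows the opening brace; that body is outside the hunk, but if it is the usual `num_rows() == 0 → accessforbidden()` pattern the restriction is fail-open on any SQL error. The enclosing `if` starts above the hunk.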
@ -55,7 +55,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
//print "eeeee".$socid."rr".$user->societe_id."oo".$user->rights->commercial->client->voir;
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be>
|
||||
* Copyright (C) 2005 Regis Houssin <regis.houssin@cap-networks.com>
|
||||
* Copyright (C) 2005-2006 Regis Houssin <regis.houssin@cap-networks.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -39,6 +39,27 @@ $langs->load("users");
|
||||
$error = array();
|
||||
$socid=$_GET["socid"]?$_GET["socid"]:$_POST["socid"];
|
||||
|
||||
// Protection quand utilisateur externe
|
||||
$contactid = isset($_GET["id"])?$_GET["id"]:'';
|
||||
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$socid = $user->societe_id;
|
||||
}
|
||||
|
||||
// Protection restriction commercial
|
||||
if (!$user->rights->commercial->client->voir && $contactid && !$user->societe_id > 0)
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, sp.fk_soc";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp";
|
||||
$sql .= " WHERE sp.idp = ".$contactid." AND sc.fk_soc = sp.fk_soc AND fk_user = ".$user->id;
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
if ( $db->num_rows() == 0) accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ($_GET["action"] == 'create_user' && $user->admin)
|
||||
{
|
||||
|
||||
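Review bot: The new restriction block concatenates `$contactid`, which is `$_GET["id"]` with no validation, directly into `sp.idp = ".$contactid."`, so the access check itself is a SQL injection point on an unauthenticated-looking GET parameter. Casting at the source fixes both the injection and the truthiness test on the next line: `$contactid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;`. The check is also fail-open: `accessforbidden()` is only reached when `$db->query($sql)` succeeds, so a query that fails (including one broken by a crafted `id`) falls through to the page; add `else accessforbidden();` after the `if ( $db->query($sql) )` block. Finally, `AND fk_user = ".$user->id` is left unqualified here while every other hunk in this commit rewrites it as `sc.fk_user`; use `sc.fk_user` for consistency with the rest of the change.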
@ -52,7 +52,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
@ -54,7 +54,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.fournisseur";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.fournisseur = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.fournisseur = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
@ -63,7 +63,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id;
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id;
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
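Review bot: Qualifying `sc.fk_soc` and `sc.fk_user` does not change that `$socid` and `$user->id` are interpolated unescaped into the query on the new WHERE line, so the visibility restriction is only as safe as whatever assigned `$socid` above the hunk. Since both values are row ids, an integer cast is the minimal fix: `$sql .= " WHERE sc.fk_soc = ".(int) $socid." AND sc.fk_user = ".(int) $user->id;`. As in the sibling hunks, the test lives inside `if ( $db->query($sql) )`, whose body is outside this view; if the forbidden branch is only taken on a successful query, a SQL error bypasses the restriction. The enclosing `if` begins before the hunk.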
@ -48,7 +48,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
@ -47,7 +47,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
@ -47,7 +47,7 @@ if (!$user->rights->commercial->client->voir && $socidp && !$user->societe_id >
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc, s.client";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql .= " WHERE fk_soc = ".$socidp." AND fk_user = ".$user->id." AND s.client = 1";
|
||||
$sql .= " WHERE sc.fk_soc = ".$socidp." AND sc.fk_user = ".$user->id." AND s.client = 1";
|
||||
|
||||
if ( $db->query($sql) )
|
||||
{
|
||||
|
||||
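Review bot: Same remark as on the first hunk of this commit: the corrected WHERE clause still builds the query by string concatenation of `$socidp`, whose origin is not visible here, and of `$user->id`. If `$socidp` is request-supplied, it should be normalised to an int before use, e.g. `$socidp = (int) $socidp;` before the `$sql =` line, so the commercial-restriction check cannot itself be used to inject SQL. The `if ( $db->query($sql) )` wrapper means an erroring query silently skips the check that presumably follows; that body is outside the hunk, so treat this as something to confirm in the file. The enclosing `if` starts above the hunk.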