diff --git a/htdocs/comm/fiche.php b/htdocs/comm/fiche.php
index 40acfebd47c..61aecebfbcb 100644
--- a/htdocs/comm/fiche.php
+++ b/htdocs/comm/fiche.php
@@ -61,7 +61,7 @@ if (!$user->rights->commercial->client->voir && $socidp && !$user->societe_id >
 {
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socidp." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socidp." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/compta/fiche.php b/htdocs/compta/fiche.php
index ef68508eb9e..e2fbabec97f 100644
--- a/htdocs/compta/fiche.php
+++ b/htdocs/compta/fiche.php
@@ -55,7 +55,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 //print "eeeee".$socid."rr".$user->societe_id."oo".$user->rights->commercial->client->voir;
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php
index 72d97fcec92..0aa169d8a1a 100644
--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -2,7 +2,7 @@
 /* Copyright (C) 2004-2005 Rodolphe Quiedeville
 * Copyright (C) 2004-2005 Laurent Destailleur
 * Copyright (C) 2004 Benoit Mortier
- * Copyright (C) 2005 Regis Houssin
+ * Copyright (C) 2005-2006 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
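Review bot: The company id is still concatenated unquoted into the authorisation query on the `+` line (`" WHERE sc.fk_soc = ".$socidp`), so qualifying the column removes the ambiguous-column error but leaves the access check itself injectable; `$socidp` is presumably request-derived, as `$socid` visibly is in the contact/fiche.php hunk. Both values are only ever compared with integer keys, so coercing them is sufficient: `$sql .= " WHERE sc.fk_soc = ".(int) $socidp." AND sc.fk_user = ".(int) $user->id." AND s.client = 1";`. The guard also looks fail-open: the hunk shows no branch for a failed `$db->query($sql)`, and if, as in the contact/fiche.php hunk, the only `accessforbidden()` sits inside the success branch, a query error lets the page through, so an `else accessforbidden();` belongs after the `if ( $db->query($sql) )` block, which ends outside the hunk. The same two points apply to the identical hunks in compta/fiche.php, docsoc.php, fourn/fiche.php, soc.php, societe/info.php, societe/notify/fiche.php and socnote.php.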
@@ -39,6 +39,27 @@ $langs->load("users");
 $error = array();
 
 $socid=$_GET["socid"]?$_GET["socid"]:$_POST["socid"];
+// Protection quand utilisateur externe
+$contactid = isset($_GET["id"])?$_GET["id"]:'';
+
+if ($user->societe_id > 0)
+{
+ $socid = $user->societe_id;
+}
+
+// Protection restriction commercial
+if (!$user->rights->commercial->client->voir && $contactid && !$user->societe_id > 0)
+{
+ $sql = "SELECT sc.fk_soc, sp.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp";
+ $sql .= " WHERE sp.idp = ".$contactid." AND sc.fk_soc = sp.fk_soc AND fk_user = ".$user->id;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 
 if ($_GET["action"] == 'create_user' && $user->admin)
 {
diff --git a/htdocs/docsoc.php b/htdocs/docsoc.php
index 90ec0499bb8..ff90ef50a76 100644
--- a/htdocs/docsoc.php
+++ b/htdocs/docsoc.php
@@ -52,7 +52,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 {
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/fourn/fiche.php b/htdocs/fourn/fiche.php
index 2e0e1f22776..13f19d2b942 100644
--- a/htdocs/fourn/fiche.php
+++ b/htdocs/fourn/fiche.php
@@ -54,7 +54,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 {
 $sql = "SELECT sc.fk_soc, s.fournisseur";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.fournisseur = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.fournisseur = 1";
 
 if ( $db->query($sql) )
 {
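Review bot: The new restriction query still uses an unqualified `fk_user` (`AND sc.fk_soc = sp.fk_soc AND fk_user = ".$user->id`) while every other hunk in this commit qualifies it as `sc.fk_user`; it should read `AND sc.fk_user = ".(int) $user->id` so a same-named column on the joined `socpeople` table cannot make the statement ambiguous. `$contactid` is taken straight from `$_GET["id"]` and concatenated into `sp.idp = ".$contactid`, so the access check itself is injectable; since `idp` is only compared with an integer key, `" WHERE sp.idp = ".(int) $contactid` closes that. The check is also fail-open: `accessforbidden()` runs only inside the `if ( $db->query($sql) )` branch, so a failed query (for example the ambiguity above) silently grants access, and an `else accessforbidden();` is needed after that block. The `$contactid &&` operand means a missing or zero id skips the restriction entirely, which may be intended but deserves a comment such as `// no contact id: nothing to restrict on this request`. Finally, `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0` and gives the intended result only through bool-to-int comparison; `$user->societe_id <= 0` states the intent directly.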
diff --git a/htdocs/soc.php b/htdocs/soc.php
index 157e186924b..4f2596ce913 100644
--- a/htdocs/soc.php
+++ b/htdocs/soc.php
@@ -63,7 +63,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 {
 $sql = "SELECT sc.fk_soc";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id;
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id;
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/societe/info.php b/htdocs/societe/info.php
index 819a682ca48..00dd1f03187 100644
--- a/htdocs/societe/info.php
+++ b/htdocs/societe/info.php
@@ -48,7 +48,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 {
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/societe/notify/fiche.php b/htdocs/societe/notify/fiche.php
index cbb9ddddb9f..e80e396f610 100644
--- a/htdocs/societe/notify/fiche.php
+++ b/htdocs/societe/notify/fiche.php
@@ -47,7 +47,7 @@ if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0
 {
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {
diff --git a/htdocs/socnote.php b/htdocs/socnote.php
index edd60e256e7..3418ee4ed73 100644
--- a/htdocs/socnote.php
+++ b/htdocs/socnote.php
@@ -47,7 +47,7 @@ if (!$user->rights->commercial->client->voir && $socidp && !$user->societe_id >
 {
 $sql = "SELECT sc.fk_soc, s.client";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE fk_soc = ".$socidp." AND fk_user = ".$user->id." AND s.client = 1";
+ $sql .= " WHERE sc.fk_soc = ".$socidp." AND sc.fk_user = ".$user->id." AND s.client = 1";
 
 if ( $db->query($sql) )
 {