From 496907d448cc744203a948296f59dc1bda8f41ca Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sun, 1 Jul 2018 10:14:27 +0200
Subject: [PATCH 01/12] Fix: changelog
---
 ChangeLog | 47 +++++++++++++++++++++++------------------------
 1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fac6c0a3c06..4adf6192acd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,28 @@ English Dolibarr ChangeLog -------------------------------------------------------------- +***** ChangeLog for 8.0.0 compared to 7.0.3 ***** + +WARNING: + +Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: +* Remove old deprecated hook 'insertExtraFields'. Triggers must be used for action on CRUD events. +* Hook 'maildao' was renamed into 'mail' into the method sendfile that send emails, and method was renamed from + 'doaction' into 'sendMail'. +* Rename trigger CONTRACT_SERVICE_ACTIVATE into LINECONTRACT_ACTIVATE and + CONTRACT_SERVICE_CLOSE into LINECONTRACT_CLOSE +* Remove triggers *_CLONE. The trigger CREATE with context 'createfromclone' is already called so this is + a duplicated feature. Cloning is not a business event, the business event is CREATE, so no trigger required. +* PHP 5.3 is no more supported. Minimum PHP is now 5.4+ +* Remove the old deprecated code of doActions and getInstanceDao in canvas. The doActions of standard hooks are + already available and are better. +* Removed method fetch_prods() and get_each_prod() not used, keep only get_arbo_each_prod() that is better. +* The hook contaxt commcard has been renamed thirdpartycomm +* The hook contaxt thirdpartycard has been renamed thirdpartycontact +* Remove method Categorie:get_nb_categories() that was not used. +* Hook getnomurltooltip provide a duplicate feature compared to hook getNomUrl so all hooks getnomurltooltip + are now replaced with hook getNomUrl. + ***** ChangeLog for 7.0.3 compared to 7.0.2 ***** FIX: 7.0 task contact card without withproject parameters FIX: #8722 
@@ -40,29 +62,6 @@ FIX: supplier order: product supplier ref not saved on addline FIX: test is_erasable() must be done before call function delete() too to avoid delete invoice with &action=delete in url FIX: wrong var name $search_month_lim -***** ChangeLog for 8.0.0 compared to 7.0.0 ***** - -WARNING: - -Following changes may create regressions for some external modules, but were necessary to make Dolibarr better: -* Remove old deprecated hook 'insertExtraFields'. Triggers must be used for action on CRUD events. -* Hook 'maildao' was renamed into 'mail' into the method sendfile that send emails, and method was renamed from - 'doaction' into 'sendMail'. -* Rename trigger CONTRACT_SERVICE_ACTIVATE into LINECONTRACT_ACTIVATE and - CONTRACT_SERVICE_CLOSE into LINECONTRACT_CLOSE -* Remove triggers *_CLONE. The trigger CREATE with context 'createfromclone' is already called so this is - a duplicated feature. Cloning is not a business event, the business event is CREATE, so no trigger required. -* PHP 5.3 is no more supported. Minimum PHP is now 5.4+ -* Remove the old deprecated code of doActions and getInstanceDao in canvas. The doActions of standard hooks are - already available and are better. -* Removed method fetch_prods() and get_each_prod() not used, keep only get_arbo_each_prod() that is better. -* The hook contaxt commcard has been renamed thirdpartycomm -* The hook contaxt thirdpartycard has been renamed thirdpartycontact -* Remove method Categorie:get_nb_categories() that was not used. -* Hook getnomurltooltip provide a duplicate feature compared to hook getNomUrl so all hooks getnomurltooltip - are now replaced with hook getNomUrl. - - ***** ChangeLog for 7.0.2 compared to 7.0.1 ***** FIX: #8023 FIX: #8259 can't update contact birthday with REST API 
@@ -220,7 +219,7 @@ FIX: Use of undefined constant _ROWS_2 FIX: warning when adding ECM files using old photo path -***** ChangeLog for 7.0.0 compared to 6.0.5 ***** +***** ChangeLog for 7.0.0 compared to 6.0.7 ***** For users: NEW: Add a preview icon after files that can be previewed (pdf + images) NEW: When payment is registered, PDF of invoices are also regenerated so payments From d699667722277461fb592815626c454108d82a53 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 11:06:47 +0200 Subject: [PATCH 02/12] Fix: possibility to overload permissions (multicompany sharing) --- htdocs/comm/propal/card.php | 128 +++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 60 deletions(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 817115d93af..4a6fa7f47f6 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php 
@@ -108,9 +108,21 @@ if ($id > 0 || ! empty($ref)) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('propalcard','globalcard')); -$permissionnote = $user->rights->propale->creer; // Used by the include of actions_setnotes.inc.php -$permissiondellink=$user->rights->propale->creer; // Used by the include of actions_dellink.inc.php -$permissiontoedit = $user->rights->propale->creer; // Used by the include of actions_lineupdown.inc.php +$usercanread = $user->rights->propal->lire; +$usercancreate = $user->rights->propal->creer; +$usercanclose = $user->rights->propal->cloturer; +$usercandelete = $user->rights->propal->supprimer; +$usercanvalidate = ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && $usercancreate) || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))); +$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send); + +$usercancreateorder = $user->rights->commande->creer; +$usercancreateinvoice = $user->rights->facture->creer; +$usercancreatecontract = $user->rights->contrat->creer; +$usercancreateintervention = $user->rights->ficheinter->creer; + +$permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc.php +$permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php +$permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php /* @@ -140,7 +152,7 @@ if (empty($reshook)) include DOL_DOCUMENT_ROOT.'/core/actions_lineupdown.inc.php'; // Must be include, not include_once // Action clone object - if ($action == 'confirm_clone' && $confirm == 'yes') + if ($action == 'confirm_clone' && $confirm == 'yes' && $usercancreate) { if (! GETPOST('socid', 3)) { 
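Review bot: `$usercansend` reads `$user->rights->propal->propal_advance->send` directly while the sibling `$usercanvalidate` wraps the same subtree in `! empty()`, so when MAIN_USE_ADVANCED_PERMS is set but the propal_advance rights were never granted this line raises an undefined-property notice instead of quietly evaluating to false; `$usercansend = (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || ! empty($user->rights->propal->propal_advance->send));` keeps the two consistent. The four cross-module flags (`$usercancreateorder`, `$usercancreateinvoice`, `$usercancreatecontract`, `$usercancreateintervention`) are now read unconditionally at page load, whereas the inline checks they replace sat behind the module's `enabled` test at the use sites; if the rights subtree is not populated for a disabled module this presumably triggers the same notice, so either confirm that or wrap them in `! empty()` as well. Because these variables become the effective permission for every action on the page, a short comment such as `// Effective permissions; hooks may overwrite these (multicompany sharing)` above the block would explain why they are plain variables rather than inline rights checks.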
@@ -191,7 +203,7 @@ if (empty($reshook)) } // Delete proposal - else if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->propal->supprimer) + else if ($action == 'confirm_delete' && $confirm == 'yes' && $usercandelete) { $result = $object->delete($user); if ($result > 0) { @@ -204,7 +216,7 @@ if (empty($reshook)) } // Remove line - else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->rights->propal->creer) + else if ($action == 'confirm_deleteline' && $confirm == 'yes' && $usercancreate) { $result = $object->deleteline($lineid); // reorder lines @@ -228,10 +240,7 @@ if (empty($reshook)) } // Validation - else if ($action == 'confirm_validate' && $confirm == 'yes' && - ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer)) - || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))) - ) + else if ($action == 'confirm_validate' && $confirm == 'yes' && $usercanvalidate) { $result = $object->valid($user); if ($result >= 0) @@ -258,7 +267,7 @@ if (empty($reshook)) } } - else if ($action == 'setdate' && $user->rights->propal->creer) + else if ($action == 'setdate' && $usercancreate) { $datep = dol_mktime(12, 0, 0, $_POST['remonth'], $_POST['reday'], $_POST['reyear']); 
@@ -273,13 +282,13 @@ if (empty($reshook)) dol_print_error($db, $object->error); } } - else if ($action == 'setecheance' && $user->rights->propal->creer) + else if ($action == 'setecheance' && $usercancreate) { $result = $object->set_echeance($user, dol_mktime(12, 0, 0, $_POST['echmonth'], $_POST['echday'], $_POST['echyear'])); if ($result < 0) dol_print_error($db, $object->error); } - else if ($action == 'setdate_livraison' && $user->rights->propal->creer) + else if ($action == 'setdate_livraison' && $usercancreate) { $result = $object->set_date_livraison($user, dol_mktime(12, 0, 0, $_POST['date_livraisonmonth'], $_POST['date_livraisonday'], $_POST['date_livraisonyear'])); if ($result < 0) @@ -287,7 +296,7 @@ if (empty($reshook)) } // Positionne ref client - else if ($action == 'setref_client' && $user->rights->propal->creer) + else if ($action == 'setref_client' && $usercancreate) { $result = $object->set_ref_client($user, GETPOST('ref_client')); if ($result < 0) @@ -297,13 +306,13 @@ if (empty($reshook)) } // Set incoterm - elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled)) + elseif ($action == 'set_incoterms' && !empty($conf->incoterm->enabled) && $usercancreate) { $result = $object->setIncoterms(GETPOST('incoterm_id', 'int'), GETPOST('location_incoterms', 'alpha')); } // Create proposal - else if ($action == 'add' && $user->rights->propal->creer) + else if ($action == 'add' && $usercancreate) { $object->socid = $socid; $object->fetch_thirdparty(); @@ -597,7 +606,7 @@ if (empty($reshook)) } // Classify billed - else if ($action == 'classifybilled' && $user->rights->propal->cloturer) + else if ($action == 'classifybilled' && $usercanclose) { $result=$object->cloture($user, 4, ''); if ($result < 0) 
@@ -608,7 +617,7 @@ if (empty($reshook)) } // Close proposal - else if ($action == 'setstatut' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) + else if ($action == 'setstatut' && $usercanclose && ! GETPOST('cancel','alpha')) { if (! (GETPOST('statut','int') > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("CloseAs")), null, 'errors'); @@ -628,7 +637,7 @@ if (empty($reshook)) } // Reopen proposal - else if ($action == 'confirm_reopen' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) + else if ($action == 'confirm_reopen' && $usercanclose && ! GETPOST('cancel','alpha')) { // prevent browser refresh from reopening proposal several times if ($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) @@ -653,7 +662,7 @@ if (empty($reshook)) // Go back to draft - if ($action == 'modif' && $user->rights->propal->creer) + if ($action == 'modif' && $usercancreate) { $object->set_draft($user); @@ -671,7 +680,7 @@ if (empty($reshook)) } } - else if ($action == "setabsolutediscount" && $user->rights->propal->creer) { + else if ($action == "setabsolutediscount" && $usercancreate) { if ($_POST["remise_id"]) { if ($object->id > 0) { $result = $object->insert_discount($_POST["remise_id"]); @@ -683,7 +692,7 @@ if (empty($reshook)) } // Add line - else if ($action == 'addline' && $user->rights->propal->creer) { + else if ($action == 'addline' && $usercancreate) { // Set if we used free entry or predefined product $predef=''; @@ -1046,7 +1055,7 @@ if (empty($reshook)) } // Update a line within proposal - else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('save')) + else if ($action == 'updateligne' && $usercancreate && GETPOST('save')) { // Define info_bits $info_bits = 0; 
@@ -1183,62 +1192,62 @@ if (empty($reshook)) } } - else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('cancel','alpha')) + else if ($action == 'updateligne' && $usercancreate && GETPOST('cancel','alpha')) { header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition exit(); } // Set project - else if ($action == 'classin' && $user->rights->propal->creer) { + else if ($action == 'classin' && $usercancreate) { $object->setProject(GETPOST('projectid','int')); } // Delai de livraison - else if ($action == 'setavailability' && $user->rights->propal->creer) { + else if ($action == 'setavailability' && $usercancreate) { $result = $object->set_availability($user, GETPOST('availability_id','int')); } // Origine de la propale - else if ($action == 'setdemandreason' && $user->rights->propal->creer) { + else if ($action == 'setdemandreason' && $usercancreate) { $result = $object->set_demand_reason($user, GETPOST('demand_reason_id','int')); } // Conditions de reglement - else if ($action == 'setconditions' && $user->rights->propal->creer) { + else if ($action == 'setconditions' && $usercancreate) { $result = $object->setPaymentTerms(GETPOST('cond_reglement_id', 'int')); } - else if ($action == 'setremisepercent' && $user->rights->propal->creer) { + else if ($action == 'setremisepercent' && $usercancreate) { $result = $object->set_remise_percent($user, $_POST['remise_percent']); } - else if ($action == 'setremiseabsolue' && $user->rights->propal->creer) { + else if ($action == 'setremiseabsolue' && $usercancreate) { $result = $object->set_remise_absolue($user, $_POST['remise_absolue']); } // Mode de reglement - else if ($action == 'setmode' && $user->rights->propal->creer) { + else if ($action == 'setmode' && $usercancreate) { $result = $object->setPaymentMethods(GETPOST('mode_reglement_id', 'int')); } // Multicurrency Code - else if ($action == 'setmulticurrencycode' && 
$user->rights->propal->creer) { + else if ($action == 'setmulticurrencycode' && $usercancreate) { $result = $object->setMulticurrencyCode(GETPOST('multicurrency_code', 'alpha')); } // Multicurrency rate - else if ($action == 'setmulticurrencyrate' && $user->rights->propal->creer) { + else if ($action == 'setmulticurrencyrate' && $usercancreate) { $result = $object->setMulticurrencyRate(price2num(GETPOST('multicurrency_tx'))); } // bank account - else if ($action == 'setbankaccount' && $user->rights->propal->creer) { + else if ($action == 'setbankaccount' && $usercancreate) { $result=$object->setBankAccount(GETPOST('fk_account', 'int')); } // shipping method - else if ($action == 'setshippingmethod' && $user->rights->propal->creer) { + else if ($action == 'setshippingmethod' && $usercancreate) { $result=$object->setShippingMethod(GETPOST('shipping_method_id', 'int')); } @@ -1261,7 +1270,7 @@ if (empty($reshook)) if ($error) $action = 'edit_extras'; } - if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $user->rights->propal->creer) + if (! empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $usercancreate) { if ($action == 'addcontact') { @@ -1308,7 +1317,7 @@ if (empty($reshook)) // Actions to build doc $upload_dir = $conf->propal->multidir_output[$object->entity]; - $permissioncreate=$user->rights->propal->creer; + $permissioncreate=$usercancreate; include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php'; } @@ -1837,8 +1846,8 @@ if ($action == 'create') $morehtmlref='
'; // Ref customer - $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', 0, 1); - $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $user->rights->propal->creer, 'string', '', null, null, '', 1); + $morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', 0, 1); + $morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, $usercancreate, 'string', '', null, null, '', 1); // Thirdparty $morehtmlref.='
'.$langs->trans('ThirdParty') . ' : ' . $object->thirdparty->getNomUrl(1,'customer'); if (empty($conf->global->MAIN_DISABLE_OTHER_LINK) && $object->thirdparty->id > 0) $morehtmlref.=' ('.$langs->trans("OtherProposals").')'; @@ -1847,7 +1856,7 @@ if ($action == 'create') { $langs->load("projects"); $morehtmlref.='
'.$langs->trans('Project') . ' '; - if ($user->rights->propal->creer) + if ($usercancreate) { if ($action != 'classify') $morehtmlref.='' . img_edit($langs->transnoentitiesnoconv('SetProject')) . ' : '; @@ -1984,9 +1993,9 @@ if ($action == 'create') // Delivery date $langs->load('deliveries'); print ''; - print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker'); + print $form->editfieldkey($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker'); print ''; - print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $user->rights->propal->creer, 'datepicker'); + print $form->editfieldval($langs->trans('DeliveryDate'), 'date_livraison', $object->date_livraison, $object, $usercancreate, 'datepicker'); print ''; print ''; @@ -2016,7 +2025,7 @@ if ($action == 'create') print ''; - if ($action != 'editshippingmethod' && $user->rights->propal->creer) + if ($action != 'editshippingmethod' && $usercancreate) print ''; print '
'; print $langs->trans('SendingMethod'); print 'id.'">'.img_edit($langs->trans('SetShippingMode'),1).'
'; print ''; @@ -2128,7 +2137,7 @@ if ($action == 'create') print ''; - if ($action != 'editbankaccount' && $user->rights->propal->creer) + if ($action != 'editbankaccount' && $usercancreate) print ''; print '
'; print $langs->trans('BankAccount'); print 'id.'">'.img_edit($langs->trans('SetBankAccount'),1).'
'; print ''; @@ -2164,7 +2173,7 @@ if ($action == 'create') print '
'; print $langs->trans('IncotermLabel'); print ''; - if ($user->rights->propal->creer) print ''.img_edit().''; + if ($usercancreate) print ''.img_edit().''; else print ' '; print '
'; print ''; @@ -2293,7 +2302,7 @@ if ($action == 'create') $ret = $object->printObjectLines($action, $mysoc, $soc, $lineid, 1); // Form to add new line - if ($object->statut == Propal::STATUS_DRAFT && $user->rights->propal->creer && $action != 'selectlines') + if ($object->statut == Propal::STATUS_DRAFT && $usercancreate && $action != 'selectlines') { if ($action != 'editline') { @@ -2328,8 +2337,7 @@ if ($action == 'create') // Validate if ($object->statut == Propal::STATUS_DRAFT && $object->total_ttc >= 0 && count($object->lines) > 0) { - if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->creer)) - || (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->propal->propal_advance->validate))) + if ($usercanvalidate) { print ''; } @@ -2342,19 +2350,19 @@ if ($action == 'create') print ''; }*/ // Edit - if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->creer) { + if ($object->statut == Propal::STATUS_VALIDATED && $usercancreate) { print ''; } // ReOpen - if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $user->rights->propal->cloturer) { + if (($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) && $usercanclose) { print ''; } // Send if ($object->statut == Propal::STATUS_VALIDATED || $object->statut == Propal::STATUS_SIGNED) { - if (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || $user->rights->propal->propal_advance->send) { + if ($usercansend) { print ''; } else print ''; 
@@ -2362,14 +2370,14 @@ if ($action == 'create') // Create an order if (! empty($conf->commande->enabled) && $object->statut == Propal::STATUS_SIGNED) { - if ($user->rights->commande->creer) { + if ($usercancreateorder) { print ''; } } // Create an intervention if (! empty($conf->service->enabled) && ! empty($conf->ficheinter->enabled) && $object->statut == Propal::STATUS_SIGNED) { - if ($user->rights->ficheinter->creer) { + if ($usercancreateintervention) { $langs->load("interventions"); print ''; } @@ -2379,7 +2387,7 @@ if ($action == 'create') if ($conf->contrat->enabled && $object->statut == Propal::STATUS_SIGNED) { $langs->load("contracts"); - if ($user->rights->contrat->creer) { + if ($usercancreatecontract) { print ''; } } @@ -2387,7 +2395,7 @@ if ($action == 'create') // Create an invoice and classify billed if ($object->statut == Propal::STATUS_SIGNED) { - if (! empty($conf->facture->enabled) && $user->rights->facture->creer) + if (! empty($conf->facture->enabled) && $usercancreateinvoice) { print ''; } @@ -2400,18 +2408,18 @@ if ($action == 'create') } // Set accepted/refused - if ($object->statut == Propal::STATUS_VALIDATED && $user->rights->propal->cloturer) { + if ($object->statut == Propal::STATUS_VALIDATED && $usercanclose) { print ''; } // Clone - if ($user->rights->propal->creer) { + if ($usercancreate) { print ''; } // Delete - if ($user->rights->propal->supprimer) { + if ($usercandelete) { print ''; } 
@@ -2434,8 +2442,8 @@ if ($action == 'create') $filename = dol_sanitizeFileName($object->ref); $filedir = $conf->propal->multidir_output[$object->entity] . "/" . dol_sanitizeFileName($object->ref); $urlsource = $_SERVER["PHP_SELF"] . "?id=" . $object->id; - $genallowed = $user->rights->propal->lire; - $delallowed = $user->rights->propal->creer; + $genallowed = $usercanread; + $delallowed = $usercancreate; print $formfile->showdocuments('propal', $filename, $filedir, $urlsource, $genallowed, $delallowed, $object->modelpdf, 1, 0, 0, 28, 0, '', 0, '', $soc->default_lang, '', $object); From c0c8a70dd5f184bf00f87ba00c7c413cef71f8ba Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 12:21:51 +0200 Subject: [PATCH 03/12] Fix: permissions --- htdocs/comm/propal/card.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 4a6fa7f47f6..4658573dde2 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -1924,11 +1924,11 @@ if ($action == 'create') print ''; - if ($action != 'editdate' && ! empty($object->brouillon)) + if ($action != 'editdate' && ! empty($object->brouillon) && $usercancreate) print ''; print '
'; print $langs->trans('Date'); print 'id . '">' . img_edit($langs->trans('SetDate'), 1) . '
'; print ''; - if (! empty($object->brouillon) && $action == 'editdate') { + if (! empty($object->brouillon) && $action == 'editdate' && $usercancreate) { print '
'; print ''; print ''; @@ -1950,11 +1950,11 @@ if ($action == 'create') print ''; - if ($action != 'editecheance' && ! empty($object->brouillon)) + if ($action != 'editecheance' && ! empty($object->brouillon) && $usercancreate) print ''; print '
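Review bot: The `! empty($object->brouillon) && ... && $usercancreate` conditions added in this hunk and in the sibling hunks through `@@ -2098` only decide whether the edit link and form are rendered; the matching action handlers in the earlier card.php patch (`setdate` in `@@ -258`, and the one-line `setconditions`, `setavailability`, `setdemandreason`, `setmode`, `setmulticurrencycode` handlers in `@@ -1183`) gate on `$usercancreate` alone with no draft-status check visible. Unless the underlying `set_*`/`setPaymentTerms` methods enforce the status themselves (not visible here), a request that bypasses the UI still reaches those handlers on a validated proposal, so the draft restriction is cosmetic rather than enforced. If draft-only editing is the intended rule, the status check belongs in the handler branch too, e.g. `else if ($action == 'setconditions' && $usercancreate && ! empty($object->brouillon)) {`. The `editshippingmethod` hunk (`@@ -2029`) also omits the `brouillon` guard its neighbours carry, which matches the link rendering from the earlier patch but is worth confirming as deliberate.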
'; print $langs->trans('DateEndPropal'); print 'id . '">' . img_edit($langs->trans('SetConditions'), 1) . '
'; print ''; - if (! empty($object->brouillon) && $action == 'editecheance') { + if (! empty($object->brouillon) && $action == 'editecheance' && $usercancreate) { print ''; print ''; print ''; @@ -1978,11 +1978,11 @@ if ($action == 'create') print ''; - if ($action != 'editconditions' && ! empty($object->brouillon)) + if ($action != 'editconditions' && ! empty($object->brouillon) && $usercancreate) print ''; print '
'; print $langs->trans('PaymentConditionsShort'); print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetConditions'), 1) . '
'; print ''; - if ($action == 'editconditions') { + if (! empty($object->brouillon) && $action == 'editconditions' && $usercancreate) { $form->form_conditions_reglement($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->cond_reglement_id, 'cond_reglement_id'); } else { $form->form_conditions_reglement($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->cond_reglement_id, 'none'); @@ -2006,11 +2006,11 @@ if ($action == 'create') if (! empty($conf->commande->enabled)) print ' (' . $langs->trans('AfterOrder') . ')'; print ''; - if ($action != 'editavailability' && ! empty($object->brouillon)) + if ($action != 'editavailability' && ! empty($object->brouillon) && $usercancreate) print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetAvailability'), 1) . ''; print ''; print ''; - if ($action == 'editavailability') { + if (! empty($object->brouillon) && $action == 'editavailability' && $usercancreate) { $form->form_availability($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->availability_id, 'availability_id', 1); } else { $form->form_availability($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->availability_id, 'none', 1); @@ -2029,7 +2029,7 @@ if ($action == 'create') print 'id.'">'.img_edit($langs->trans('SetShippingMode'),1).''; print ''; print ''; - if ($action == 'editshippingmethod') { + if ($action == 'editshippingmethod' && $usercancreate) { $form->formSelectShippingMethod($_SERVER['PHP_SELF'].'?id='.$object->id, $object->shipping_method_id, 'shipping_method_id', 1); } else { $form->formSelectShippingMethod($_SERVER['PHP_SELF'].'?id='.$object->id, $object->shipping_method_id, 'none'); @@ -2043,11 +2043,11 @@ if ($action == 'create') print ''; - if ($action != 'editdemandreason' && ! empty($object->brouillon)) + if ($action != 'editdemandreason' && ! empty($object->brouillon) && $usercancreate) print ''; print '
'; print $langs->trans('Source'); print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetDemandReason'), 1) . '
'; print ''; - if ($action == 'editdemandreason') { + if (! empty($object->brouillon) && $action == 'editdemandreason' && $usercancreate) { $form->formInputReason($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->demand_reason_id, 'demand_reason_id', 1); } else { $form->formInputReason($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->demand_reason_id, 'none'); @@ -2061,11 +2061,11 @@ if ($action == 'create') print ''; - if ($action != 'editmode' && ! empty($object->brouillon)) + if ($action != 'editmode' && ! empty($object->brouillon) && $usercancreate) print ''; print '
'; print $langs->trans('PaymentMode'); print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetMode'), 1) . '
'; print ''; - if ($action == 'editmode') { + if (! empty($object->brouillon) && $action == 'editmode' && $usercancreate) { $form->form_modes_reglement($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->mode_reglement_id, 'mode_reglement_id'); } else { $form->form_modes_reglement($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->mode_reglement_id, 'none'); @@ -2081,11 +2081,11 @@ if ($action == 'create') print ''; - if ($action != 'editmulticurrencycode' && ! empty($object->brouillon)) + if ($action != 'editmulticurrencycode' && ! empty($object->brouillon) && $usercancreate) print ''; print '
'; print fieldLabel('Currency','multicurrency_code'); print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetMultiCurrencyCode'), 1) . '
'; print ''; - if ($action == 'editmulticurrencycode') { + if (! empty($object->brouillon) && $action == 'editmulticurrencycode' && $usercancreate) { $form->form_multicurrency_code($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->multicurrency_code, 'multicurrency_code'); } else { $form->form_multicurrency_code($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->multicurrency_code, 'none'); @@ -2098,11 +2098,11 @@ if ($action == 'create') print ''; - if ($action != 'editmulticurrencyrate' && ! empty($object->brouillon) && $object->multicurrency_code && $object->multicurrency_code != $conf->currency) + if ($action != 'editmulticurrencyrate' && ! empty($object->brouillon) && $object->multicurrency_code && $object->multicurrency_code != $conf->currency && $usercancreate) print ''; print '
'; print fieldLabel('CurrencyRate','multicurrency_tx'); print 'id . '">' . img_edit($langs->transnoentitiesnoconv('SetMultiCurrencyCode'), 1) . '
'; print ''; - if ($action == 'editmulticurrencyrate' || $action == 'actualizemulticurrencyrate') { + if (! empty($object->brouillon) && ($action == 'editmulticurrencyrate' || $action == 'actualizemulticurrencyrate') && $usercancreate) { if($action == 'actualizemulticurrencyrate') { list($object->fk_multicurrency, $object->multicurrency_tx) = MultiCurrency::getIdAndTxFromCode($object->db, $object->multicurrency_code); } From df55bee8ae21fe3bb9a9d0f39f41ed9ee76cb5ab Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 15:33:10 +0200 Subject: [PATCH 04/12] Fix: missing "$disableremove" global --- htdocs/comm/propal/card.php | 2 +- htdocs/core/class/commonobject.class.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 4658573dde2..dfde7ce613f 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -2302,7 +2302,7 @@ if ($action == 'create') $ret = $object->printObjectLines($action, $mysoc, $soc, $lineid, 1); // Form to add new line - if ($object->statut == Propal::STATUS_DRAFT && $usercancreate && $action != 'selectlines') + if ($object->statut == Propal::STATUS_DRAFT && $usercancreate && $action != 'selectlines') { if ($action != 'editline') { diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index a165704c058..f920279547f 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -3838,7 +3838,7 @@ abstract class CommonObject { global $conf,$langs,$user,$object,$hookmanager; global $form,$bc,$bcdd; - global $object_rights, $disableedit, $disablemove; // TODO We should not use global var for this ! + global $object_rights, $disableedit, $disablemove, $disableremove; // TODO We should not use global var for this ! $object_rights = $this->getRights(); From 80adac12c099f4fef15ca814e2d79399bd66042b Mon Sep 17 00:00:00 2001 
From: Regis Houssin Date: Sun, 1 Jul 2018 16:01:30 +0200 Subject: [PATCH 05/12] Fix: use object entity ID instead current entity --- htdocs/core/lib/functions2.lib.php | 10 ++++++++-- htdocs/core/modules/propale/mod_propale_marbre.php | 5 ++++- htdocs/core/modules/propale/mod_propale_saphir.php | 5 ++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php index 80ba3039abe..e7eb9eb259d 100644 --- a/htdocs/core/lib/functions2.lib.php +++ b/htdocs/core/lib/functions2.lib.php @@ -708,9 +708,10 @@ function array2table($data,$tableMarkup=1,$tableoptions='',$troptions='',$tdopti * @param string $mode 'next' for next value or 'last' for last value * @param bool $bentityon Activate the entity filter. Default is true (for modules not compatible with multicompany) * @param User $objuser Object user we need data from. + * @param int $forceentity Entity id to force * @return string New value (numeric) or error message */ -function get_next_value($db,$mask,$table,$field,$where='',$objsoc='',$date='',$mode='next', $bentityon=true, $objuser=null) +function get_next_value($db,$mask,$table,$field,$where='',$objsoc='',$date='',$mode='next', $bentityon=true, $objuser=null, $forceentity=null) { global $conf,$user; @@ -987,7 +988,8 @@ function get_next_value($db,$mask,$table,$field,$where='',$objsoc='',$date='',$m $sql.= " AND ".$field." NOT LIKE '(PROV%)'"; if ($bentityon) // only if entity enable $sql.= " AND entity IN (".getEntity($sharetable).")"; - + else if (! empty($forceentity)) + $sql.= " AND entity = ".(int) $forceentity; if ($where) $sql.=$where; if ($sqlwhere) $sql.=' AND '.$sqlwhere; 
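Review bot: The new `@param int $forceentity Entity id to force` docblock entry does not say that the value is only honoured when `$bentityon` is false — the `else if (! empty($forceentity))` branch hangs off the `if ($bentityon)` test, so a caller that passes an entity but leaves `$bentityon` at its default `true` silently gets the `getEntity()` filter instead. Suggest `@param int $forceentity Entity id to force; used only when $bentityon is false, ignored otherwise (null/0 = no forced filter)`. Note also that `! empty()` treats entity 0 as "not forced", which may or may not be intended for shared objects. get_next_value's body continues well past this hunk.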
@@ -1035,6 +1037,8 @@ function get_next_value($db,$mask,$table,$field,$where='',$objsoc='',$date='',$m $sql.= " AND ".$field." NOT LIKE '%PROV%'"; if ($bentityon) // only if entity enable $sql.= " AND entity IN (".getEntity($sharetable).")"; + else if (! empty($forceentity)) + $sql.= " AND entity = ".(int) $forceentity; if ($where) $sql.=$where; if ($sqlwhere) $sql.=' AND '.$sqlwhere; @@ -1089,6 +1093,8 @@ function get_next_value($db,$mask,$table,$field,$where='',$objsoc='',$date='',$m $maskrefclient_sql.= " WHERE ".$field." LIKE '".$maskrefclient_maskLike."'"; if ($bentityon) // only if entity enable $maskrefclient_sql.= " AND entity IN (".getEntity($sharetable).")"; + else if (! empty($forceentity)) + $sql.= " AND entity = ".(int) $forceentity; if ($where) $maskrefclient_sql.=$where; //use the same optional where as general mask if ($sqlwhere) $maskrefclient_sql.=' AND '.$sqlwhere; //use the same sqlwhere as general mask $maskrefclient_sql.=' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode,$maskrefclient)+1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$maskrefclient_clientcode."')"; diff --git a/htdocs/core/modules/propale/mod_propale_marbre.php b/htdocs/core/modules/propale/mod_propale_marbre.php index 13bbf9f3d84..0e1700da500 100644 --- a/htdocs/core/modules/propale/mod_propale_marbre.php +++ b/htdocs/core/modules/propale/mod_propale_marbre.php @@ -108,12 +108,15 @@ class mod_propale_marbre extends ModeleNumRefPropales { global $db,$conf; + // Use object entity ID + $entity = ((isset($propal->entity) && is_numeric($propal->entity)) ? $propal->entity : $conf->entity); + // D'abord on recupere la valeur max $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."propal"; $sql.= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'"; - $sql.= " AND entity = ".$conf->entity; + $sql.= " AND entity = ".$entity; $resql=$db->query($sql); if ($resql) 
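Review bot: In the `@@ -1089` hunk the forced-entity clause is appended to `$sql` while every neighbouring line builds `$maskrefclient_sql`, so the client-mask counter query runs with no entity restriction when `$bentityon` is false and the stray `AND entity = …` is attached to the main query instead. The line should read `$maskrefclient_sql.= " AND entity = ".(int) $forceentity;`. The same three-line pattern is now repeated in three places in get_next_value; a small private helper returning the entity clause would stop the copies drifting apart as this one did. get_next_value's body extends beyond the hunk.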
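Review bot: `$entity` is interpolated into the SQL (`$sql.= " AND entity = ".$entity;`) after only an `is_numeric()` check, which also accepts strings such as `'1e2'` or `' 3'`; `$propal->entity` is most likely an integer loaded from the database, but since this same patch casts `(int) $forceentity` in functions2.lib.php, casting here keeps the two consistent: `$entity = (int) ((isset($propal->entity) && is_numeric($propal->entity)) ? $propal->entity : $conf->entity);`. The identical `$entity` construction in mod_propale_saphir.php (next hunk) should take the same cast before it is passed as `$forceentity`. The enclosing method starts outside the hunk.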
diff --git a/htdocs/core/modules/propale/mod_propale_saphir.php b/htdocs/core/modules/propale/mod_propale_saphir.php index ec0b0b241e2..7cea713aeaf 100644 --- a/htdocs/core/modules/propale/mod_propale_saphir.php +++ b/htdocs/core/modules/propale/mod_propale_saphir.php @@ -124,9 +124,12 @@ class mod_propale_saphir extends ModeleNumRefPropales return 0; } + // Use object entity ID + $entity = ((isset($propal->entity) && is_numeric($propal->entity)) ? $propal->entity : $conf->entity); + $date = $propal->date; - $numFinal=get_next_value($db,$mask,'propal','ref','',$objsoc,$date); + $numFinal=get_next_value($db,$mask,'propal','ref','',$objsoc,$date,'next',false,null,$entity); return $numFinal; } From 05c666c18bb667079cbb59f898d3f6df3c55eb8a Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 17:06:19 +0200 Subject: [PATCH 06/12] Fix: use numbering model corresponding to the entity of the object --- htdocs/comm/propal/class/propal.class.php | 13 ++++++++++--- htdocs/core/modules/propale/mod_propale_saphir.php | 8 +++++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 703ed95a1b2..c32f206ec52 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -3347,12 +3347,19 @@ class Propal extends CommonObject global $conf,$langs; $langs->load("propal"); - if (! empty($conf->global->PROPALE_ADDON)) + $constant = 'PROPALE_ADDON_'.$this->entity; + + if (! empty($conf->global->$constant)) { + $classname = $conf->global->$constant; // for multicompany proposal sharing + } else { + $classname = $conf->global->PROPALE_ADDON; + } + + if (! empty($classname)) { $mybool=false; - $file = $conf->global->PROPALE_ADDON.".php"; - $classname = $conf->global->PROPALE_ADDON; + $file = $classname.".php"; // Include file with class $dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']); 
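Review bot: The `else` branch reads `$conf->global->PROPALE_ADDON` unguarded, so when neither `PROPALE_ADDON_<entity>` nor `PROPALE_ADDON` is set PHP emits an undefined-property notice before `empty($classname)` catches the case; the old code had the `! empty()` guard in front. `$classname = empty($conf->global->PROPALE_ADDON) ? '' : $conf->global->PROPALE_ADDON;` restores that. Note also that `$classname` feeds `$file = $classname.".php"`, which the loop below includes, so the new per-entity constant is a second configuration key that selects code to load and deserves the same admin-only handling as `PROPALE_ADDON`. The enclosing method begins before the hunk and its include loop continues after it.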
diff --git a/htdocs/core/modules/propale/mod_propale_saphir.php b/htdocs/core/modules/propale/mod_propale_saphir.php index 7cea713aeaf..54d894c20b5 100644 --- a/htdocs/core/modules/propale/mod_propale_saphir.php +++ b/htdocs/core/modules/propale/mod_propale_saphir.php @@ -115,8 +115,14 @@ class mod_propale_saphir extends ModeleNumRefPropales require_once DOL_DOCUMENT_ROOT .'/core/lib/functions2.lib.php'; + $constant = 'PROPALE_SAPHIR_MASK_'.$propal->entity; + // On defini critere recherche compteur - $mask=$conf->global->PROPALE_SAPHIR_MASK; + if (! empty($conf->global->$constant)) { + $mask = $conf->global->$constant; // for multicompany proposal sharing + } else { + $mask = $conf->global->PROPALE_SAPHIR_MASK; + } if (! $mask) { From 8f124efc15a395e6d54c177aac80b9dd8af0fadb Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 17:48:01 +0200 Subject: [PATCH 07/12] Fix: wrong mysql resource name --- htdocs/core/class/html.form.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 9a9d3279e03..627723d1f18 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -6233,7 +6233,7 @@ class Form print ''; while ($i < $num) { - $objp = $this->db->fetch_object($resqlorderlist); + $objp = $this->db->fetch_object($resqllist); $var = ! $var; print ''; From f13dd9c9bde515968079ddb2b7688712dd2b7545 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 18:22:18 +0200 Subject: [PATCH 08/12] Fix: missing hook parameter --- htdocs/core/class/html.form.class.php | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 627723d1f18..3eeb76ba1e6 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
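Review bot: `'PROPALE_SAPHIR_MASK_'.$propal->entity` uses `$propal->entity` without the `isset()`/`is_numeric()` guard that the previous patch added a few lines below for `$entity`; with an unset entity the lookup degrades to `PROPALE_SAPHIR_MASK_` plus a notice. Computing the guarded `$entity` first and writing `$constant = 'PROPALE_SAPHIR_MASK_'.$entity;` keeps the two consistent. The enclosing method starts outside the hunk.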
@@ -6012,6 +6012,7 @@ class Form // Bypass the default method $hookmanager->initHooks(array('commonobject')); $parameters=array( + 'morehtmlright' => $morehtmlright, 'compatibleImportElementsList' =>& $compatibleImportElementsList, ); $reshook=$hookmanager->executeHooks('showLinkedObjectBlock',$parameters,$object,$action); // Note that $action and $object may have been modified by hook From 26495fb6983b9684a63aa88b97b826b0f3fd9ec3 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sun, 1 Jul 2018 18:49:37 +0200 Subject: [PATCH 09/12] Fix: !!!! Dont't use entity if you use rowid in fetch or others !!!! --- htdocs/comm/propal/class/propal.class.php | 7 +++++-- htdocs/commande/class/commande.class.php | 6 ++++-- htdocs/compta/facture/class/facture.class.php | 6 ++++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index c32f206ec52..8cbc4ca220e 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -1335,8 +1335,11 @@ class Propal extends CommonObject $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_input_reason as dr ON p.fk_input_reason = dr.rowid'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON p.fk_incoterms = i.rowid'; $sql.= " WHERE p.fk_statut = c.id"; - $sql.= " AND p.entity IN (".getEntity('propal').")"; - if ($ref) $sql.= " AND p.ref='".$ref."'"; + + if ($ref) { + $sql.= " AND p.entity IN (".getEntity('propal').")"; // Dont't use entity if you use rowid + $sql.= " AND p.ref='".$ref."'"; + } else $sql.= " AND p.rowid=".$rowid; dol_syslog(get_class($this)."::fetch", LOG_DEBUG); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index a9970a95a51..17e4387c4de 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php 
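Review bot: Dropping `p.entity IN (getEntity('propal'))` from the rowid path means `fetch($rowid)` now returns a proposal from any entity, so entity isolation for by-id access rests entirely on callers having run `restrictedArea`/`checkUserAccessToObject` first; that is the intent stated in the subject, but it removes a defence-in-depth layer, so a comment such as `// No entity filter on rowid: callers must have checked access to this id` would help the next maintainer. The rewritten ref branch also keeps `$sql.= " AND p.ref='".$ref."'";` unescaped while the commande and facture hunks of this same patch use `$this->db->escape($ref)`; use `$this->db->escape($ref)` here too and cast the id, `else $sql.= " AND p.rowid=".(int) $rowid;`. The same entity-drop applies to Commande::fetch and Facture::fetch in the following hunks, where `$id`/`$rowid` are likewise concatenated uncast. fetch's body continues outside the hunk.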
@@ -1591,8 +1591,10 @@ class Commande extends CommonOrder $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_availability as ca ON c.fk_availability = ca.rowid'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_input_reason as dr ON c.fk_input_reason = ca.rowid'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON c.fk_incoterms = i.rowid'; - $sql.= " WHERE c.entity IN (".getEntity('commande').")"; - if ($id) $sql.= " AND c.rowid=".$id; + + if ($id) $sql.= " WHERE c.rowid=".$id; + else $sql.= " WHERE c.entity IN (".getEntity('commande').")"; // Dont't use entity if you use rowid + if ($ref) $sql.= " AND c.ref='".$this->db->escape($ref)."'"; if ($ref_ext) $sql.= " AND c.ref_ext='".$this->db->escape($ref_ext)."'"; if ($ref_int) $sql.= " AND c.ref_int='".$this->db->escape($ref_int)."'"; diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index b7d86cf630a..c6e43206c78 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -1274,8 +1274,10 @@ class Facture extends CommonInvoice $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_payment_term as c ON f.fk_cond_reglement = c.rowid'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as p ON f.fk_mode_reglement = p.id'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON f.fk_incoterms = i.rowid'; - $sql.= ' WHERE f.entity IN ('.getEntity('facture').')'; - if ($rowid) $sql.= " AND f.rowid=".$rowid; + + if ($rowid) $sql.= " WHERE f.rowid=".$rowid; + else $sql.= ' WHERE f.entity IN ('.getEntity('facture').')'; // Dont't use entity if you use rowid + if ($ref) $sql.= " AND f.facnumber='".$this->db->escape($ref)."'"; if ($ref_ext) $sql.= " AND f.ref_ext='".$this->db->escape($ref_ext)."'"; if ($ref_int) $sql.= " AND f.ref_int='".$this->db->escape($ref_int)."'"; From 233ad2945ce51ee3ad88e93d3e52c31d34dde09b Mon Sep 17 00:00:00 2001 
From: Regis Houssin Date: Sun, 1 Jul 2018 20:03:08 +0200 Subject: [PATCH 10/12] Fix: missing hook parameter --- htdocs/core/class/html.form.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 3eeb76ba1e6..6958ec34fe9 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -6186,7 +6186,7 @@ class Form // Can complete the possiblelink array $hookmanager->initHooks(array('commonobject')); - $parameters=array(); + $parameters=array('listofidcompanytoscan' => $listofidcompanytoscan); $reshook=$hookmanager->executeHooks('showLinkToObjectBlock',$parameters,$object,$action); // Note that $action and $object may have been modified by hook if (empty($reshook)) { From df718cca5c93e579e7ce20d115e39389becbbab8 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 2 Jul 2018 10:09:56 +0200 Subject: [PATCH 11/12] Fix: better sql request with multicompany transverse mode --- htdocs/core/class/commonobject.class.php | 26 ++++++++++++++++--- htdocs/core/lib/security.lib.php | 33 +++++++++++++++++++----- 2 files changed, 49 insertions(+), 10 deletions(-) diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index f920279547f..9d020ab8dd4 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -1500,7 +1500,7 @@ abstract class CommonObject */ function load_previous_next_ref($filter, $fieldid, $nodbprefix=0) { - global $user; + global $conf, $user; if (! $this->table_element) { 
@@ -1520,6 +1520,9 @@ abstract class CommonObject $sql = "SELECT MAX(te.".$fieldid.")"; $sql.= " FROM ".(empty($nodbprefix)?MAIN_DB_PREFIX:'').$this->table_element." as te"; + if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { + $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; + } if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to socid else if ($this->restrictiononfksoc == 2 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON te.fk_soc = s.rowid"; // If we need to link to societe to limit select to socid 
@@ -1534,7 +1537,14 @@ abstract class CommonObject } if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid - if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) $sql.= ' AND te.entity IN ('.getEntity($this->element).')'; + if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) { + if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { + $sql.= " AND (ug.fk_user = te.rowid"; + $sql.= " AND ug.entity IN (".getEntity($this->element)."))"; + } else { + $sql.= ' AND te.entity IN ('.getEntity($this->element).')'; + } + } if ($this->restrictiononfksoc == 1 && $socid && $this->element != 'societe') $sql.= ' AND te.fk_soc = ' . $socid; if ($this->restrictiononfksoc == 2 && $socid && $this->element != 'societe') $sql.= ' AND (te.fk_soc = ' . $socid.' OR te.fk_soc IS NULL)'; if ($this->restrictiononfksoc && $socid && $this->element == 'societe') $sql.= ' AND te.rowid = ' . $socid; 
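Review bot: The added clause joins `usergroup_user as ug` on `ug.fk_user = te.rowid` through a comma join, i.e. an inner join, so a user with no row in usergroup_user can no longer be reached by previous/next navigation in transverse mode, and a user in several groups contributes duplicate rows (harmless for MAX/MIN but worth stating). The outer parentheses around the two conditions are redundant, and the identical block is repeated for the MIN query in the `@@ -1566` hunk; a private helper building the entity clause once would keep the two copies in step. Suggested comment above the join: `// Inner join on usergroup_user: users without any group are excluded here`. load_previous_next_ref continues beyond the hunk.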
@@ -1552,6 +1562,9 @@ abstract class CommonObject $sql = "SELECT MIN(te.".$fieldid.")"; $sql.= " FROM ".(empty($nodbprefix)?MAIN_DB_PREFIX:'').$this->table_element." as te"; + if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { + $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; + } if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to socid else if ($this->restrictiononfksoc == 2 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON te.fk_soc = s.rowid"; // If we need to link to societe to limit select to socid 
@@ -1566,7 +1579,14 @@ abstract class CommonObject } if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid - if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) $sql.= ' AND te.entity IN ('.getEntity($this->element).')'; + if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) { + if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { + $sql.= " AND (ug.fk_user = te.rowid"; + $sql.= " AND ug.entity IN (".getEntity($this->element)."))"; + } else { + $sql.= ' AND te.entity IN ('.getEntity($this->element).')'; + } + } if ($this->restrictiononfksoc == 1 && $socid && $this->element != 'societe') $sql.= ' AND te.fk_soc = ' . $socid; if ($this->restrictiononfksoc == 2 && $socid && $this->element != 'societe') $sql.= ' AND (te.fk_soc = ' . $socid.' OR te.fk_soc IS NULL)'; if ($this->restrictiononfksoc && $socid && $this->element == 'societe') $sql.= ' AND te.rowid = ' . $socid; diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index d157cafd5f8..9fa5fb8b7c3 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php 
@@ -470,13 +470,32 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh { $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; - if (($feature == 'user' || $feature == 'usergroup') && ! empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && ! $user->entity) + if (($feature == 'user' || $feature == 'usergroup') && ! empty($conf->multicompany->enabled)) { - $sql.= " AND dbt.entity IS NOT NULL"; + if (! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) + { + if ($conf->entity == 1 && $user->admin && ! $user->entity) + { + $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql.= " AND dbt.entity IS NOT NULL"; + } + else + { + $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; + $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql.= " AND (ug.fk_user = dbt.rowid"; + $sql.= " AND ug.entity IN (".getEntity('user')."))"; + $sql.= " OR dbt.entity = 0"; // Show always superadmin + } + } + else { + $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; + $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; + } } else { + $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } } 
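Review bot: In the transverse-mode branch for a non-superadmin the trailing `" OR dbt.entity = 0"` is not grouped with the object filter, so the WHERE reads `dbt.<id> IN (...) AND (ug.fk_user = dbt.rowid AND ug.entity IN (...)) OR dbt.entity = 0`; AND binds tighter than OR, so any row with `dbt.entity = 0` makes the count non-zero regardless of `$objectid`, multiplied by every row of the cross-joined usergroup_user. If an entity-0 user exists, this check therefore passes for every user id, which defeats the purpose of checkUserAccessToObject. Parenthesise the whole alternative, `$sql.= " AND ((ug.fk_user = dbt.rowid AND ug.entity IN (".getEntity('user').")) OR dbt.entity = 0)";`, which also keeps the superadmin row tied to `$objectid`. Separately, this branch also runs for `$feature == 'usergroup'`, where `dbt` is presumably the group table and `ug.fk_user = dbt.rowid` compares a group id against a user id, so the group case looks like it needs the group link column instead. checkUserAccessToObject starts before the hunk.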
@@ -510,12 +529,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh else if (in_array($feature,$checkother)) // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...). { // If external user: Check permission for external users - if ($user->societe_id > 0) + if ($user->socid > 0) { $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; - $sql.= " AND dbt.fk_soc = ".$user->societe_id; + $sql.= " AND dbt.fk_soc = ".$user->socid; } // If internal user: Check permission for internal users that are restricted on their objects else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir)) @@ -578,13 +597,13 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh else if (! in_array($feature,$nocheck)) // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield { // If external user: Check permission for external users - if ($user->societe_id > 0) + if ($user->socid > 0) { if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined'); $sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql.= " WHERE dbt.rowid IN (".$objectid.")"; - $sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id; + $sql.= " AND dbt.".$dbt_keyfield." = ".$user->socid; } // If internal user: Check permission for internal users that are restricted on their objects else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir)) From 9709207a4f5c429855e126700e8a6b9a36fd3c97 Mon Sep 17 00:00:00 2001 
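Review bot: Both hunks switch the external-user test from `$user->societe_id` to `$user->socid`; this is only safe if the User object populates `socid` on every path that reaches checkUserAccessToObject, because `$user->socid > 0` quietly evaluates to false when the property is unset and the request then falls through to the internal-user branch, widening access for an external user rather than denying it. If `societe_id` is still the populated field on some paths, keep a fallback such as `$socid = ! empty($user->socid) ? $user->socid : $user->societe_id;` and use it in both branches, or confirm the rename across the User class. The enclosing function starts before the hunk.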
From: Regis Houssin Date: Mon, 2 Jul 2018 10:18:16 +0200 Subject: [PATCH 12/12] Fix: superadmin can show all users in master entity --- htdocs/core/class/commonobject.class.php | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 9d020ab8dd4..1dfc9c90718 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -1539,8 +1539,12 @@ abstract class CommonObject
 else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid
 if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) {
 if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
- $sql.= " AND (ug.fk_user = te.rowid";
- $sql.= " AND ug.entity IN (".getEntity($this->element)."))";
+ if (! empty($user->admin) && empty($user->entity) && $conf->entity == 1) {
+ $sql.= " AND te.entity IS NOT NULL"; // Show all users
+ } else {
+ $sql.= " AND ug.fk_user = te.rowid";
+ $sql.= " AND ug.entity IN (".getEntity($this->element).")";
+ }
 } else {
 $sql.= ' AND te.entity IN ('.getEntity($this->element).')';
 }
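Review bot: In the superadmin branch the FROM clause added by the previous patch still contains `usergroup_user as ug`, but this branch emits no `ug.fk_user = te.rowid` condition, so the MAX query becomes a cartesian product of the user table with usergroup_user; MAX is unaffected by the duplicates, but if usergroup_user is empty the product is empty and the superadmin gets no previous/next at all. Move the superadmin test up to where `ug` is appended to the FROM clause so the join is only added when it is also constrained, or keep `ug.fk_user = te.rowid` in this branch and relax only the entity test. The condition `! empty($user->admin) && empty($user->entity) && $conf->entity == 1` mirrors `$conf->entity == 1 && $user->admin && ! $user->entity` in security.lib.php; a shared helper would keep the two superadmin definitions aligned. The same applies to the MIN query in the `@@ -1581` hunk. load_previous_next_ref starts and ends outside the hunk.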
@@ -1581,8 +1585,12 @@ abstract class CommonObject
 else if ($this->restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid
 if (isset($this->ismultientitymanaged) && $this->ismultientitymanaged == 1) {
 if ($this->element == 'user' && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
- $sql.= " AND (ug.fk_user = te.rowid";
- $sql.= " AND ug.entity IN (".getEntity($this->element)."))";
+ if (! empty($user->admin) && empty($user->entity) && $conf->entity == 1) {
+ $sql.= " AND te.entity IS NOT NULL"; // Show all users
+ } else {
+ $sql.= " AND ug.fk_user = te.rowid";
+ $sql.= " AND ug.entity IN (".getEntity($this->element).")";
+ }
 } else {
 $sql.= ' AND te.entity IN ('.getEntity($this->element).')';
 }