Fix: mise en fonction de la v�rification des droits d'acc�s users, clients et commerciaux

2007-06-07 13:50:18 +00:00 · 2007-06-07 13:50:18 +00:00 · d5179f5c3a
commit d5179f5c3a
parent a713d94ecd
3 changed files with 34 additions and 63 deletions
--- a/htdocs/docsoc.php
+++ b/htdocs/docsoc.php
@ -34,32 +34,12 @@ require_once(DOL_DOCUMENT_ROOT."/lib/company.lib.php");
 $langs->load("companies");
 $langs->load('other');

-$user->getrights('commercial');
-
 $mesg = "";

-// Sécurité accés client
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
-if ($socid == '') accessforbidden();
-if ($user->societe_id > 0)
-{
-  $action = '';
-  $socid = $user->societe_id;
-}
-
-// Protection restriction commercial
-if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
-{
-  $sql = "SELECT sc.fk_soc, s.client";
-  $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
-  $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
-  
-  if ( $db->query($sql) )
-    {
-      if ( $db->num_rows() == 0) accessforbidden();
-    }
-}

+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'commercial', $socid, 'societe');

 /*
 * Actions
--- a/htdocs/lib/functions.inc.php
+++ b/htdocs/lib/functions.inc.php
@ -1259,6 +1259,7 @@ function dol_loginfunction($notused,$pearstatus)
 	global $db;
 		
 	$user->getrights($modulename);
+ 	$user->getrights('commercial');
 	$socid = 0;
 	
 	//si dbtable non défini, même nom que le module
@ -1267,31 +1268,47 @@ function dol_loginfunction($notused,$pearstatus)
 	if (!$user->rights->$modulename->lire)
 	{
 		accessforbidden();
- 		return -1;
+ 	}
+ 	else if (!$user->rights->$modulename->creer)
+ 	{
+ 		if ($_GET["action"] == 'create' || $_POST["action"] == 'create')
+ 		{
+ 			accessforbidden();
+ 		}
 	}
 	
 	if ($user->societe_id > 0)
 	{
-    $socid = $user->societe_id;
+    $_GET["action"] = '';
+	  $_POST["action"] = '';
+    $user_socid = $user->societe_id;
  }
-
-  if ($objectid && (!$user->rights->commercial->client->voir || $socid > 0))
+  
+  if ($objectid)
  {
-  	$sql = "SELECT sc.fk_soc, dbt.fk_soc";
-  	$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX.$dbtablename." as dbt";
-  	$sql .= " WHERE dbt.rowid = ".$objectid;
-    if (!$user->rights->commercial->client->voir && !$socid > 0)
-    {
-    	$sql .= " AND sc.fk_soc = dbt.fk_soc AND sc.fk_user = ".$user->id;
+  	if ($modulename == 'societe' && !$user->rights->commercial->client->voir && !$user_socid > 0)
+  	{
+  		$sql = "SELECT sc.fk_soc";
+      $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+      $sql .= " WHERE sc.fk_soc = ".$objectid." AND sc.fk_user = ".$user->id;
+    }
+    else if ($objectid && (!$user->rights->commercial->client->voir || $user_socid > 0))
+    {
+  	  $sql = "SELECT sc.fk_soc, dbt.fk_soc";
+  	  $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+  	  $sql .= " WHERE dbt.rowid = ".$objectid;
+      if (!$user->rights->commercial->client->voir && !$user_socid > 0)
+      {
+    	  $sql .= " AND sc.fk_soc = dbt.fk_soc AND sc.fk_user = ".$user->id;
+      }
+      if ($user_socid > 0) $sql .= " AND dbt.fk_soc = ".$user_socid;
    }
-    if ($socid > 0) $sql .= " AND dbt.fk_soc = ".$socid;

    if ($db->query($sql))
    {
      if ($db->num_rows() == 0)
      {
      	accessforbidden();
-      	return -2;
      }
    }
  }
--- a/htdocs/soc.php
+++ b/htdocs/soc.php
@ -33,42 +33,16 @@
 require("pre.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/company.lib.php");

-$user->getrights('societe');
-$user->getrights('commercial');
-
 $langs->load("companies");
 $langs->load("commercial");
 $langs->load("bills");

 $socid = isset($_GET["socid"])?$_GET["socid"]:'';

-// Sécurité accés client
-if (! $user->rights->societe->creer)
-{
-    if ($_GET["action"] == 'create' || $_POST["action"] == 'create')
-    {
-        accessforbidden();
-    }
-}
-if ($user->societe_id > 0) 
-{
-	$_GET["action"] = '';
-	$_POST["action"] = '';
-	$socid = $user->societe_id;
-}
+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'societe', $socid);
+print $security;

-// Protection restriction commercial
-if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
-{
-  $sql = "SELECT sc.fk_soc";
-  $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
-  $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id;
-  
-  if ( $db->query($sql) )
-    {
-      if ( $db->num_rows() == 0) accessforbidden();
-    }
-}
 // Initialisation de l'objet Societe
 $soc = new Societe($db);