From d72d40c4b5a51d9540cd8c1882d3d63b19cb6d62 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 30 Apr 2009 14:51:27 +0000
Subject: [PATCH] Todo: le champ type "password" modifie la valeur du mot de passe (test en mode crypte) !!
---
 htdocs/includes/login/functions_dolibarr.php | 6 ++++--
 htdocs/user.class.php | 10 +++++-----
 htdocs/user/fiche.php | 12 +++++++-----
 3 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/htdocs/includes/login/functions_dolibarr.php b/htdocs/includes/login/functions_dolibarr.php
index e6848bf26d5..44aec699d61 100644
--- a/htdocs/includes/login/functions_dolibarr.php
+++ b/htdocs/includes/login/functions_dolibarr.php
@@ -43,10 +43,12 @@ function check_user_password_dolibarr($usertotest,$passwordtotest)
 // If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
 $table = MAIN_DB_PREFIX."user";
 $usernamecol = 'login';
+ $entitycol = 'entity';
 $sql ='SELECT pass, pass_crypted';
- $sql.=' from '.$table;
- $sql.=' where '.$usernamecol." = '".addslashes($_POST["username"])."'";
+ $sql.=' FROM '.$table;
+ $sql.=' WHERE '.$usernamecol." = '".addslashes($_POST["username"])."'";
+ $sql.=' AND '.$entitycol." IN (0,".$_POST["entity"].")";
 dol_syslog("functions_dolibarr::check_user_password_dolibarr sql=".$sql);
 $resql=$db->query($sql);
diff --git a/htdocs/user.class.php b/htdocs/user.class.php
index a89042ef964..f6e75d666aa 100644
--- a/htdocs/user.class.php
+++ b/htdocs/user.class.php
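Review bot: The added `AND ... IN (0,".$_POST["entity"].")` clause places a request parameter into the login query with no cast or escaping, so the shape of a pre-authentication query depends on client input; force it to an integer first, e.g. `$entity = (int) $_POST["entity"];`, and concatenate `$entity` instead. The username on the line above relies on `addslashes()`, which is not charset-aware; the database driver's own escaping or a bound parameter is the safer choice. The same pattern appears in the `User::fetch` hunk of `htdocs/user.class.php`, where `$sid` is concatenated unescaped and `$this->id` uncast on lines this commit rewrites. `dol_syslog()` then writes the whole statement, including the submitted username, to the log. The enclosing function starts and ends outside the hunk.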
@@ -153,18 +153,19 @@ class User extends CommonObject
 $sql.= " ".$this->db->pdate("u.datelastlogin")." as datel,";
 $sql.= " ".$this->db->pdate("u.datepreviouslogin")." as datep";
 $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
+ $sql.= " WHERE u.entity IN (0,".$conf->entity.")";
 if ($sid)
 {
 // permet une recherche du user par son SID ActiveDirectory ou Samba
- $sql .= " WHERE (u.ldap_sid = '".$sid."' || u.login = '".addslashes($login)."') LIMIT 1";
+ $sql.= " AND (u.ldap_sid = '".$sid."' || u.login = '".addslashes($login)."') LIMIT 1";
 }
 else if ($login)
 {
- $sql .= " WHERE u.login = '".addslashes($login)."'";
+ $sql.= " AND u.login = '".addslashes($login)."'";
 }
 else
 {
- $sql .= " WHERE u.rowid = ".$this->id;
+ $sql.= " AND u.rowid = ".$this->id;
 }
 dol_syslog("User::Fetch sql=".$sql, LOG_DEBUG);
@@ -1013,14 +1014,13 @@ class User extends CommonObject
 {
 $nbrowsaffected+=$this->db->affected_rows($resql);
- // Mise a jour mot de passe
+ // Mise a jour mot de passe
 if ($this->pass)
 {
 if ($this->pass != $this->pass_indatabase && $this->pass != $this->pass_indatabase_crypted)
 {
 // Si mot de passe saisi et different de celui en base
 $result=$this->setPassword($user,$this->pass,0,$notrigger);
- if (! $nbrowsaffected) $nbrowsaffected++;
 }
 }
diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 74cd85f0405..9e2424baea1 100644
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
@@ -236,7 +236,7 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $caneditfield)
 $edituser->nom = $_POST["nom"];
 $edituser->prenom = $_POST["prenom"];
 $edituser->login = $_POST["login"];
- $edituser->pass = $_POST["pass"];
+ $edituser->pass = $_POST["password"];
 $edituser->admin = $_POST["admin"];
 $edituser->office_phone = $_POST["office_phone"];
 $edituser->office_fax = $_POST["office_fax"];
@@ -260,22 +260,23 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"] && $caneditfield)
 $message.='
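Review bot: `$conf->entity` on the added `WHERE u.entity IN (0,...)` line is read inside a class method, and no `global $conf;` is visible in this hunk; the method starts outside it, so confirm the declaration exists, otherwise the clause renders as `IN (0,)` and every fetch fails. Writing `(int) $conf->entity` at the point of use would keep the clause well-formed even if the value is unset or non-numeric. The login check in `functions_dolibarr.php` scopes by `$_POST["entity"]` while this query scopes by `$conf->entity`; whether the two are guaranteed to agree is not shown on this page.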
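Review bot: The return value of `setPassword()` is stored in `$result` and never examined in the visible lines, so a failed password change can be reported as a successful update; `htdocs/user/fiche.php` treats a negative return from the same call as an error, and the same `if ($result < 0)` test followed by the method's usual error return belongs here. With `if (! $nbrowsaffected) $nbrowsaffected++;` removed, a password-only edit no longer counts as a change, which matters if later code keys triggers or the return value on `$nbrowsaffected`; that code is outside the hunk. The surrounding `!=` tests are loose comparisons, and `!==` would avoid numeric-string coercion when comparing password values.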
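Review bot: `$edituser->pass = $_POST["password"];` is reached under `$caneditfield` alone, while the form renders the password input only under `$caneditpassword` (last hunk of this file); now that `update()` applies `$this->pass` through `setPassword()`, the permission should be enforced on the server side too, e.g. `if ($caneditpassword) $edituser->pass = $_POST["password"];`. A check may exist outside the hunk, since the enclosing `if` block starts before it and ends after it.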
'.$edituser->error.'
';
 }
 }
+ // Todo: doublon avec la fonction update qui fait deja appel a setPassword
+ /*
 if ($ret >= 0 && isset($_POST["password"]) && $_POST["password"] !='')
 {
- $ret=$edituser->setPassword($user,$_POST["password"],1);
+ $ret=$edituser->setPassword($user,$_POST["password"]);
 if ($ret < 0)
 {
 $message.='
'.$edituser->error.'
';
 }
 }
-
+ */
 if (isset($_FILES['photo']['tmp_name']) && trim($_FILES['photo']['tmp_name']))
 {
 // If photo is provided
 if (! is_dir($conf->user->dir_output))
 {
 create_exdir($conf->user->dir_output);
- print 'photo ok='.$conf->user->dir_output.'
';;
 }
 if (is_dir($conf->user->dir_output))
 {
@@ -1273,7 +1274,8 @@ else
 }
 else if ($caneditpassword)
 {
- $text='';
+ // Todo: le champ type "password" modifie la valeur du mot de passe (test en mode crypte) !!
+ $text='';
 if ($dolibarr_main_authentication && $dolibarr_main_authentication == 'http')
 {
 $text=$html->textwithwarning($text,$langs->trans("DolibarrInHttpAuthenticationSoPasswordUseless",$dolibarr_main_authentication));
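Review bot: The disabled `setPassword()` block should be deleted rather than commented out, and the path that replaces it is not equivalent. This block passed `1` as the third argument and appended `$edituser->error` to `$message` on failure, whereas `User::update()` passes `0` and does not inspect the result in the lines shown in `htdocs/user.class.php`. Confirm that the change of the third argument is intended and that a failed password change still reaches the user as an error. If the note is kept, it would read better as `// TODO: duplicates update(), which already calls setPassword()`.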
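Review bot: The added TODO records a known defect, that saving the form alters the stored password when passwords are kept crypted, without saying what triggers it or what the intended fix is; something like `// TODO: the type="password" input changes the stored password on save (seen in crypted mode)` plus a one-line description of the trigger would let the next maintainer act on it. The string assigned to `$text` is empty on this page (the markup appears to have been stripped), so the field's `value` attribute cannot be checked here. If it is pre-filled from the stored password or hash, leaving it empty and treating an empty submission as "unchanged" would remove both the bug and the copy of the stored value in the rendered page.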