From e74e83248994bf777ad1383eacb0de66bb9e441e Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 7 Jun 2007 15:59:19 +0000 Subject: [PATCH] =?UTF-8?q?Fix:=20mise=20en=20fonction=20de=20la=20v=E9rif?= =?UTF-8?q?ication=20des=20droits=20d'acc=E8s=20users,=20clients=20et=20co?= =?UTF-8?q?mmerciaux?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- htdocs/comm/adresse_livraison.php | 36 ++----------------------------- htdocs/comm/clients.php | 10 ++------- htdocs/comm/contact.php | 16 +++----------- htdocs/comm/fiche.php | 24 ++------------------- htdocs/docsoc.php | 2 +- htdocs/lib/functions.inc.php | 12 ++++++++--- htdocs/societe.php | 2 +- htdocs/socnote.php | 21 ++---------------- 8 files changed, 22 insertions(+), 101 deletions(-) diff --git a/htdocs/comm/adresse_livraison.php b/htdocs/comm/adresse_livraison.php index 273dcbe01cc..0a72cf9fa57 100644 --- a/htdocs/comm/adresse_livraison.php +++ b/htdocs/comm/adresse_livraison.php @@ -32,19 +32,8 @@ require("pre.inc.php"); require_once(DOL_DOCUMENT_ROOT."/lib/company.lib.php"); require_once(DOL_DOCUMENT_ROOT."/comm/adresse_livraison.class.php"); -$user->getrights('societe'); -$user->getrights('commercial'); - $langs->load("companies"); $langs->load("commercial"); - -if (! $user->rights->societe->creer) -{ - if ($_GET["action"] == 'create' || $_POST["action"] == 'create') - { - accessforbidden(); - } -} $idl = isset($_GET["idl"])?$_GET["idl"]:''; $origin = isset($_GET["origin"])?$_GET["origin"]:''; 
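Review bot: The `societe->creer` gate on `action=create` is deleted in this hunk and nothing replaces it, so a user with read-only company rights can now reach the create form; the part of restrictedArea() visible in this patch only loads rights through getrights() and does not test `creer`, although most of that function's body is outside the diff. Keep an explicit write check after the restrictedArea() call that the next hunk of this file adds, where the rights are already loaded: `if (! $user->rights->societe->creer && ($_GET["action"] == 'create' || $_POST["action"] == 'create')) accessforbidden();`. The `add` and `update` actions that the next hunk lets through without a socid presumably need the same gate.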
@@ -52,29 +41,8 @@ $originid = isset($_GET["originid"])?$_GET["originid"]:''; $socid = isset($_GET["socid"])?$_GET["socid"]:''; if (! $socid && ($_REQUEST["action"] != 'create' && $_REQUEST["action"] != 'add' && $_REQUEST["action"] != 'update')) accessforbidden(); -// Sécurité accés client -if ($user->societe_id > 0) -{ - $_GET["action"] = ''; - $_POST["action"] = ''; - $socid = $user->societe_id; -} - -// Protection restriction commercial -if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0) -{ - $sql = "SELECT sc.fk_soc"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id; - - if ( $db->query($sql) ) - { - if ( $db->num_rows() == 0) accessforbidden(); - } -} - - - +// Sécurité d'accès client et commerciaux +$socid = restrictedArea($user, 'societe', $socid); /* * Actions diff --git a/htdocs/comm/clients.php b/htdocs/comm/clients.php index 96ba9d36233..5b7186b68dc 100644 --- a/htdocs/comm/clients.php +++ b/htdocs/comm/clients.php @@ -29,14 +29,8 @@ require("./pre.inc.php"); -if (!$user->rights->societe->lire) accessforbidden(); - -// Sécurité accés client -if ($user->societe_id > 0) -{ - $action = ''; - $socid = $user->societe_id; -} +// Sécurité d'accès client et commerciaux +$socid = restrictedArea($user, 'societe'); $page=$_GET["page"]; $sortorder=$_GET["sortorder"]; diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index 2233447b3be..c2947d63a9b 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php 
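Review bot: The line kept just above still allows `create`/`add`/`update` without a `socid`, but the new `restrictedArea($user, 'societe', $socid)` call with an empty `$socid` and the default `$list=0` ends in the `accessforbidden()` branch this same commit adds to functions.inc.php, so those actions become unreachable for internal users. Either pass `$list=1` here and keep the actions gated by `societe->creer`, or only hand the object id to restrictedArea() when one is present. `$socid` also travels from `$_GET` straight into the SQL string built inside restrictedArea(); cast it at the call site, `$socid = isset($_GET["socid"])?(int) $_GET["socid"]:'';`, rather than relying on the callee.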
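Review bot: `restrictedArea($user, 'societe')` is called with no object id and the default `$list=0`, which in the functions.inc.php hunk of this commit lands in the new `else if (!$objectid && $modulename == 'societe' && $list==0) accessforbidden();`, so this list page looks unreachable for every user; societe.php in the same commit passes `1` as the fifth argument for exactly this case. Use `$socid = restrictedArea($user, 'societe', '', '', 1);`. The removed block also cleared the local `$action` for external users, whereas restrictedArea() only blanks `$_GET["action"]`/`$_POST["action"]`; if `$action` is assigned from another source before this point, it is no longer reset — worth confirming, as the rest of the page is outside the hunk.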
@@ -41,21 +41,11 @@ if ($page < 0) { $page = 0 ; } $limit = $conf->liste_limit; $offset = $limit * $page ; -$socid=$_GET["socid"]; +$socid = isset($_GET["socid"])?$_GET["socid"]:''; $type=$_GET["type"]; - -/* - * Sécurité accés client - */ -if ($user->societe_id > 0) -{ - $action = ''; - $socid = $user->societe_id; -} -if (!$user->rights->societe->lire) accessforbidden(); - - +// Sécurité d'accès client et commerciaux +$socid = restrictedArea($user, 'societe'); llxHeader('','Contacts'); diff --git a/htdocs/comm/fiche.php b/htdocs/comm/fiche.php index 6878f993d48..6bf0aa86f22 100644 --- a/htdocs/comm/fiche.php +++ b/htdocs/comm/fiche.php @@ -44,30 +44,10 @@ $langs->load("bills"); $langs->load("contracts"); if ($conf->fichinter->enabled) $langs->load("interventions"); -$user->getrights("commercial"); -if (!$user->rights->societe->lire) accessforbidden(); - $socid = isset($_GET["socid"])?$_GET["socid"]:''; -if ($socid == '') accessforbidden(); -// Protection quand utilisateur externe -if ($user->societe_id > 0) -{ - $socid = $user->societe_id; -} - -// Protection restriction commercial -if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0) -{ - $sql = "SELECT sc.fk_soc, s.client"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s"; - $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1"; - - if ( $db->query($sql) ) - { - if ( $db->num_rows() == 0) accessforbidden(); - } -} +// Sécurité d'accès client et commerciaux +$socid = restrictedArea($user, 'societe', $socid); $sortorder=$_GET["sortorder"]; $sortfield=$_GET["sortfield"]; diff --git a/htdocs/docsoc.php b/htdocs/docsoc.php index 0f6a60eff9c..ab479438177 100644 --- a/htdocs/docsoc.php +++ b/htdocs/docsoc.php 
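Review bot: `$socid` is read from `$_GET` on the line above but not passed to restrictedArea(), so a commercial without `client->voir` is not limited to their own companies on this page, and the helper's return value then overwrites `$socid` with its initial `0` for internal users; with no object id and `$list=0` the call also falls into the new `accessforbidden()` branch in functions.inc.php, making the page unreachable. Call `$socid = restrictedArea($user, 'societe', $socid, '', 1);` so a supplied `socid` is checked and kept while the unfiltered list remains allowed. The original `if (!$user->rights->societe->lire) accessforbidden();` is dropped here; the visible part of restrictedArea() loads the rights but shows no `lire` test, so confirm that check exists in the part of the function outside this patch.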
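Review bot: The removed per-page query required `s.client = 1` in addition to a row in `societe_commerciaux`, while the `societe` branch of restrictedArea() visible in the functions.inc.php hunk only checks `sc.fk_soc = <id> AND sc.fk_user = <user>`, so after this commit a commercial can open comm/fiche.php for a non-customer company they are assigned to. If that loosening is intended, it deserves a line in the commit message; otherwise keep the customer condition for this page or give the helper a way to express it. `$socid` is also passed uncast from `$_GET` into SQL built by string concatenation; cast it here, `$socid = isset($_GET["socid"])?(int) $_GET["socid"]:'';`.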
@@ -39,7 +39,7 @@ $mesg = ""; $socid = isset($_GET["socid"])?$_GET["socid"]:''; // Sécurité d'accès client et commerciaux -$socid = restrictedArea($user, 'commercial', $socid, 'societe'); +$socid = restrictedArea($user, 'societe', $socid); /* * Actions diff --git a/htdocs/lib/functions.inc.php b/htdocs/lib/functions.inc.php index d282fd3721c..4a772da212b 100644 --- a/htdocs/lib/functions.inc.php +++ b/htdocs/lib/functions.inc.php @@ -1254,13 +1254,15 @@ function dol_loginfunction($notused,$pearstatus) * \param objectid ID du document * \param dbtable Table de la base correspondant au module (optionnel) */ - function restrictedArea($user, $modulename, $objectid='' , $dbtablename='') + function restrictedArea($user, $modulename, $objectid='', $dbtablename='', $list=0) { global $db; $user->getrights($modulename); $user->getrights('commercial'); + $socid = 0; + if ($modulename == 'societe' && $objectid) $socid = $objectid; //si dbtable non défini, même nom que le module if (!$dbtable) $dbtablename = $modulename; @@ -1283,7 +1285,7 @@ function dol_loginfunction($notused,$pearstatus) $_POST["action"] = ''; $socid = $user->societe_id; } - + if ($objectid) { if ($modulename == 'societe' && !$user->rights->commercial->client->voir && !$socid > 0) @@ -1292,7 +1294,7 @@ function dol_loginfunction($notused,$pearstatus) $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql .= " WHERE sc.fk_soc = ".$objectid." AND sc.fk_user = ".$user->id; } - else if ($objectid && (!$user->rights->commercial->client->voir || $socid > 0)) + else if (!$user->rights->commercial->client->voir || $socid > 0) { $sql = "SELECT sc.fk_soc, dbt.fk_soc"; $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX.$dbtablename." as dbt"; @@ -1312,6 +1314,10 @@ function dol_loginfunction($notused,$pearstatus) } } } + else if (!$objectid && $modulename == 'societe' && $list==0) + { + accessforbidden(); + } return $socid; } 
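Review bot: `$objectid` is concatenated unescaped into `sc.fk_soc = ".$objectid."` further down, and after this commit every caller hands it `$_GET["socid"]`/`$_POST["socid"]` verbatim, so the central check is SQL-injectable; normalise it once at the top, `if ($objectid) $objectid = (int) $objectid;`, before `$socid` is copied from it. The line `if (!$dbtable) $dbtablename = $modulename;` tests a variable that does not exist (the parameter is `$dbtablename`), so the optional table name is always overwritten with the module name — which is presumably why docsoc.php's former `'societe'` argument had no effect; fix it to `if (!$dbtablename) $dbtablename = $modulename;`. The new `$list` parameter is missing from the `\param` block at the start of the hunk; add `* \param list 1 for list pages that may run without an object id, 0 (default) to forbid access without one`.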
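Review bot: `!$socid > 0` parses as `(!$socid) > 0`, i.e. it is true only when `$socid` is empty; before this commit `$socid` was only ever set for external users, so the expression meant "internal user", but the first hunk now assigns `$socid = $objectid` for the `societe` module, which makes this condition false for every internal user viewing a company and skips the `societe_commerciaux` check the removed per-page code performed. Control then falls into `else if (!$user->rights->commercial->client->voir || $socid > 0)`, which joins `$dbtablename as dbt` on `dbt.fk_soc` with `$dbtablename` equal to `societe` — a shape the removed page-level queries never used for companies. Make the intent explicit and independent of `$socid`: `if ($modulename == 'societe' && !$user->rights->commercial->client->voir && !($user->societe_id > 0))`.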
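Review bot: The added `else if` fails closed when no object id is given, which is right, but the result handling that ends in the closing braces above appears to follow the removed per-page pattern `if ($db->query($sql)) { if ($db->num_rows() == 0) accessforbidden(); }`, where a query that errors out (for example a `dbt.fk_soc` reference that the target table lacks) simply falls through and grants access. That part of the function is outside this patch, so confirm it; if it matches, treat a failed `$db->query($sql)` as a denial and call `accessforbidden()` there too. The closing `}` lines also show this `else if` binds to `if ($objectid)`, so callers that pass neither an object id nor `$list=1` — clients.php and contact.php in this same commit — are always forbidden.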
diff --git a/htdocs/societe.php b/htdocs/societe.php index 929554e7c1b..2aae951499d 100644 --- a/htdocs/societe.php +++ b/htdocs/societe.php @@ -37,7 +37,7 @@ $langs->load("customers"); $langs->load("suppliers"); // Sécurité d'accès client et commerciaux -$socid = restrictedArea($user, 'societe'); +$socid = restrictedArea($user, 'societe','','',1); $search_nom=isset($_GET["search_nom"])?$_GET["search_nom"]:$_POST["search_nom"]; $search_ville=isset($_GET["search_ville"])?$_GET["search_ville"]:$_POST["search_ville"]; diff --git a/htdocs/socnote.php b/htdocs/socnote.php index 1666b2a7ee4..ca8ecfea9de 100644 --- a/htdocs/socnote.php +++ b/htdocs/socnote.php @@ -35,28 +35,11 @@ $action = isset($_GET["action"])?$_GET["action"]:$_POST["action"]; $langs->load("companies"); -$user->getrights('commercial'); - // Protection quand utilisateur externe $socid = isset($_GET["socid"])?$_GET["socid"]:$_POST["socid"]; -if ($user->societe_id > 0) -{ - $socid = $user->societe_id; -} - -// Protection restriction commercial -if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0) -{ - $sql = "SELECT sc.fk_soc, s.client"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s"; - $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1"; - - if ( $db->query($sql) ) - { - if ( $db->num_rows() == 0) accessforbidden(); - } -} +// Sécurité d'accès client et commerciaux +$socid = restrictedArea($user, 'societe', $socid); if ($_POST["action"] == 'add') {