From e9d5ba5de3a2456fc80a859dbcf7b8c07f6ed21f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 13 Jun 2022 10:58:21 +0200
Subject: [PATCH] Debug v16
---
 htdocs/intracommreport/card.php | 17 +++++++++++++++--
 .../class/intracommreport.class.php | 5 ++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/htdocs/intracommreport/card.php b/htdocs/intracommreport/card.php
index e801416d63d..681320e0d75 100644
--- a/htdocs/intracommreport/card.php
+++ b/htdocs/intracommreport/card.php
@@ -68,6 +68,19 @@ $hookmanager->initHooks(array('intracommcard', 'globalcard'));
 $error = 0;
+$permissiontoread = $user->rights->intracommreport->read;
+$permissiontoadd = $user->rights->intracommreport->write;
+$permissiontodelete = $user->rights->intracommreport->delete;
+
+// Security check (enable the most restrictive one)
+//if ($user->socid > 0) accessforbidden();
+//if ($user->socid > 0) $socid = $user->socid;
+//$isdraft = (isset($object->status) && ($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
+if (empty($conf->intracommreport->enabled)) accessforbidden();
+if (!$permissiontoread) accessforbidden();
+
+
 /*
 * Actions
@@ -80,7 +93,7 @@ if ($reshook < 0) {
 setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
 }
-if ($user->rights->intracommreport->delete && $action == 'confirm_delete' && $confirm == 'yes') {
+if ($permissiontodelete && $action == 'confirm_delete' && $confirm == 'yes') {
 $result = $object->delete($id, $user);
 if ($result > 0) {
 if (!empty($backtopage)) {
@@ -95,7 +108,7 @@ if ($user->rights->intracommreport->delete && $action == 'confirm_delete' && $co
 }
 }
-if ($action == 'add' && $user->rights->intracommreport->write) {
+if ($action == 'add' && $permissiontoadd) {
 $object->label = trim($label);
 $object->type = trim($exporttype);
 $object->type_declaration = $type_declaration;
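Review bot: The new gate in card.php decides access on module activation and the read right only; all three template options for third-party-bound accounts (`$user->socid > 0`) are left commented out, so that case is not settled in code. If these reports are meant for internal users only, enable `if ($user->socid > 0) accessforbidden();` and drop the unused template lines. Separately, the three `$permissionto…` assignments read `$user->rights->intracommreport->…` before the `$conf->intracommreport->enabled` test, which may touch an undefined property when the module is off; `$permissiontoread = !empty($user->rights->intracommreport->read);` (and the same for write and delete) avoids that. The delete and add actions in the two following hunks depend on these variables, and the script continues outside all three hunks.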
diff --git a/htdocs/intracommreport/class/intracommreport.class.php b/htdocs/intracommreport/class/intracommreport.class.php
index ef13649f8c8..c34ad5d8f58 100644
--- a/htdocs/intracommreport/class/intracommreport.class.php
+++ b/htdocs/intracommreport/class/intracommreport.class.php
@@ -124,7 +124,6 @@ class IntracommReport extends CommonObject
 */
 public function getXML($mode = 'O', $type = 'introduction', $period_reference = '')
 {
- global $conf, $mysoc;
 /**************Construction de quelques variables********************/
@@ -437,7 +436,8 @@ class IntracommReport extends CommonObject
 */
 public function getNextDeclarationNumber()
 {
- $resql = $this->db->query('SELECT MAX(numero_declaration) as max_declaration_number FROM '.MAIN_DB_PREFIX.$this->table_element." WHERE exporttype='".$this->db->escape($this->exporttype)."'");
+ $sql = 'SELECT MAX(numero_declaration) as max_declaration_number FROM '.MAIN_DB_PREFIX.$this->table_element." WHERE exporttype='".$this->db->escape($this->exporttype)."'";
+ $resql = $this->db->query($sql);
 if ($resql) {
 $res = $this->db->fetch_object($resql);
 }
@@ -463,7 +463,6 @@ class IntracommReport extends CommonObject
 */
 public function generateXMLFile()
 {
- $name = $this->periode.'.xml';
 $fname = sys_get_temp_dir().'/'.$name;
 $f = fopen($fname, 'w+');
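Review bot: The failure path of the query in getNextDeclarationNumber() is still unhandled: `$res` is assigned only inside `if ($resql)` and the hunk shows no else branch, so whatever follows outside the hunk may read an unset variable when the query fails. Record the error there, e.g. `} else { $this->error = $this->db->lasterror(); }`, and decide what the method returns in that case. With the statement now held in `$sql`, a `dol_syslog(__METHOD__, LOG_DEBUG);` before the query would also make it traceable. The `exporttype` value is escaped before it is quoted into the statement, which is the right handling here.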
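Review bot: generateXMLFile() opens `sys_get_temp_dir().'/'.$name` with `fopen($fname, 'w+')`, a guessable path in the shared temp directory, and the hunk shows the name built from `$this->periode` without sanitising, so a value containing path separators would move the write outside that directory. The commit leaves this as it was. Suggest `$name = dol_sanitizeFileName($this->periode).'.xml';`, or a unique file from `tempnam(sys_get_temp_dir(), 'intracomm')`, plus a check that `$f !== false` before writing. Where `periode` is populated is not visible here, so confirm whether request data can reach it; the method body continues outside the hunk.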