From ef8c6ec1171b953580c005660b995cbdefddfbbb Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 1 Apr 2021 11:18:35 +0200
Subject: [PATCH] FIX #yogosha5775
---
 htdocs/product/ajax/products.php | 12 +++++++-----
 htdocs/societe/ajax/company.php | 25 ++++++++++++++++++++-----
 htdocs/societe/document.php | 14 +++++++-------
 htdocs/societe/note.php | 12 +++++++-----
 4 files changed, 41 insertions(+), 22 deletions(-)
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index c620320fafe..901e2b387e3 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -63,7 +63,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
 $hidepriceinlabel = GETPOST('hidepriceinlabel', 'int');
 // Security check
-$result = restrictedArea($user, 'produit|service', 0, 'product&product');
+restrictedArea($user, 'produit|service', 0, 'product&product');
 /*
@@ -219,13 +219,13 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 return;
 }
- // Filter on product to search can be:
- // Into an array with key $htmlname123 (we take first one found)
+ // Filter on the product to search can be:
+ // Into an array with key $htmlname123 (we take first one found). Which page use this ?
 // Into a var with name $htmlname can be 'prodid', 'productid', ...
 $match = preg_grep('/('.$htmlname.'[0-9]+)/', array_keys($_GET));
 sort($match);
- $idprod = (empty($match[0]) ? '' : $match[0]); // Take first param in GET with key answer
+ $idprod = (empty($match[0]) ? '' : $match[0]); // Take first key found into GET array with matching $htmlname123
 if (GETPOST($htmlname, 'alpha') == '' && (!$idprod || !GETPOST($idprod, 'alpha'))) {
 print json_encode(array());
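Review bot: The rewritten comment `// Into an array with key $htmlname123 (we take first one found). Which page use this ?` leaves an open question in the code instead of documenting the contract, and the same text is added to htdocs/societe/ajax/company.php in the `@@ -87,12 +98,16 @@` hunk. Either resolve it or mark it as a task, e.g. `// TODO: identify which caller passes the $htmlname<N> key form; preg_grep keeps the first matching GET key`. The new inline comment on the `$idprod` line is an improvement, but the variable still holds the name of the matching GET parameter (read later through GETPOST), not a product id, so a short note such as `// name of the GET key, not the id itself` would prevent the obvious misreading. The enclosing `if` block starts before this hunk.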
@@ -235,7 +235,9 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 // When used from jQuery, the search term is added as GET param "term".
 $searchkey = (($idprod && GETPOST($idprod, 'alpha')) ? GETPOST($idprod, 'alpha') : (GETPOST($htmlname, 'alpha') ? GETPOST($htmlname, 'alpha') : ''));
- $form = new Form($db);
+ if (!is_object($form)) {
+ $form = new Form($db);
+ }
 if (empty($mode) || $mode == 1) { // mode=1: customer
 $arrayresult = $form->select_produits_list("", $htmlname, $type, 0, $price_level, $searchkey, $status, $finished, $outjson, $socid, '1', 0, '', $hidepriceinlabel, $warehouseStatus);
diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php
index 86e6f68c16c..fc10bb3c688 100644
--- a/htdocs/societe/ajax/company.php
+++ b/htdocs/societe/ajax/company.php
@@ -51,6 +51,19 @@ $id = GETPOST('id', 'int');
 $excludeids = GETPOST('excludeids', 'intcomma');
 $showtype = GETPOST('showtype', 'int');
+$object = new Societe($db);
+if ($id > 0) {
+ $object->fetch($id);
+}
+
+// Security check
+if ($user->socid > 0) {
+ unset($action);
+ $socid = $user->socid;
+ $object->id = $socid;
+}
+restrictedArea($user, 'societe', $object->id, '&societe');
+
 /*
 * View
@@ -64,9 +77,7 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 $outjson = array();
- $object = new Societe($db);
- $ret = $object->fetch($id);
- if ($ret > 0) {
+ if ($object->id > 0) {
 $outref = $object->ref;
 $outname = $object->name;
 $outdesc = '';
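Review bot: The new guard `if (!is_object($form))` reads `$form` through an ordinary function call, so if `$form` has not been assigned earlier in products.php (not visible in this hunk) PHP raises an "Undefined variable" warning before falling into the assignment, whereas `isset()`/`empty()` would not. Prefer `if (empty($form) || !is_object($form)) {` so the guard is silent in both cases. If the script always defines `$form` before this point, a one-line comment saying where it comes from would make the reuse intentional rather than accidental.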
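Review bot: In the new company.php security block, an external user's request first runs `$object->fetch($id)` on the company named in the URL and then only overwrites `$object->id = $socid;`, so `$object` keeps another third party's `ref`, `name` and other fields under the user's own id. Today `unset($action)` keeps the `fetch` branch from printing them, but any later use of `$object` in this script would expose them; reloading the object is safer: `$object = new Societe($db);` `$object->fetch($socid);`. The return value of `$object->fetch($id)` is also discarded, and the `@@ -64,9 +77,7 @@` hunk replaces the former `$ret > 0` test with `$object->id > 0`, which is only equivalent if `Societe::fetch()` never leaves an id set after a failed or erroring lookup — worth confirming or checking the return explicitly.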
@@ -87,12 +98,16 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 return;
 }
+ // Filter on the company to search can be:
+ // Into an array with key $htmlname123 (we take first one found). Which page use this ?
+ // Into a var with name $htmlname can be 'prodid', 'productid', ...
 $match = preg_grep('/('.$htmlname.'[0-9]+)/', array_keys($_GET));
 sort($match);
- $id = (!empty($match[0]) ? $match[0] : '');
+
+ $id = (!empty($match[0]) ? $match[0] : ''); // Take first key found into GET array with matching $htmlname123
 // When used from jQuery, the search term is added as GET param "term".
- $searchkey = (($id && GETPOST($id, 'alpha')) ?GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : ''));
+ $searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : ''));
 if (!$searchkey) {
 return;
diff --git a/htdocs/societe/document.php b/htdocs/societe/document.php
index 600cb03af1a..746d1c403c7 100644
--- a/htdocs/societe/document.php
+++ b/htdocs/societe/document.php
@@ -39,13 +39,6 @@ $confirm = GETPOST('confirm');
 $id = (GETPOST('socid', 'int') ? GETPOST('socid', 'int') : GETPOST('id', 'int'));
 $ref = GETPOST('ref', 'alpha');
-// Security check
-if ($user->socid > 0) {
- unset($action);
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'societe', $id, '&societe');
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
@@ -84,6 +77,13 @@ if ($id > 0 || !empty($ref)) {
 $hookmanager->initHooks(array('thirdpartydocument', 'globalcard'));
+// Security check
+if ($user->socid > 0) {
+ unset($action);
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $object->id, '&societe');
+
 /*
 * Actions
diff --git a/htdocs/societe/note.php b/htdocs/societe/note.php
index 22f235df7de..2ebe97848f2 100644
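Review bot: The three comment lines added to company.php were copied from products.php and still say the variable name `can be 'prodid', 'productid', ...`, which is misleading in a company search; reduce it to `// Into a var whose name is $htmlname` or give a company-side example. Note that this hunk also reassigns `$id` to the name of the matching GET key, so after this point `$id` is no longer the company id read at the top of the file — a comment on the `$id = (!empty($match[0]) ...` line making that explicit would save the next reader a wrong assumption. The spacing fix `? GETPOST($id, 'alpha')` was applied only to the first ternary; the second `?GETPOST($htmlname, 'alpha')` on the same line is still unspaced. The enclosing `if` block starts before this hunk.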
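Review bot: The relocated check in document.php now passes `$object->id` (loaded by the fetch under `if ($id > 0 || !empty($ref))`) to restrictedArea, but unlike the new company.php block it does not reset `$object->id` to `$socid` for external users, so whether an external user asking for another company's id is rejected depends on restrictedArea() itself comparing the object id with `$user->socid`, which this diff does not show. The same applies to the `@@ -50,6 +45,13 @@` hunk in htdocs/societe/note.php, where the removed `$id = $user->socid;` override previously forced the fetch onto the user's own company. Either align the three files on one pattern or add a comment on the `restrictedArea` line stating that external-user ownership is enforced inside it, e.g. `// restrictedArea() must reject external users whose socid differs from $object->id`. Both card pages also keep assigning the unused `$result`, while products.php drops it in the same commit.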
--- a/htdocs/societe/note.php
+++ b/htdocs/societe/note.php
@@ -33,12 +33,7 @@ $action = GETPOST('action', 'aZ09');
 $langs->load("companies");
-// Security check
 $id = GETPOST('id') ?GETPOST('id', 'int') : GETPOST('socid', 'int');
-if ($user->socid) {
- $id = $user->socid;
-}
-$result = restrictedArea($user, 'societe', $id, '&societe');
 $object = new Societe($db);
 if ($id > 0) {
@@ -50,6 +45,13 @@ $permissionnote = $user->rights->societe->creer; // Used by the include of actio
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('thirdpartynote', 'globalcard'));
+// Security check
+if ($user->socid > 0) {
+ unset($action);
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $object->id, '&societe');
+
 /*
 * Actions