From a3315e8e160b4a94b9187d0518ebc8fb0b2fbfc4 Mon Sep 17 00:00:00 2001 From: bomuux Date: Mon, 22 Nov 2021 16:17:49 +0100 Subject: [PATCH 1/2] contact/note.php always restricted for external users Case of external user : 1- restrictedArea always block the access, 2- if this weren't the case, the following code is obviously wrong : fetching a Contact from a Societe id... --- htdocs/contact/note.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/contact/note.php b/htdocs/contact/note.php index 1cb76b5336e..6ced85a5735 100644 --- a/htdocs/contact/note.php +++ b/htdocs/contact/note.php @@ -36,9 +36,9 @@ $langs->load("companies"); // Security check $id = GETPOST('id', 'int'); -if ($user->socid) { - $id = $user->socid; -} +//if ($user->socid) { +// $id = $user->socid; +//} $result = restrictedArea($user, 'contact', $id, 'socpeople&societe'); $object = new Contact($db); From 5e55bb20e3c45ecda423b8daff73fdc5b6ebda93 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 30 Nov 2021 12:21:21 +0100 Subject: [PATCH 2/2] Update note.php --- htdocs/contact/note.php | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/htdocs/contact/note.php b/htdocs/contact/note.php index 6ced85a5735..7c722d31211 100644 --- a/htdocs/contact/note.php +++ b/htdocs/contact/note.php 
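Review bot: The `if ($user->socid)` override is commented out instead of deleted, leaving three dead `//` lines where the only visible scoping of external users used to be; delete them outright rather than keep them as a comment. With the override gone, an external user's `id` now reaches `restrictedArea($user, 'contact', $id, 'socpeople&societe')` unchanged, so this hunk relies entirely on restrictedArea() comparing the contact's company with `$user->socid` — the commit message asserts that, but nothing in the hunk shows it, and no replacement check is added in its place. Removing the old override is itself correct, since it fed a Societe id into a Contact fetch; the open question is what enforces the external-user restriction afterwards.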
@@ -34,18 +34,22 @@ $action = GETPOST('action', 'aZ09'); // Load translation files required by the page $langs->load("companies"); -// Security check $id = GETPOST('id', 'int'); -//if ($user->socid) { -// $id = $user->socid; -//} -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe'); $object = new Contact($db); if ($id > 0) { $object->fetch($id); } +// Security check +if ($user->socid > 0) { + if ($object->fk_soc > 0 && $object->fk_soc != $user->socid) { + accessforbidden(); + } +} +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe'); + + $permissionnote = $user->rights->societe->creer; // Used by the include of actions_setnotes.inc.php // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
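Review bot: The new external-user guard never rejects a contact that has no company: because of the `$object->fk_soc > 0 &&` clause, a contact whose fk_soc is empty — or an `id` for which fetch() found nothing — is not denied to a user with `$user->socid` set, so such a user can open the notes of any company-less contact just by changing `id`. Unless that is intended, require the company to match: `if (empty($object->fk_soc) || $object->fk_soc != $user->socid) { accessforbidden(); }`. The hunk also moves `$object->fetch($id)` ahead of `restrictedArea()`, so any caller triggers a database read by an arbitrary id before the permission check; that is only harmless if restrictedArea() terminates the request on failure, which this hunk does not show. Whether restrictedArea() with 'socpeople&societe' already scopes contacts to `$user->socid` is not visible here either; if it does, the added block is defence in depth and the `// Security check` comment should say so, e.g. `// Security check: external users may only see contacts of their own company (also enforced by restrictedArea)`.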