diff --git a/htdocs/variants/admin/admin.php b/htdocs/variants/admin/admin.php
index f5467760a89..ade64ea6a7b 100644
--- a/htdocs/variants/admin/admin.php
+++ b/htdocs/variants/admin/admin.php
@@ -25,7 +25,7 @@ $langs->loadLangs(array("admin", "products"));
 $action = GETPOST('action', 'alphanohtml');
 // Security check
-if (!$user->admin || (empty($conf->product->enabled) && empty($conf->service->enabled))) {
+if (!$user->admin || empty($conf->variants->enabled)) {
 accessforbidden();
 }
diff --git a/htdocs/variants/ajax/getCombinations.php b/htdocs/variants/ajax/getCombinations.php
index adb227c2fd6..9c670fa07cc 100644
--- a/htdocs/variants/ajax/getCombinations.php
+++ b/htdocs/variants/ajax/getCombinations.php
@@ -36,7 +36,24 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductCombination.class.php';
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 $id = GETPOST('id', 'int');
diff --git a/htdocs/variants/ajax/get_attribute_values.php b/htdocs/variants/ajax/get_attribute_values.php
index e61676339ee..1d4eab49773 100644
--- a/htdocs/variants/ajax/get_attribute_values.php
+++ b/htdocs/variants/ajax/get_attribute_values.php
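Review bot: In getCombinations.php the new `$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;` is computed before the module-enabled check and reads `->lire` as a bare property access on `$user->rights->produit` and `$user->rights->service`; if either rights object is not populated (presumably when that module is disabled), PHP 8 emits an "attempt to read property on null" warning on every request, although the null result still denies access. Writing it as `$permissiontoread = !empty($user->rights->produit->lire) || !empty($user->rights->service->lire);` gives the same outcome without the warning. The brace-less `if (!$permissiontoread) accessforbidden();` should become `if (!$permissiontoread) { accessforbidden(); }` to match the two blocks above it, and the commented-out `//$result = restrictedArea($user, 'variant');` is dead code that should either be enabled or removed. The same block is added verbatim in get_attribute_values.php, orderAttribute.php, card.php, combinations.php, create.php, create_val.php and list.php, so each copy needs the same change.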
@@ -36,7 +36,24 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php';
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 $id = GETPOST('id', 'int');
diff --git a/htdocs/variants/ajax/orderAttribute.php b/htdocs/variants/ajax/orderAttribute.php
index c787517e5c7..1d9e1b8e892 100644
--- a/htdocs/variants/ajax/orderAttribute.php
+++ b/htdocs/variants/ajax/orderAttribute.php
@@ -37,6 +37,18 @@ if (!defined('NOREQUIRETRAN')) {
 require '../../main.inc.php';
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
  * View
diff --git a/htdocs/variants/card.php b/htdocs/variants/card.php
index 7a15a4ede97..ed70c6325e3 100644
--- a/htdocs/variants/card.php
+++ b/htdocs/variants/card.php
@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 exit();
 }
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
  * Actions
diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php
index 218ee874bd6..979ec261663 100644
--- a/htdocs/variants/combinations.php
+++ b/htdocs/variants/combinations.php
@@ -64,6 +64,18 @@ if ($id > 0 || $ref) {
 $selectedvariant = $_SESSION['addvariant_'.$object->id];
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
  * Actions
diff --git a/htdocs/variants/create.php b/htdocs/variants/create.php
index 8f3a1d28d9f..f87ad3ef504 100644
--- a/htdocs/variants/create.php
+++ b/htdocs/variants/create.php
@@ -24,6 +24,18 @@ $label = GETPOST('label', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 $action = GETPOST('action', 'alpha');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
  * Actions
diff --git a/htdocs/variants/create_val.php b/htdocs/variants/create_val.php
index 22dc2a1a110..1ca647960e2 100644
--- a/htdocs/variants/create_val.php
+++ b/htdocs/variants/create_val.php
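Review bot: In card.php the security block is inserted after `if ($object->fetch($id) < 1) { exit(); }` (that `if` starts outside the hunk), so a request with the module disabled, from an external user, or from a user without product/service read rights still fetches the record from the database and gets a different response (a bare `exit()` versus `accessforbidden()`) depending on whether the id exists. The block should run before the fetch, directly after `main.inc.php` is required, so that no data access happens for a caller that is about to be refused. create_val.php's hunk has the same fetch-then-check order, and in combinations.php the block lands after `$selectedvariant = $_SESSION['addvariant_'.$object->id];`, which suggests `$object` is already loaded there as well (its enclosing `if ($id > 0 || $ref)` starts outside the hunk). Moving the added lines above the fetch in all three files changes nothing else about the check.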
@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 exit();
 }
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*
  * Actions
diff --git a/htdocs/variants/list.php b/htdocs/variants/list.php
index dde43397671..bfe4dd0aa72 100644
--- a/htdocs/variants/list.php
+++ b/htdocs/variants/list.php
@@ -21,6 +21,18 @@ require DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 $action = GETPOST('action', 'aZ09');
 $object = new ProductAttribute($db);
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+ accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+ accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 /*