From 17397d635cc76c1c1bf2ed3f2d8b0f67b4273bb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Lukas?=
Date: Sun, 5 Feb 2023 08:24:09 +0100
Subject: [PATCH 1/8] #23783
---
 htdocs/comm/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php
index a57c7232885..cdcac66f54b 100644
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
@@ -699,7 +699,7 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) {
 /*
 * Last suppliers
 */
-if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD)) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->societe->lire) {
+if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD)) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->fournisseur->lire) {
 $sql = "SELECT s.rowid as socid, s.nom as name, s.name_alias";
 $sql .= ", s.code_client, s.code_compta, s.client";
 $sql .= ", s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur";
From d8ff9468afa0342237acfd2088ce5e3f6c783887 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Lukas?=
Date: Sun, 5 Feb 2023 08:35:45 +0100
Subject: [PATCH 2/8] Update index.php
---
 htdocs/comm/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php
index cdcac66f54b..a57c7232885 100644
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
@@ -699,7 +699,7 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { /* * Last suppliers */ -if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD)) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->fournisseur->lire) { +if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD)) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->societe->lire) { $sql = "SELECT s.rowid as socid, s.nom as name, s.name_alias"; $sql .= ", s.code_client, s.code_compta, s.client"; $sql .= ", s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur"; From f5600fdffc780de458ebedfc40c616b52e39485c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnter=20Lukas?= Date: Sun, 5 Feb 2023 08:38:46 +0100 Subject: [PATCH 3/8] Update index.php --- htdocs/comm/index.php | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index a57c7232885..167005cf2f4 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -60,19 +60,11 @@ if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } +restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0); + $max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $now = dol_now(); -// Security check -$socid = GETPOST("socid", 'int'); -if ($user->socid > 0) { - $action = ''; - $id = $user->socid; -} else { - $id = 0; -} -restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0); - $maxofloop = (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD); From 31984b8f2eef16d6bda64e2aa630db24ff6a24c1 Mon Sep 17 00:00:00 2001 From: Guenter Lukas Date: Sun, 5 Feb 2023 09:33:54 +0100 Subject: [PATCH 4/8] update --- htdocs/comm/index.php | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) 
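Review bot: In PATCH 3/8, restrictedArea() now receives `$socid` where the removed code passed `$id`, which was forced to 0 for internal users, so the value checked for internal users depends on how `$socid` was initialised above the hunk (not visible here). The visible lines only pin it to `$user->socid` for external users; if it is a request parameter for everyone else, the access check now runs against a caller-supplied third-party id, which is probably the stricter and intended behaviour but deserves a comment such as `// $socid: forced to $user->socid for external users, request value otherwise`. The removed block also cleared `$action` for external users, so confirm nothing later in the file acts on `$action`. PATCH 4/8 repeats the identical hunk.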
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index a57c7232885..167005cf2f4 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -60,19 +60,11 @@ if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } +restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0); + $max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $now = dol_now(); -// Security check -$socid = GETPOST("socid", 'int'); -if ($user->socid > 0) { - $action = ''; - $id = $user->socid; -} else { - $id = 0; -} -restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0); - $maxofloop = (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD); From edb81d19553983b80869f36baad258fc4437485d Mon Sep 17 00:00:00 2001 From: Guenter Lukas Date: Sun, 5 Feb 2023 11:43:09 +0100 Subject: [PATCH 5/8] update --- htdocs/comm/action/peruser.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php index 87def7240f5..724a6a89a59 100644 --- a/htdocs/comm/action/peruser.php +++ b/htdocs/comm/action/peruser.php @@ -915,6 +915,11 @@ while ($currentdaytoshow < $lastdaytoshow) { if ($usergroup > 0) { $sql .= " AND ug.fk_usergroup = ".((int) $usergroup); } + if ($user->socid > 0) + { + // External users should see only contacts of their company + $sql .= " AND fk_soc=" . $socid; + } //print $sql; $resql = $db->query($sql); From d2a6d89fca58163b07fcbc2a15b90f04afd85415 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Sun, 5 Feb 2023 10:48:29 +0000 Subject: [PATCH 6/8] Fixing style errors. --- htdocs/comm/action/peruser.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php index 724a6a89a59..e0e6e9ff004 100644 --- a/htdocs/comm/action/peruser.php +++ b/htdocs/comm/action/peruser.php 
@@ -915,8 +915,7 @@ while ($currentdaytoshow < $lastdaytoshow) {
 if ($usergroup > 0) {
 $sql .= " AND ug.fk_usergroup = ".((int) $usergroup);
 }
- if ($user->socid > 0)
- {
+ if ($user->socid > 0) {
 // External users should see only contacts of their company
 $sql .= " AND fk_soc=" . $socid;
 }
From a0f8a2454b05e9ed3919f15850806c7c65a8c639 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Feb 2023 00:04:19 +0100
Subject: [PATCH 7/8] Update peruser.php
---
 htdocs/comm/action/peruser.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php
index e0e6e9ff004..9448ea0b77b 100644
--- a/htdocs/comm/action/peruser.php
+++ b/htdocs/comm/action/peruser.php
@@ -917,7 +917,7 @@ while ($currentdaytoshow < $lastdaytoshow) {
 }
 if ($user->socid > 0) {
 // External users should see only contacts of their company
- $sql .= " AND fk_soc=" . $socid;
+ $sql .= " AND fk_soc = ".((int) $user->socid);
 }
 //print $sql;
From b52203b4e0bf438b1a69fe98af216921d34c982e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Feb 2023 00:05:06 +0100
Subject: [PATCH 8/8] Update peruser.php
---
 htdocs/comm/action/peruser.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php
index 9448ea0b77b..ba631ba8c59 100644
--- a/htdocs/comm/action/peruser.php
+++ b/htdocs/comm/action/peruser.php
@@ -917,7 +917,7 @@ while ($currentdaytoshow < $lastdaytoshow) {
 }
 if ($user->socid > 0) {
 // External users should see only contacts of their company
- $sql .= " AND fk_soc = ".((int) $user->socid);
+ $sql .= " AND u.fk_soc = ".((int) $user->socid);
 }
 //print $sql;
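Review bot: The comment kept in PATCH 8/8 says external users see only "contacts" of their company, but the predicate filters `u.fk_soc`, and the sibling `ug.fk_usergroup` clause suggests `u` is the user table, so the rows being restricted look like user accounts rather than contacts. A more accurate comment would be `// External users only see user accounts linked to their own third party (u.fk_soc)`. This clause narrows only the user list; whether the event queries elsewhere in peruser.php are also limited to `$user->socid` is not visible in the hunk and is worth confirming, since the enclosing block starts and ends outside it.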