From 8911d72be84bd64c16cf5f8fa31329185d0a2b7d Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 12:28:04 +0100 Subject: [PATCH 1/6] FIX: task time screen: prevent users with access to all project from assigning to tasks they're not allowed to do --- htdocs/core/class/html.formprojet.class.php | 37 ++++++++++++--------- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 24 insertions(+), 17 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index 616355eab28..c2d8377add5 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php 
@@ -295,22 +295,29 @@ class FormProjets /** * Output a combo list with projects qualified for a third party * - * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id) - * @param int $selected Id task preselected - * @param string $htmlname Name of HTML select - * @param int $maxlength Maximum length of label - * @param int $option_only Return only html options lines without the select tag - * @param string $show_empty Add an empty line ('1' or string to show for empty line) - * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable) - * @param int $forcefocus Force focus on field (works with javascript only) - * @param int $disabled Disabled - * @param string $morecss More css added to the select component - * @return int Nbr of project if OK, <0 if KO + * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id) + * @param int $selected Id task preselected + * @param string $htmlname Name of HTML select + * @param int $maxlength Maximum length of label + * @param int $option_only Return only html options lines without the select tag + * @param string $show_empty Add an empty line ('1' or string to show for empty line) + * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable) + * @param int $forcefocus Force focus on field (works with javascript only) + * @param int $disabled Disabled + * @param string $morecss More css added to the select component + * @param User $usertofilter User object to use for filtering + * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all + * @return int Nbr of project if OK, <0 if KO */ - function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, 
$morecss='maxwidth500') + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) { global $user,$conf,$langs; + if(is_null($usertofilter)) + { + $usertofilter = $user; + } + require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $out=''; @@ -319,10 +326,10 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($user->rights->projet->all->lire)) + if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) { $projectstatic=new Project($this->db); - $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1); + $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); } // Search all projects @@ -367,7 +374,7 @@ class FormProjets { $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. - if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($user->rights->societe->lire)) + if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($usertofilter->rights->societe->lire)) { // Do nothing } diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b4329ac9237..b1214f0bff7 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
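Review bot: The new `$usertofilter` parameter is untyped and documented only as "User object to use for filtering", so a caller that passes a user whose rights tree was never loaded silently makes `empty($usertofilter->rights->projet->all->lire)` true and takes the `getProjectsAuthorizedForUser()` branch, while a non-User value only produces a notice. Declaring it as `User $usertofilter = null` keeps the null default (the fallback to the global `$user` still applies) and rejects wrong types at the call site, and the docblock should say that `null` means the current user and that the object must already have its rights loaded; PATCH 2/6 re-touches the same docblock and inherits the point. It is also worth recording in a comment that this filter narrows the combo on read rights (`lire`) only: it limits what the form offers, and the page that processes the assignment, which is not in this diff, still has to validate the posted task against the target user server-side. selectTasks continues past the end of this hunk.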
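Review bot: In the third hunk of this file the condition `$socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($usertofilter->rights->societe->lire)` reads as the opposite of the comment above it: the comment says a project linked to another company is hidden, but the `// Do nothing` branch is taken when the project is unlinked or linked to `$socid` itself. The commit only swaps `$user` for `$usertofilter` here, so the inversion predates it, but since the decision is now routed through the filtered user this is the moment to confirm which is intended; if the comment is right the test should become `$obj->fk_soc != $socid` without the `empty($obj->fk_soc)` term, otherwise the comment should be corrected to match the code. The branch that follows the `else` is outside the hunk.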
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index 591f8b3ab6f..d18afc573e1 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
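Review bot: The new call passes `''` as the tenth argument (`$morecss`) merely to reach `$usertoprocess`, which replaces the method's `'maxwidth500'` default with an empty class and changes the rendered select as a side effect of a permission fix. Pass the intended class explicitly: `$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, 'maxwidth500', $usertoprocess, 1);`. The same `''` is passed in the perweek.php hunk of this patch and in both the perday.php and perweek.php hunks of PATCH 2/6.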
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); From 2fbc305683c9cacba509e4fb0a67cac4f7c98fd5 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 16:00:56 +0100 Subject: [PATCH 2/6] FIX: task time screen: last fix was overkill --- htdocs/core/class/html.formprojet.class.php | 5 ++--- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index c2d8377add5..cb31107c65c 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php @@ -306,10 +306,9 @@ class FormProjets * @param int $disabled Disabled * @param string $morecss More css added to the select component * @param User $usertofilter User object to use for filtering - * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all * @return int Nbr of project if OK, <0 if KO */ - function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null) { global $user,$conf,$langs; @@ -326,7 +325,7 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) + if (empty($usertofilter->rights->projet->all->lire)) { $projectstatic=new Project($this->db); $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); 
diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b1214f0bff7..b27572790dd 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index d18afc573e1..3d2e638849e 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); From 8ab53012b71b2dd149ea743abfd4063f5faf489c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Sat, 3 Nov 2018 18:20:36 +0100 Subject: [PATCH 3/6] mode is only customer in stats fichinter --- htdocs/fichinter/stats/index.php | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index 1c0ba5764ed..0dacf19c600 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -30,7 +30,7 @@ $WIDTH=DolGraph::getDefaultGraphSizeForStats('width'); $HEIGHT=DolGraph::getDefaultGraphSizeForStats('height'); $mode='customer'; -if ($mode == 'customer' && ! $user->rights->ficheinter->lire) accessforbidden(); +if (! $user->rights->ficheinter->lire) accessforbidden(); $userid=GETPOST('userid','int'); $socid=GETPOST('socid','int'); 
@@ -129,14 +129,12 @@ $data = $stats->getAmountByMonthWithPrevYear($endyear,$startyear); if (!$user->rights->societe->client->voir || $user->societe_id) { $filenameamount = $dir.'/interventionsamountinyear-'.$user->id.'-'.$year.'.png'; - if ($mode == 'customer') $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsamountinyear-'.$user->id.'-'.$year.'.png'; - if ($mode == 'supplier') $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstatssupplier&file=interventionsamountinyear-'.$user->id.'-'.$year.'.png'; + $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsamountinyear-'.$user->id.'-'.$year.'.png'; } else { $filenameamount = $dir.'/interventionsamountinyear-'.$year.'.png'; - if ($mode == 'customer') $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsamountinyear-'.$year.'.png'; - if ($mode == 'supplier') $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstatssupplier&file=interventionsamountinyear-'.$year.'.png'; + $fileurlamount = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsamountinyear-'.$year.'.png'; } $px2 = new DolGraph(); 
@@ -171,14 +169,12 @@ $data = $stats->getAverageByMonthWithPrevYear($endyear, $startyear); if (!$user->rights->societe->client->voir || $user->societe_id) { $filename_avg = $dir.'/interventionsaverage-'.$user->id.'-'.$year.'.png'; - if ($mode == 'customer') $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsaverage-'.$user->id.'-'.$year.'.png'; - if ($mode == 'supplier') $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstatssupplier&file=interventionsaverage-'.$user->id.'-'.$year.'.png'; + $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsaverage-'.$user->id.'-'.$year.'.png'; } else { $filename_avg = $dir.'/interventionsaverage-'.$year.'.png'; - if ($mode == 'customer') $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsaverage-'.$year.'.png'; - if ($mode == 'supplier') $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstatssupplier&file=interventionsaverage-'.$year.'.png'; + $fileurl_avg = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsaverage-'.$year.'.png'; } $px3 = new DolGraph(); @@ -221,13 +217,12 @@ if (! count($arrayyears)) $arrayyears[$nowyear]=$nowyear; $h=0; $head = array(); -$head[$h][0] = DOL_URL_ROOT . '/commande/stats/index.php?mode='.$mode; +$head[$h][0] = DOL_URL_ROOT . '/fichinter/stats/index.php?mode='.$mode; $head[$h][1] = $langs->trans("ByMonthYear"); $head[$h][2] = 'byyear'; $h++; -if ($mode == 'customer') $type='order_stats'; -if ($mode == 'supplier') $type='supplier_order_stats'; +$type='fichinter_stats'; complete_head_from_modules($conf,$langs,null,$head,$h,$type); @@ -247,7 +242,6 @@ print '
'; // Company print ''.$langs->trans("ThirdParty").''; if ($mode == 'customer') $filter='s.client in (1,2,3)'; - if ($mode == 'supplier') $filter='s.fournisseur = 1'; print $form->select_company($socid,'socid',$filter,1,0,0,array(),0,'','style="width: 95%"'); print ''; // User From d6b909a28063712acfed8ba2e6b4a9d7ade4d1fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Sat, 3 Nov 2018 18:26:11 +0100 Subject: [PATCH 4/6] Update index.php --- htdocs/fichinter/stats/index.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index 0dacf19c600..39cad7ca4f1 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -217,12 +217,12 @@ if (! count($arrayyears)) $arrayyears[$nowyear]=$nowyear; $h=0; $head = array(); -$head[$h][0] = DOL_URL_ROOT . '/fichinter/stats/index.php?mode='.$mode; +$head[$h][0] = DOL_URL_ROOT . '/fichinter/stats/index.php'; $head[$h][1] = $langs->trans("ByMonthYear"); $head[$h][2] = 'byyear'; $h++; -$type='fichinter_stats'; +$type = 'fichinter_stats'; complete_head_from_modules($conf,$langs,null,$head,$h,$type); From 670eed1e688dce5464d43bd031137a525fc1a399 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Thu, 8 Nov 2018 12:13:07 +0100 Subject: [PATCH 5/6] Update index.php --- htdocs/fichinter/stats/index.php | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index 39cad7ca4f1..9bbbea09141 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -49,10 +49,7 @@ $endyear=$year; $object_status=GETPOST('object_status'); -$langs->load('interventions'); -$langs->load('companies'); -$langs->load('other'); -$langs->load('suppliers'); +$langs->loadLangs(array('interventions', 'companies', 'other', 'suppliers')); /* 
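Review bot: The context line `$object_status=GETPOST('object_status');` in the PATCH 5/6 hunk at line 49 reads the value without the `'int'` filter, and the header of the following hunk shows it being appended to `$stats->where` after only a `$object_status > -1` comparison, which in PHP does not guarantee the value is numeric. Reading it as `$object_status=GETPOST('object_status','int');` makes the later concatenation type-safe regardless of how that fragment is built (the concatenation itself is cut off in this diff, so I cannot tell whether it already casts or escapes). The rest of the request parsing is outside the hunk.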
@@ -62,11 +59,8 @@ $langs->load('suppliers'); $form=new Form($db); $objectstatic=new FichInter($db); -if ($mode == 'customer') -{ - $title=$langs->trans("InterventionStatistics"); - $dir=$conf->ficheinter->dir_temp; -} +$title=$langs->trans("InterventionStatistics"); +$dir=$conf->ficheinter->dir_temp; llxHeader('', $title); @@ -79,19 +73,18 @@ if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_sta // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear,$startyear); -//var_dump($data); // $data = array(array('Lib',val1,val2,val3),...) if (!$user->rights->societe->client->voir || $user->societe_id) { $filenamenb = $dir.'/interventionsnbinyear-'.$user->id.'-'.$year.'.png'; - if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsnbinyear-'.$user->id.'-'.$year.'.png'; + $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsnbinyear-'.$user->id.'-'.$year.'.png'; } else { $filenamenb = $dir.'/interventionsnbinyear-'.$year.'.png'; - if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsnbinyear-'.$year.'.png'; + $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=interventionstats&file=interventionsnbinyear-'.$year.'.png'; } $px1 = new DolGraph(); @@ -123,7 +116,6 @@ if (! $mesg) // Build graphic amount of object $data = $stats->getAmountByMonthWithPrevYear($endyear,$startyear); -//var_dump($data); // $data = array(array('Lib',val1,val2,val3),...) if (!$user->rights->societe->client->voir || $user->societe_id) @@ -283,7 +275,8 @@ foreach ($data as $val) { $year = $val['year']; while (! empty($year) && $oldyear > $year+1) - { // If we have empty year + { + // If we have empty year $oldyear--; print ''; From 8bb1545ed012e38c3f7a2c664c2a2d8f05651fc6 Mon Sep 17 00:00:00 2001 
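Review bot: In the hunk at line 79, `$fileurlnb` and the context line `$filenamenb` embed `$year` and `$user->id` into a path under `$dir` and into a `viewimage.php` URL, but nothing in this diff shows where `$year` is read; if it comes from the request it should be taken with the `'int'` filter so a non-numeric value can never reach the file name. A short comment would also help the next reader, since the reason for the per-user name is not stated: `// Per-user file name: presumably so a restricted user (no client->voir, or societe_id set) only sees a graph built from its own filtered data`. The graph generation that consumes these names lies outside the hunk.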
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?= Date: Thu, 8 Nov 2018 12:16:05 +0100 Subject: [PATCH 6/6] Update index.php --- htdocs/fichinter/stats/index.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index 9bbbea09141..3551d8baab3 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -233,8 +233,8 @@ print '
'; print ''.$langs->trans("Filter").''; // Company print ''.$langs->trans("ThirdParty").''; - if ($mode == 'customer') $filter='s.client in (1,2,3)'; - print $form->select_company($socid,'socid',$filter,1,0,0,array(),0,'','style="width: 95%"'); + $filter = 's.client in (1,2,3)'; + print $form->select_company($socid, 'socid', $filter, 1, 0, 0, array(), 0, '', 'style="width: 95%"'); print ''; // User print ''.$langs->trans("CreatedBy").'';