
The check that the user belongs to the correct company (entity) is now performed only when the multicompany module is enabled.

This commit is contained in:
Laurent Destailleur
2009-05-04 10:27:35 +00:00
parent 268c58ded6
commit aee2dcff57
2 changed files with 66 additions and 60 deletions


@@ -1335,6 +1335,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
{ {
global $db, $conf; global $db, $conf;
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
if ($dbt_select != 'rowid') $objectid = "'".$objectid."'"; if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
//print "user_id=".$user->id.", feature=".$feature.", feature2=".$feature2.", object_id=".$objectid; //print "user_id=".$user->id.", feature=".$feature.", feature2=".$feature2.", object_id=".$objectid;
@@ -1431,7 +1432,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
$sql=''; $sql='';
// If dbtable not defined, we use same name for table than module name // If dbtable not defined, we use same name for table than module name
if (!$dbtablename) $dbtablename = $feature; if (empty($dbtablename)) $dbtablename = $feature;
// Check permission for object with entity // Check permission for object with entity
if ($feature == 'user' || $feature == 'usergroup' || $feature == 'produit') if ($feature == 'user' || $feature == 'usergroup' || $feature == 'produit')
@@ -1441,14 +1442,14 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
$sql.= " WHERE dbt.".$dbt_select." = ".$objectid; $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
$sql.= " AND dbt.entity IN (0,".$conf->entity.")"; $sql.= " AND dbt.entity IN (0,".$conf->entity.")";
} }
else if ($feature == 'societe') else if ($feature == 'societe')
{ {
// Check permission for external users // If external user: Check permission for external users
if ($user->societe_id > 0) if ($user->societe_id > 0)
{ {
if ($user->societe_id <> $objectid) accessforbidden(); if ($user->societe_id <> $objectid) accessforbidden();
} }
// Check permission for internal users that are restricted on their objects // If internal user: Check permission for internal users that are restricted on their objects
else if (! $user->rights->societe->client->voir) else if (! $user->rights->societe->client->voir)
{ {
$sql = "SELECT sc.fk_soc"; $sql = "SELECT sc.fk_soc";
@@ -1457,8 +1458,8 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
$sql.= " AND sc.fk_soc = s.rowid"; $sql.= " AND sc.fk_soc = s.rowid";
$sql.= " AND s.entity = ".$conf->entity; $sql.= " AND s.entity = ".$conf->entity;
} }
// Check permission for entity // If multicompany and internal users with all permissions, check user is in correct entity
else else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
{ {
$sql = "SELECT s.rowid"; $sql = "SELECT s.rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
@@ -1468,7 +1469,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
} }
else else
{ {
// Check permission for external users // If external user: Check permission for external users
if ($user->societe_id > 0) if ($user->societe_id > 0)
{ {
$sql = "SELECT dbt.fk_soc"; $sql = "SELECT dbt.fk_soc";
@@ -1476,7 +1477,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
$sql.= " WHERE dbt.rowid = ".$objectid; $sql.= " WHERE dbt.rowid = ".$objectid;
$sql.= " AND dbt.fk_soc = ".$user->societe_id; $sql.= " AND dbt.fk_soc = ".$user->societe_id;
} }
// Check permission for internal users that are restricted on their objects // If internal user: Check permission for internal users that are restricted on their objects
else if (! $user->rights->societe->client->voir) else if (! $user->rights->societe->client->voir)
{ {
$sql = "SELECT sc.fk_soc"; $sql = "SELECT sc.fk_soc";
@@ -1487,8 +1488,8 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
$sql.= " AND s.entity = ".$conf->entity; $sql.= " AND s.entity = ".$conf->entity;
$sql.= " AND IFNULL(sc.fk_user, ".$user->id.") = ".$user->id; $sql.= " AND IFNULL(sc.fk_user, ".$user->id.") = ".$user->id;
} }
// Check permission for entity // If multicompany and internal users with all permissions, check user is in correct entity
else else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
{ {
$sql = "SELECT dbt.".$dbt_select; $sql = "SELECT dbt.".$dbt_select;
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt, ".MAIN_DB_PREFIX."societe as s"; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt, ".MAIN_DB_PREFIX."societe as s";
@@ -1508,7 +1509,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
} }
else else
{ {
dol_syslog("functions.lib::restrictedArea sql=".$sql, LOG_ERR); dol_syslog("functions.lib:restrictedArea sql=".$sql, LOG_ERR);
accessforbidden(); accessforbidden();
} }
} }
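Review bot: The new entity branch still builds its WHERE clause from `$objectid` by plain string concatenation (the `dbt.".$dbt_select." = ".$objectid` pattern on the context lines), and the only preparation of `$objectid` visible earlier in the hunk is wrapping it in quotes when `$dbt_select` is not `rowid`, with no escaping or cast; because this function is the authorization gate, an `$objectid` that originates from a request parameter would be an SQL-injection vector exactly where access is decided. I would normalise it once at the top of the function: `if ($dbt_select != 'rowid') $objectid = "'".$db->escape($objectid)."'"; else $objectid = (int) $objectid;` (assuming the DB wrapper exposes an escape helper, as later Dolibarr code does). `$dbtablename` and `$dbt_select` are concatenated as identifiers the same way, so callers should only ever pass them from a fixed allow-list of known table and column names. Gating on `MAIN_MODULE_MULTICOMPANY` also leaves `$sql` empty for a fully-privileged internal user, which is only safe if the query-execution code after this hunk skips on an empty `$sql` rather than treating it as a failed query; restrictedArea begins before the first hunk, so that path is not visible here.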


@@ -48,7 +48,7 @@ if (isset($_GET["id"]) || isset($_GET["ref"]))
} }
if ($user->societe_id) $socid=$user->societe_id; if ($user->societe_id) $socid=$user->societe_id;
$result=restrictedArea($user,'produit',$id,'product','','',$fieldid); $result=restrictedArea($user,'produit',$id,'product','','',$fieldid?$fieldid:'rowid');
$mesg = ''; $mesg = '';
@@ -65,7 +65,7 @@ if ($_GET["action"] == 'fastappro')
} }
// Action ajout d'un produit ou service // Add a product or service
if ($_POST["action"] == 'add' && $user->rights->produit->creer) if ($_POST["action"] == 'add' && $user->rights->produit->creer)
{ {
$error=0; $error=0;
@@ -151,68 +151,73 @@ if ($_POST["action"] == 'add' && $user->rights->produit->creer)
} }
} }
} }
// Update a product or service
// Action mise a jour d'un produit ou service if ($_POST["action"] == 'update' && $user->rights->produit->creer)
if ($_POST["action"] == 'update' &&
$_POST["cancel"] <> $langs->trans("Cancel") &&
$user->rights->produit->creer)
{ {
$product = new Product($db); if (! empty($_POST["cancel"]))
if ($product->fetch($_POST["id"]))
{ {
$product->ref = $_POST["ref"]; $_GET["action"] = '';
$product->libelle = $_POST["libelle"]; $_GET["id"] = $_POST["id"];
$product->description = dol_htmlcleanlastbr($_POST["desc"]); }
$product->note = dol_htmlcleanlastbr($_POST["note"]); else
$product->status = $_POST["statut"]; {
$product->seuil_stock_alerte = $_POST["seuil_stock_alerte"]; $product = new Product($db);
$product->stock_loc = $_POST["stock_loc"]; if ($product->fetch($_POST["id"]))
$product->duration_value = $_POST["duration_value"];
$product->duration_unit = $_POST["duration_unit"];
$product->canvas = $_POST["canvas"];
$product->weight = $_POST["weight"];
$product->weight_units = $_POST["weight_units"];
$product->volume = $_POST["volume"];
$product->volume_units = $_POST["volume_units"];
$product->finished = $_POST["finished"];
if ($product->check())
{ {
if ($product->update($product->id, $user) > 0) $product->ref = $_POST["ref"];
$product->libelle = $_POST["libelle"];
$product->description = dol_htmlcleanlastbr($_POST["desc"]);
$product->note = dol_htmlcleanlastbr($_POST["note"]);
$product->status = $_POST["statut"];
$product->seuil_stock_alerte = $_POST["seuil_stock_alerte"];
$product->stock_loc = $_POST["stock_loc"];
$product->duration_value = $_POST["duration_value"];
$product->duration_unit = $_POST["duration_unit"];
$product->canvas = $_POST["canvas"];
$product->weight = $_POST["weight"];
$product->weight_units = $_POST["weight_units"];
$product->volume = $_POST["volume"];
$product->volume_units = $_POST["volume_units"];
$product->finished = $_POST["finished"];
if ($product->check())
{ {
$_GET["action"] = ''; if ($product->update($product->id, $user) > 0)
$_GET["id"] = $_POST["id"]; {
$_GET["action"] = '';
$_GET["id"] = $_POST["id"];
}
else
{
$_GET["action"] = 'edit';
$_GET["id"] = $_POST["id"];
$mesg = $product->error;
}
} }
else else
{ {
$_GET["action"] = 'edit'; $_GET["action"] = 'edit';
$_GET["id"] = $_POST["id"]; $_GET["id"] = $_POST["id"];
$mesg = $product->error; $mesg = $langs->trans("ErrorProductBadRefOrLabel");
} }
}
else
{
$_GET["action"] = 'edit';
$_GET["id"] = $_POST["id"];
$mesg = $langs->trans("ErrorProductBadRefOrLabel");
}
// Produit sp<73>cifique // Produit sp<73>cifique
if ($product->canvas <> '' && file_exists('canvas/product.'.$product->canvas.'.class.php') ) if ($product->canvas <> '' && file_exists('canvas/product.'.$product->canvas.'.class.php') )
{
$class = 'Product'.ucfirst($product->canvas);
include_once('canvas/product.'.$product->canvas.'.class.php');
$product = new $class($db);
if ($product->FetchCanvas($_POST["id"]))
{ {
$product->UpdateCanvas($_POST); $class = 'Product'.ucfirst($product->canvas);
include_once('canvas/product.'.$product->canvas.'.class.php');
$product = new $class($db);
if ($product->FetchCanvas($_POST["id"]))
{
$product->UpdateCanvas($_POST);
}
} }
} }
} }
} }
// clone d'un produit // Clone a product
if ($_GET["action"] == 'clone' && $user->rights->produit->creer) if ($_GET["action"] == 'clone' && $user->rights->produit->creer)
{ {
$db->begin(); $db->begin();
@@ -1335,7 +1340,7 @@ if ($_GET["id"] && $_GET["action"] == '' && $product->status)
// Liste de "Mes commandes" // Liste de "Mes commandes"
print '<tr><td width="50%" valign="top">'; print '<tr><td width="50%" valign="top">';
$sql = "SELECT s.nom, s.rowid as socid, c.rowid as commandeid, c.ref,".$db->pdate("c.date_commande")." as dc"; $sql = "SELECT s.nom, s.rowid as socid, c.rowid as commandeid, c.ref,".$db->pdate("c.date_commande")." as dc";
$sql.= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as c"; $sql.= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as c";
$sql.= " WHERE c.fk_soc = s.rowid"; $sql.= " WHERE c.fk_soc = s.rowid";
@@ -1448,7 +1453,7 @@ if ($_GET["id"] && $_GET["action"] == '' && $product->status)
// Liste de Mes factures // Liste de Mes factures
print '<tr><td width="50%" valign="top">'; print '<tr><td width="50%" valign="top">';
$sql = "SELECT s.nom, s.rowid as socid, f.rowid as factureid, f.facnumber,".$db->pdate("f.datef")." as df"; $sql = "SELECT s.nom, s.rowid as socid, f.rowid as factureid, f.facnumber,".$db->pdate("f.datef")." as df";
$sql.= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as f"; $sql.= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as f";
$sql.= " WHERE f.fk_soc = s.rowid"; $sql.= " WHERE f.fk_soc = s.rowid";