The test that the user is in the correct company is now done only when multicompany is enabled.
@@ -1335,6 +1335,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
{
|
||||
global $db, $conf;
|
||||
|
||||
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
|
||||
if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
|
||||
|
||||
//print "user_id=".$user->id.", feature=".$feature.", feature2=".$feature2.", object_id=".$objectid;
|
||||
@@ -1431,7 +1432,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
$sql='';
|
||||
|
||||
// If dbtable not defined, we use same name for table than module name
|
||||
if (!$dbtablename) $dbtablename = $feature;
|
||||
if (empty($dbtablename)) $dbtablename = $feature;
|
||||
|
||||
// Check permission for object with entity
|
||||
if ($feature == 'user' || $feature == 'usergroup' || $feature == 'produit')
|
||||
@@ -1443,12 +1444,12 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
}
|
||||
else if ($feature == 'societe')
|
||||
{
|
||||
// Check permission for external users
|
||||
// If external user: Check permission for external users
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
if ($user->societe_id <> $objectid) accessforbidden();
|
||||
}
|
||||
// Check permission for internal users that are restricted on their objects
|
||||
// If internal user: Check permission for internal users that are restricted on their objects
|
||||
else if (! $user->rights->societe->client->voir)
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc";
|
||||
@@ -1457,8 +1458,8 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
$sql.= " AND sc.fk_soc = s.rowid";
|
||||
$sql.= " AND s.entity = ".$conf->entity;
|
||||
}
|
||||
// Check permission for entity
|
||||
else
|
||||
// If multicompany and internal users with all permissions, check user is in correct entity
|
||||
else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
|
||||
{
|
||||
$sql = "SELECT s.rowid";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
|
||||
@@ -1468,7 +1469,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
}
|
||||
else
|
||||
{
|
||||
// Check permission for external users
|
||||
// If external user: Check permission for external users
|
||||
if ($user->societe_id > 0)
|
||||
{
|
||||
$sql = "SELECT dbt.fk_soc";
|
||||
@@ -1476,7 +1477,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
$sql.= " WHERE dbt.rowid = ".$objectid;
|
||||
$sql.= " AND dbt.fk_soc = ".$user->societe_id;
|
||||
}
|
||||
// Check permission for internal users that are restricted on their objects
|
||||
// If internal user: Check permission for internal users that are restricted on their objects
|
||||
else if (! $user->rights->societe->client->voir)
|
||||
{
|
||||
$sql = "SELECT sc.fk_soc";
|
||||
@@ -1487,8 +1488,8 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
$sql.= " AND s.entity = ".$conf->entity;
|
||||
$sql.= " AND IFNULL(sc.fk_user, ".$user->id.") = ".$user->id;
|
||||
}
|
||||
// Check permission for entity
|
||||
else
|
||||
// If multicompany and internal users with all permissions, check user is in correct entity
|
||||
else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
|
||||
{
|
||||
$sql = "SELECT dbt.".$dbt_select;
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt, ".MAIN_DB_PREFIX."societe as s";
|
||||
@@ -1508,7 +1509,7 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
|
||||
}
|
||||
else
|
||||
{
|
||||
dol_syslog("functions.lib::restrictedArea sql=".$sql, LOG_ERR);
|
||||
dol_syslog("functions.lib:restrictedArea sql=".$sql, LOG_ERR);
|
||||
accessforbidden();
|
||||
}
|
||||
}
|
||||
|
||||
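Review bot: The quoting added in the `@@ -1335` hunk (`if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";`) wraps the value in quotes but does not escape it, and `$objectid` is still concatenated straight into SQL in the later hunks (for example `$sql.= " WHERE dbt.rowid = ".$objectid;` in the `@@ -1476` hunk), so a non-rowid lookup value such as a ref is injectable if it originates from the request. Escape before wrapping, e.g. `if ($dbt_select != 'rowid') $objectid = "'".$db->escape($objectid)."'";`, and in the rowid case an explicit `(int)` cast would pin the expected type. The new `else if ($conf->global->MAIN_MODULE_MULTICOMPANY)` branches in the `@@ -1457` and `@@ -1487` hunks read a constant that may be undefined, which raises a notice; `! empty($conf->global->MAIN_MODULE_MULTICOMPANY)` would match the `empty($dbtablename)` form this commit itself introduces in the `@@ -1431` hunk. restrictedArea starts and ends outside these hunks.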
@@ -48,7 +48,7 @@ if (isset($_GET["id"]) || isset($_GET["ref"]))
|
||||
}
|
||||
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
|
||||
$result=restrictedArea($user,'produit',$id,'product','','',$fieldid?$fieldid:'rowid');
|
||||
|
||||
$mesg = '';
|
||||
|
||||
@@ -65,7 +65,7 @@ if ($_GET["action"] == 'fastappro')
|
||||
}
|
||||
|
||||
|
||||
// Action ajout d'un produit ou service
|
||||
// Add a product or service
|
||||
if ($_POST["action"] == 'add' && $user->rights->produit->creer)
|
||||
{
|
||||
$error=0;
|
||||
@@ -151,12 +151,16 @@ if ($_POST["action"] == 'add' && $user->rights->produit->creer)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Action mise a jour d'un produit ou service
|
||||
if ($_POST["action"] == 'update' &&
|
||||
$_POST["cancel"] <> $langs->trans("Cancel") &&
|
||||
$user->rights->produit->creer)
|
||||
// Update a product or service
|
||||
if ($_POST["action"] == 'update' && $user->rights->produit->creer)
|
||||
{
|
||||
if (! empty($_POST["cancel"]))
|
||||
{
|
||||
$_GET["action"] = '';
|
||||
$_GET["id"] = $_POST["id"];
|
||||
}
|
||||
else
|
||||
{
|
||||
$product = new Product($db);
|
||||
if ($product->fetch($_POST["id"]))
|
||||
{
|
||||
@@ -210,9 +214,10 @@ $user->rights->produit->creer)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// clone d'un produit
|
||||
// Clone a product
|
||||
if ($_GET["action"] == 'clone' && $user->rights->produit->creer)
|
||||
{
|
||||
$db->begin();
|
||||
|
||||
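Review bot: The new call in the `@@ -48` hunk passes `$fieldid?$fieldid:'rowid'` as the `$dbt_select` argument, which restrictedArea concatenates into SQL as a column name (`"SELECT dbt.".$dbt_select`); where `$fieldid` is assigned is outside this hunk, so if it can be influenced by the request it should be limited to an allow-list before the call, e.g. `if (! in_array($fieldid, array('rowid','ref'), true)) $fieldid = 'rowid';`. In the `@@ -151` hunk the cancel branch copies `$_POST["id"]` into `$_GET["id"]` unchanged and `$product->fetch($_POST["id"])` receives the raw value; an `(int)` cast on both, `$_GET["id"] = (int) $_POST["id"];`, would make the expected type explicit. The enclosing update block continues past the end of that hunk.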