From 0dbbd453e5801740ba2d2c59ba3ad4bbf6599ec4 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 16 Oct 2025 19:10:32 +0200
Subject: [PATCH] FIX Multicompany compatibility with "project_task"
---
 htdocs/core/ajax/ajaxtooltip.php | 11 +++++++++--
 htdocs/core/lib/security.lib.php | 10 +++++++---
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/htdocs/core/ajax/ajaxtooltip.php b/htdocs/core/ajax/ajaxtooltip.php
index 616832d9555..bc652517efb 100644
--- a/htdocs/core/ajax/ajaxtooltip.php
+++ b/htdocs/core/ajax/ajaxtooltip.php
@@ -60,8 +60,15 @@ $module = $object->module;
 $element = $object->element;
 $usesublevelpermission = ($module != $element ? $element : '');
-if ($usesublevelpermission && !isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
- $usesublevelpermission = '';
+$exclude = array('projet_task', 'project_task'); // for user rights compatibility
+if ($usesublevelpermission) {
+ if (!in_array($usesublevelpermission, $exclude)) {
+ if (!isset($user->rights->$module->$element)) { // There is no permission on object defined, we will check permission on module directly
+ $usesublevelpermission = '';
+ }
+ } elseif (!isset($user->rights->$module)) {
+ $usesublevelpermission = '';
+ }
 }
 //print $object->id.' - '.$object->module.' - '.$object->element.' - '.$object->table_element.' - '.$usesublevelpermission."\n";
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 7609da636fe..c96d0034038 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
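Review bot: For task elements in ajaxtooltip.php, the new `elseif (!isset($user->rights->$module))` branch keeps `$usesublevelpermission` set to `projet_task`/`project_task` as soon as the module has any rights entry, without checking that a right of that name exists. Which permission is finally tested for a task tooltip therefore depends on the access check after this hunk, which is not visible here; please verify that it denies when no matching right is found. The comment on `$exclude` should say this rather than "for user rights compatibility", for example `// task elements have no rights->$module->$element entry: keep the sub-level name so the access check applies the task rules`, if that is the intent. Because the result feeds an authorization decision, use the strict form `in_array($usesublevelpermission, $exclude, true)`.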
@@ -877,8 +877,11 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 if ($feature == 'project') {
 $feature = 'projet';
 }
- if ($feature == 'task') {
- $feature = 'projet_task';
+ if ($feature == 'projet' && !empty($feature2) && is_array($feature2) && (in_array('project_task', $feature2) || in_array('projet_task', $feature2))) {
+ $feature = 'project_task';
+ }
+ if ($feature == 'task' || $feature == 'projet_task') {
+ $feature = 'project_task';
 }
 if ($feature == 'eventorganization') {
 $feature = 'agenda';
@@ -899,7 +902,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 $checksoc = array('societe'); // Test for object Societe
 $checkparentsoc = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet', 'project'); // Test for project object
- $checktask = array('projet_task'); // Test for task object
+ $checktask = array('projet_task', 'project_task'); // Test for task object
 $checkhierarchy = array('expensereport', 'holiday'); // check permission among the hierarchy of user
 $checkuser = array('bookmark'); // check permission among the fk_user (must be myself or null)
 $nocheck = array('barcode', 'stock'); // No test
@@ -1034,6 +1037,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 return false;
 }
 } else {
+ $sharedelement = 'project'; // for multicomany compatibility
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
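Review bot: In the first security.lib.php hunk, the added condition switches `$feature` from `projet` to `project_task` only because `$feature2` names a task sub-permission, so the object id is then judged by the task rules (`$checktask`) instead of the project rules (`$checkproject`). If any caller passes a project object together with such a `$feature2`, the wrong record type would be checked; callers are not visible here, so this needs verifying. Both `in_array` calls compare loosely; `in_array('project_task', $feature2, true) || in_array('projet_task', $feature2, true)` avoids a match on a non-string element such as `true`. The canonical name also changes from `projet_task` to `project_task`, so any later comparison in this function that tests only the old spelling needs the same update that `$checktask` gets in the next hunk. The function body starts and ends outside the hunk.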
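Review bot: In the last hunk, `$sharedelement = 'project';` overwrites the share key unconditionally in this `else` branch, discarding whatever value the function computed earlier. Presumably that key selects the entities the query is restricted to, which would make it the tenant boundary for task access under Multicompany; the statement that consumes it lies outside the hunk, so please check that the entity restriction is still appended to `$sql` on this path. The comment has a typo and gives no rationale; something like `// tasks have no share key of their own: filter entities with the project sharing (Multicompany)` would record the intent, if that is the intent.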