Fix: bad security request

This commit is contained in:
Regis Houssin
2009-11-28 12:06:11 +00:00
parent af599743c8
commit 1e34322435
5 changed files with 26 additions and 17 deletions


@@ -411,7 +411,7 @@ class CommonObject
*/
function load_previous_next_ref($filter='',$fieldid)
{
global $conf;
global $conf, $user;
if (! $this->table_element)
{
@@ -422,15 +422,17 @@ class CommonObject
// this->ismultientitymanaged contains
// 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
$sql = "SELECT MAX(".$fieldid.")";
$sql = "SELECT MAX(te.".$fieldid.")";
$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
if ($this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if ($this->ismultientitymanaged == 2 || (!$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc";
$sql.= " WHERE te.".$fieldid." < '".addslashes($this->ref)."'";
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND s.rowid = te.fk_soc AND sc.fk_user = " .$user->id;
if (isset($filter)) $sql.=" AND ".$filter;
if ($this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
if ($this->ismultientitymanaged > 0) $sql.= ' AND entity IN (0,'.$conf->entity.')';
if ($this->ismultientitymanaged > 0) $sql.= ' AND te.entity IN (0,'.$conf->entity.')';
//print $sql."<br>";
print $sql."<br>";
$result = $this->db->query($sql) ;
if (! $result)
{
@@ -441,13 +443,15 @@ class CommonObject
$this->ref_previous = $row[0];
$sql = "SELECT MIN(".$fieldid.")";
$sql = "SELECT MIN(te.".$fieldid.")";
$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
if ($this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if ($this->ismultientitymanaged == 2 || (!$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc";
$sql.= " WHERE te.".$fieldid." > '".addslashes($this->ref)."'";
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND s.rowid = te.fk_soc AND sc.fk_user = " .$user->id;
if (isset($filter)) $sql.=" AND ".$filter;
if ($this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
if ($this->ismultientitymanaged > 0) $sql.= ' AND entity IN (0,'.$conf->entity.')';
if ($this->ismultientitymanaged > 0) $sql.= ' AND te.entity IN (0,'.$conf->entity.')';
// Rem: Bug in some mysql version: SELECT MIN(rowid) FROM llx_socpeople WHERE rowid > 1 when one row in database with rowid=1, returns 1 instead of null
//print $sql."<br>";
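Review bot: The debug line `print $sql."<br>";` at the end of the MAX query (the uncommented twin of `//print $sql."<br>";`, which reads as the new side under the old-then-new rendering) writes the complete query text — table prefix, the current ref, the user's id and entity — into the HTML response; the MIN branch below keeps the line commented and this one should too. The new `societe_commerciaux` join and the `s.rowid = te.fk_soc` condition only make sense when the element's table has an `fk_soc` column, yet they are gated on `!$this->isnolinkedbythird`, so a CommonObject subclass that never declares that property (this commit adds it to Product only) gets a null flag and the join runs against a table that may lack the column; declaring a default on CommonObject, or checking every subclass, would close that gap — hedged, because CommonObject's property list is outside the hunks. `sc.fk_user = " .$user->id` would also be safer as `sc.fk_user = ".(int) $user->id`. load_previous_next_ref continues past the last hunk.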


@@ -53,11 +53,12 @@ $projetid=isset($_GET['projetid'])?$_GET['projetid']:0;
// Security check
$socid=isset($_GET['socid'])?$_GET['socid']:$_POST['socid'];
$facid = isset($_GET["facid"])?$_GET["facid"]:'';
$facid = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
$fieldid = isset($_GET["ref"])?'facnumber':'rowid';
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'facture', $facid,'');
$result = restrictedArea($user, 'facture', $facid,'','','fk_soc',$fieldid);
// Nombre de ligne pour choix de produit/service pr<EFBFBD>d<EFBFBD>finis
// Nombre de ligne pour choix de produit/service predefinis
$NBLINES=4;
$usehm=$conf->global->MAIN_USE_HOURMIN_IN_DATE_RANGE;
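Review bot: `$fieldid` is chosen solely on whether `ref` is present, but the line above takes `$facid` from `id` first, so a request carrying both parameters has restrictedArea compare a numeric rowid against the `facnumber` column; derive both from the same decision, `$fieldid = (!isset($_GET["id"]) && isset($_GET["ref"])) ? 'facnumber' : 'rowid';`. When `ref` is used, `$facid` is a free-form string that restrictedArea (third file) concatenates unquoted into `WHERE dbt.<col> = ...`; the escaping belongs in that function, but this caller should not forward a value it has not validated either.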


@@ -1631,17 +1631,20 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
}
// If we have a particular object to check permissions on
if ($objectid > 0)
if (!empty($objectid))
{
foreach ($features as $feature)
{
$sql='';
$check = array('user','usergroup','produit','service','produit|service');
$nocheck = array('categorie','barcode','stock','fournisseur');
// If dbtable not defined, we use same name for table than module name
if (empty($dbtablename)) $dbtablename = $feature;
// Check permission for object with entity
if ($feature == 'user' || $feature == 'usergroup' || $feature == 'produit' || $feature == 'service' || $feature == 'produit|service')
if (in_array($feature,$check))
{
$sql = "SELECT dbt.".$dbt_select;
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
@@ -1675,7 +1678,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
$sql.= " AND s.entity = ".$conf->entity;
}
}
else
else if (!in_array($feature,$nocheck))
{
// If external user: Check permission for external users
if ($user->societe_id > 0)
@@ -1692,7 +1695,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql.= ", ".MAIN_DB_PREFIX."societe as s";
$sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql.= " WHERE dbt.rowid = ".$objectid;
$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
$sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
$sql.= " AND dbt.fk_soc = s.rowid";
$sql.= " AND s.entity = ".$conf->entity;
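Review bot: `$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;` concatenates `$objectid` unquoted, and because the guard above was relaxed from `$objectid > 0` to `!empty($objectid)` the function now accepts the free-form `ref` string the invoice page (second file) passes in; a non-numeric ref breaks the query and a crafted one alters it. Quote and escape when the key column is not numeric, e.g. `$objvalue = ($dbt_select == 'rowid') ? (int) $objectid : "'".addslashes($objectid)."'";` followed by `$sql.= " WHERE dbt.".$dbt_select." = ".$objvalue;` — addslashes being the escaping the first file already uses on `$this->ref`. `$dbt_select` and `$dbt_keyfield` are likewise spliced in as raw column names; since restrictedArea is a shared library function, validating them against a short list of permitted columns is cheap insurance. The two `in_array($feature, ...)` calls should pass `true` as the third argument so a feature name is matched by identity. The `$check` branch above builds its own query, whose WHERE clause is outside the hunks and may carry the same unquoted comparison.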


@@ -37,10 +37,11 @@ class Product extends CommonObject
{
var $db;
var $error;
//! Numero de l'erreur
//! Error number
var $errno = 0;
var $element='product';
var $table_element='product';
var $isnolinkedbythird = 1; // No field fk_soc
var $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
//! Identifiant unique