diff --git a/htdocs/core/menubase.class.php b/htdocs/core/menubase.class.php
index 5932df2b7ac..d273bbbb671 100644
--- a/htdocs/core/menubase.class.php
+++ b/htdocs/core/menubase.class.php
@@ -426,7 +426,7 @@ class Menubase
if ($menu['enabled'])
{
$enabled = $this->verifCond($menu['enabled']);
- //print "verifCond rowid=".$menu['rowid']." ".$menu['action'].":".$constraint."
\n";
+ //print "verifCond rowid=".$menu['rowid']." ".$menu['enabled'].":".$enabled."
\n";
}
if ($menu['rowid'] != $oldrowid && $oldrowid) $b++; // Break on new entry
@@ -461,12 +461,14 @@ class Menubase
// Get menutopid
$menutopid='';
+
$sql = "SELECT m.rowid, m.titre, m.type";
$sql.= " FROM " . MAIN_DB_PREFIX . "menu as m";
$sql.= " WHERE m.mainmenu = '".$mainmenu."'";
$sql.= " AND m.menu_handler in('".$menu_handler."','all')";
$sql.= " AND m.entity = ".$conf->entity;
$sql.= " AND type = 'top'";
+
// It should have only one response
$resql = $this->db->query($sql);
$menutop = $this->db->fetch_object($resql);
@@ -546,7 +548,7 @@ class Menubase
{
$rights = true;
}
-
+
return $rights;
}
diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php
index 301fb124194..58351988bbc 100644
--- a/htdocs/ecm/index.php
+++ b/htdocs/ecm/index.php
@@ -41,6 +41,10 @@ $langs->load("propal");
$langs->load("bills");
$langs->load("contracts");
+// Security check
+if ($user->societe_id) $socid=$user->societe_id;
+$result = restrictedArea($user, 'ecm','');
+
// Load permissions
$user->getrights('ecm');
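Review bot: The new restrictedArea() call runs before `$user->getrights('ecm');` on the following line, yet the ecm branch added to restrictedArea() in this same commit tests `$user->rights->ecm->download`; if the ecm rights are not already loaded on `$user` at that point (they may be from login — cannot tell from here), the check would deny every request or at best emit a notice on the missing property. Loading permissions first makes the ordering safe: `$user->getrights('ecm');` then `$result = restrictedArea($user, 'ecm', 0);`. `$result` is assigned but never inspected in the visible lines; if restrictedArea() does not itself terminate the request on denial (its tail is outside this diff), the page keeps rendering, so either check the return value or confirm the exit behaviour. Passing `''` for `$objectid` where the signature defaults to `0` is harmless but `0` is clearer.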
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index b137e4533de..014d9b3a0f4 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -1357,6 +1357,10 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='',
{
if (! $user->rights->banque->cheque) $readok=0;
}
+ else if ($feature == 'ecm')
+ {
+ if (! $user->rights->ecm->download) $readok=0;
+ }
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->lire)
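Review bot: The new ecm branch dereferences `$user->rights->ecm->download` directly, whereas the generic branch immediately below guards with `empty()`; when the ecm rights are not loaded on `$user` (module disabled, rights not yet fetched) the direct access raises a notice on `$user->rights->ecm` before it denies. Writing it as `if (empty($user->rights->ecm->download)) $readok=0;` keeps the fail-closed result and matches the existing style of the function. This also gates the whole `ecm` feature on the single `download` right; whether upload or delete actions get a separate write check is not visible here, since restrictedArea() continues outside the hunk.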
diff --git a/htdocs/user.class.php b/htdocs/user.class.php
index a88b28c2286..a89042ef964 100644
--- a/htdocs/user.class.php
+++ b/htdocs/user.class.php
@@ -490,9 +490,12 @@ class User extends CommonObject
// D'abord les droits utilisateurs
$sql = "SELECT r.module, r.perms, r.subperms";
- $sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur, ".MAIN_DB_PREFIX."rights_def as r";
- $sql.= " WHERE r.id = ur.fk_id AND ur.fk_user= ".$this->id." AND r.perms IS NOT NULL";
+ $sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur";
+ $sql.= ", ".MAIN_DB_PREFIX."rights_def as r";
+ $sql.= " WHERE r.id = ur.fk_id";
$sql.= " AND r.entity = ".$conf->entity;
+ $sql.= " AND ur.fk_user= ".$this->id;
+ $sql.= " AND r.perms IS NOT NULL";
if ($moduletag) $sql.= " AND r.module = '".addslashes($moduletag)."'";
dol_syslog('User::getRights sql='.$sql, LOG_DEBUG);
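Review bot: The rewritten `" AND ur.fk_user= ".$this->id` line still concatenates the id into the query with no numeric cast, as does `" AND r.entity = ".$conf->entity` on the context line above it; since these lines are being reshaped anyway, `$sql.= " AND ur.fk_user= ".(int) $this->id;` would pin the integer context at no cost. `$this->id` is presumably set from an earlier fetch rather than from request input, so the exposure is likely low, but the cast documents that invariant. The unchanged `addslashes($moduletag)` is not a database-aware escape; if the `$this->db` layer offers an escape method it would be the consistent choice, though that is not visible here. The method's body continues past the end of the hunk.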