From 7708f967f8e6cf8da4fffcb61d0f189229150d81 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 28 Apr 2009 06:49:44 +0000 Subject: [PATCH] Fix: security --- htdocs/core/menubase.class.php | 6 ++++-- htdocs/ecm/index.php | 4 ++++ htdocs/lib/functions.lib.php | 4 ++++ htdocs/user.class.php | 7 +++++-- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/htdocs/core/menubase.class.php b/htdocs/core/menubase.class.php index 5932df2b7ac..d273bbbb671 100644 --- a/htdocs/core/menubase.class.php +++ b/htdocs/core/menubase.class.php @@ -426,7 +426,7 @@ class Menubase if ($menu['enabled']) { $enabled = $this->verifCond($menu['enabled']); - //print "verifCond rowid=".$menu['rowid']." ".$menu['action'].":".$constraint."
\n"; + //print "verifCond rowid=".$menu['rowid']." ".$menu['enabled'].":".$enabled."
\n"; } if ($menu['rowid'] != $oldrowid && $oldrowid) $b++; // Break on new entry @@ -461,12 +461,14 @@ class Menubase // Get menutopid $menutopid=''; + $sql = "SELECT m.rowid, m.titre, m.type"; $sql.= " FROM " . MAIN_DB_PREFIX . "menu as m"; $sql.= " WHERE m.mainmenu = '".$mainmenu."'"; $sql.= " AND m.menu_handler in('".$menu_handler."','all')"; $sql.= " AND m.entity = ".$conf->entity; $sql.= " AND type = 'top'"; + // It should have only one response $resql = $this->db->query($sql); $menutop = $this->db->fetch_object($resql); @@ -546,7 +548,7 @@ class Menubase { $rights = true; } - + return $rights; } diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php index 301fb124194..58351988bbc 100644 --- a/htdocs/ecm/index.php +++ b/htdocs/ecm/index.php @@ -41,6 +41,10 @@ $langs->load("propal"); $langs->load("bills"); $langs->load("contracts"); +// Security check +if ($user->societe_id) $socid=$user->societe_id; +$result = restrictedArea($user, 'ecm',''); + // Load permissions $user->getrights('ecm'); diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php index b137e4533de..014d9b3a0f4 100644 --- a/htdocs/lib/functions.lib.php +++ b/htdocs/lib/functions.lib.php @@ -1357,6 +1357,10 @@ function restrictedArea($user, $feature='societe', $objectid=0, $dbtablename='', { if (! $user->rights->banque->cheque) $readok=0; } + else if ($feature == 'ecm') + { + if (! $user->rights->ecm->download) $readok=0; + } else if (! empty($feature2)) // This should be used for future changes { if (empty($user->rights->$feature->$feature2->lire) diff --git a/htdocs/user.class.php b/htdocs/user.class.php index a88b28c2286..a89042ef964 100644 --- a/htdocs/user.class.php +++ b/htdocs/user.class.php 
@@ -490,9 +490,12 @@ class User extends CommonObject // D'abord les droits utilisateurs $sql = "SELECT r.module, r.perms, r.subperms"; - $sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur, ".MAIN_DB_PREFIX."rights_def as r"; - $sql.= " WHERE r.id = ur.fk_id AND ur.fk_user= ".$this->id." AND r.perms IS NOT NULL"; + $sql.= " FROM ".MAIN_DB_PREFIX."user_rights as ur"; + $sql.= ", ".MAIN_DB_PREFIX."rights_def as r"; + $sql.= " WHERE r.id = ur.fk_id"; $sql.= " AND r.entity = ".$conf->entity; + $sql.= " AND ur.fk_user= ".$this->id; + $sql.= " AND r.perms IS NOT NULL"; if ($moduletag) $sql.= " AND r.module = '".addslashes($moduletag)."'"; dol_syslog('User::getRights sql='.$sql, LOG_DEBUG);
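Review bot: The reordered WHERE clause still interpolates `$this->id` and `$conf->entity` unquoted and uncast (`" AND ur.fk_user= ".$this->id`); an empty `$this->id` produces `fk_user= AND`, a SQL syntax error, and a non-numeric value is spliced in verbatim. Casting both makes the query fail closed: `$sql.= " AND r.entity = ".(int) $conf->entity;` and `$sql.= " AND ur.fk_user = ".(int) $this->id;`. `addslashes($moduletag)` is not a charset-aware database escape; if the DB wrapper exposes an escape method, it belongs here instead. getrights() starts before this hunk and continues past it.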