diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 98247a704c4..68f500a6d44 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -2746,7 +2746,7 @@ class Commande extends CommonOrder
 }
 $sql .= " WHERE c.entity IN (".getEntity('commande').")";
 $sql .= " AND c.fk_soc = s.rowid";
- if (!$user->hasRight('societe', 'client', 'voir')) { //restriction
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 if ($socid) {
diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php
index 83884afc340..84d49a433bf 100644
--- a/htdocs/compta/index.php
+++ b/htdocs/compta/index.php
@@ -292,12 +292,12 @@ if ((isModEnabled('fournisseur') && !getDolGlobalString('MAIN_USE_NEW_SUPPLIERMO
 $sql .= ", SUM(pf.amount) as am";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_fourn as ff";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as pf on ff.rowid=pf.fk_facturefourn";
- if (!$user->hasRight('societe', 'client', 'voir') && !$socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 }
 $sql .= " WHERE s.rowid = ff.fk_soc";
- $sql .= " AND ff.entity = ".$conf->entity;
- if (!$user->hasRight('societe', 'client', 'voir') && !$socid) {
+ $sql .= " AND ff.entity IN (".getEntity('facture_fourn').")";
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 if ($socid) {
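Review bot: In the compta/index.php hunk, dropping `&& !$socid` means a user without societe->client->voir is now always restricted through `sc.fk_user = $user->id`, and per the user.class.php hunk in this same commit every external user now falls into that group. If, as is usual, an external user is not listed in societe_commerciaux for their own company, the supplier-invoice query returns no rows for them, whereas before the `!$socid` exception let them see their own thirdparty's data (the `if ($socid)` filter that follows still applies). If that is intended, say so next to the join, e.g. `// External users have no sales-rep row and get no supplier invoices here`; if not, widen the restriction to `" AND (sc.fk_user = ".((int) $user->id)." OR s.rowid = ".((int) $user->socid).")"` so an external user still sees their own company. The enclosing `if ((isModEnabled('fournisseur') ...` block starts and ends outside the hunk.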
@@ -602,15 +602,15 @@ if (isModEnabled('facture') && isModEnabled('commande') && $user->hasRight("comm
 $sql .= ", c.rowid, c.ref, c.facture, c.fk_statut as status, c.total_ht, c.total_tva, c.total_ttc,";
 $sql .= " cc.rowid as country_id, cc.code as country_code";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s LEFT JOIN ".MAIN_DB_PREFIX."c_country as cc ON cc.rowid = s.fk_pays";
- if (!$user->hasRight('societe', 'client', 'voir') && !$socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 }
 $sql .= ", ".MAIN_DB_PREFIX."commande as c";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."element_element as el ON el.fk_source = c.rowid AND el.sourcetype = 'commande'";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."facture AS f ON el.fk_target = f.rowid AND el.targettype = 'facture'";
 $sql .= " WHERE c.fk_soc = s.rowid";
- $sql .= " AND c.entity = ".$conf->entity;
- if (!$user->hasRight('societe', 'client', 'voir') && !$socid) {
+ $sql .= " AND c.entity IN (".getEntity('commande').")";
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 if ($socid) {
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index 09c70be50c3..8ecd25f94ae 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -504,7 +504,7 @@ $parameters = array();
 $reshook = $hookmanager->executeHooks('printFieldListFrom', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
 $sql .= $hookmanager->resPrint;
 $sql .= ' WHERE p.entity IN ('.getEntity('contact').')';
-if (!$user->hasRight('societe', 'client', 'voir')) { //restriction
+if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= " AND (sc.fk_user = ".((int) $user->id)." OR p.fk_soc IS NULL)";
 }
 if (!empty($userid)) { // propre au commercial
diff --git a/htdocs/core/boxes/box_graph_invoices_permonth.php b/htdocs/core/boxes/box_graph_invoices_permonth.php
index 4b00c9944c1..1701dad9f48 100644
--- a/htdocs/core/boxes/box_graph_invoices_permonth.php
+++ b/htdocs/core/boxes/box_graph_invoices_permonth.php
@@ -99,7 +99,7 @@ class box_graph_invoices_permonth extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-'; // If user has no permission to see all, output dir is specific to user
 }
diff --git a/htdocs/core/boxes/box_graph_invoices_peryear.php b/htdocs/core/boxes/box_graph_invoices_peryear.php
index cf92c4b38d0..926181eaac4 100644
--- a/htdocs/core/boxes/box_graph_invoices_peryear.php
+++ b/htdocs/core/boxes/box_graph_invoices_peryear.php
@@ -97,7 +97,7 @@ class box_graph_invoices_peryear extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-';
 } // If user has no permission to see all, output dir is specific to user
diff --git a/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php b/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php
index 655eaef5e6a..f8e2d58afdd 100644
--- a/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php
+++ b/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php
@@ -98,7 +98,7 @@ class box_graph_invoices_supplier_permonth extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-'; // If user has no permission to see all, output dir is specific to user
 }
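Review bot: With `|| $socid` removed from the private-prefix condition, whether an external user's graph file gets the `private-<id>-` prefix now rests entirely on `hasRight('societe', 'client', 'voir')` returning false for users with a `socid`, a guarantee this commit adds in user.class.php but which is not enforced here. If that guarantee ever regresses, a graph presumably filtered to `$socid` (set from `$user->socid` two lines above) would be written under the shared file name and could be served to, or overwrite the graph of, other users. The box can keep a local belt-and-braces check without re-introducing the per-filter case: `if (!$user->hasRight('societe', 'client', 'voir') || !empty($user->socid)) {`. The same applies to the five other box_graph_* hunks in this commit; the enclosing method of each starts and ends outside the hunk.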
diff --git a/htdocs/core/boxes/box_graph_orders_permonth.php b/htdocs/core/boxes/box_graph_orders_permonth.php
index 3b6dd8eec70..f9b5f7605d2 100644
--- a/htdocs/core/boxes/box_graph_orders_permonth.php
+++ b/htdocs/core/boxes/box_graph_orders_permonth.php
@@ -99,7 +99,7 @@ class box_graph_orders_permonth extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-'; // If user has no permission to see all, output dir is specific to user
 }
diff --git a/htdocs/core/boxes/box_graph_orders_supplier_permonth.php b/htdocs/core/boxes/box_graph_orders_supplier_permonth.php
index 85e3d42d66a..f32105903a0 100644
--- a/htdocs/core/boxes/box_graph_orders_supplier_permonth.php
+++ b/htdocs/core/boxes/box_graph_orders_supplier_permonth.php
@@ -98,7 +98,7 @@ class box_graph_orders_supplier_permonth extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-'; // If user has no permission to see all, output dir is specific to user
 }
diff --git a/htdocs/core/boxes/box_graph_propales_permonth.php b/htdocs/core/boxes/box_graph_propales_permonth.php
index 04c1082e80b..367e61252f9 100644
--- a/htdocs/core/boxes/box_graph_propales_permonth.php
+++ b/htdocs/core/boxes/box_graph_propales_permonth.php
@@ -101,7 +101,7 @@ class box_graph_propales_permonth extends ModeleBoxes
 if ($user->socid) {
 $socid = $user->socid;
 }
- if (!$user->hasRight('societe', 'client', 'voir') || $socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $prefix .= 'private-'.$user->id.'-'; // If user has no permission to see all, output dir is specific to user
 }
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 443e3158683..32f7987c610 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -3014,7 +3014,7 @@ class Product extends CommonObject
 $sql .= " AND p.fk_soc = s.rowid";
 $sql .= " AND p.entity IN (".getEntity('propal').")";
 $sql .= " AND pd.fk_product = ".((int) $this->id);
- if (!$user->hasRight('societe', 'client', 'voir') && !$socid) {
+ if (!$user->hasRight('societe', 'client', 'voir')) {
 $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 //$sql.= " AND pr.fk_statut != 0";
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index a5dc591b4e4..cefadcb4824 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -2833,7 +2833,7 @@ class Societe extends CommonObject
 */
 public function getNomUrl($withpicto = 0, $option = '', $maxlen = 0, $notooltip = 0, $save_lastsearch_value = -1, $noaliasinname = 0, $target = '')
 {
- global $conf, $langs, $hookmanager;
+ global $conf, $langs, $hookmanager, $user;
 if (!empty($conf->dol_no_mouse_hover)) {
 $notooltip = 1; // Force disable tooltips
@@ -2946,7 +2946,6 @@ class Societe extends CommonObject
 $linkstart .= $linkclose.'>';
 $linkend = '';
- global $user;
 if (!$user->hasRight('societe', 'client', 'voir') && $user->socid > 0 && $this->id != $user->socid) {
 $linkstart = '';
 $linkend = '';
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index b53596be705..b93d58a647e 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -816,6 +816,13 @@ class User extends CommonObject
 return 0;
 }
+ // Special case for external user
+ if (!empty($this->socid)) {
+ if ($module = 'societe' && $permlevel1 = 'client' && $permlevel2 == 'voir') {
+ return 0; // An external user never has the permission ->societe->client->voir to see all thirdparties (always restricted to himself)
+ }
+ }
+
 // For compatibility with bad naming permissions on permlevel1
 if ($permlevel1 == 'propale') {
 $permlevel1 = 'propal';
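Review bot: The added condition `if ($module = 'societe' && $permlevel1 = 'client' && $permlevel2 == 'voir')` uses assignment `=` for the first two comparisons; since `&&` binds tighter than `=`, PHP evaluates it as `$module = ('societe' && ($permlevel1 = ('client' && $permlevel2 == 'voir')))`, so the only thing actually tested is `$permlevel2 == 'voir'` and both `$module` and `$permlevel1` are overwritten with booleans on every call made by an external user. The effect is that an external user gets 0 for any `hasRight(X, Y, 'voir')` whatever module X is, and every other permission check for that user continues with `$module` and `$permlevel1` set to `false`, so the narrow "societe->client->voir only" rule the comment describes is not what ships, and the other hunks in this commit rely on this method for their access restriction. The line should be `if ($module == 'societe' && $permlevel1 == 'client' && $permlevel2 == 'voir') {` (or `===`, since the parameters are strings). The enclosing permission-check method begins and ends outside the hunk.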