diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 2d46f6b3c8b..cdceab83dc1 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -902,14 +902,14 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl $checkonentitydone = 0; // Array to define rules of checks to do - $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'payment_sc', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales', 'knowledgemanagement'); // Test on entity only (Objects with no link to company) + $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'payment_sc', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales', 'knowledgemanagement', 'stock'); // Test on entity only (Objects with no link to company) $checksoc = array('societe'); // Test for object Societe $checkparentsoc = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet', 'project'); // Test for project object $checktask = array('projet_task', 'project_task'); // Test for task object $checkhierarchy = array('expensereport', 'holiday', 'hrm'); // check permission among the hierarchy of user $checkuser = array('bookmark'); // check permission among the fk_user (must be myself or null) - $nocheck = array('barcode', 'stock'); // No test + $nocheck = array('barcode'); // No test //$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...). 
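Review bot: With `'stock'` moved from `$nocheck` to `$check`, the entity test depends on each caller passing a table name in the fourth argument, and nothing in this hunk records that requirement. The three pages updated in this commit pass `'inventory&stock'` or `'entrepot&stock'`. Any other caller that passes an object id with feature `'stock'` and an empty table argument would presumably get a table name derived from the feature; confirm this, since the body of checkUserAccessToObject continues outside the hunk. I would audit the remaining `restrictedArea($user, 'stock', ...)` call sites and extend the trailing comment on the `$check` line, e.g. `// Test on entity only (Objects with no link to company). 'stock' callers must pass the table, e.g. 'entrepot&stock'`.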
diff --git a/htdocs/product/inventory/card.php b/htdocs/product/inventory/card.php index 79d7b21757e..37285af1974 100644 --- a/htdocs/product/inventory/card.php +++ b/htdocs/product/inventory/card.php @@ -42,9 +42,9 @@ $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'inv $backtopage = GETPOST('backtopage', 'alpha'); if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { - $result = restrictedArea($user, 'stock', $id); + $result = restrictedArea($user, 'stock', $id, 'inventory&stock'); } else { - $result = restrictedArea($user, 'stock', $id, '', 'inventory_advance'); + $result = restrictedArea($user, 'stock', $id, 'inventory&stock', 'inventory_advance'); } // Initialize technical objects diff --git a/htdocs/product/inventory/inventory.php b/htdocs/product/inventory/inventory.php index e9ddf7ad877..1bd941aa1fe 100644 --- a/htdocs/product/inventory/inventory.php +++ b/htdocs/product/inventory/inventory.php @@ -59,9 +59,9 @@ $batch = GETPOST('batch', 'alphanohtml'); $totalExpectedValuation = 0; $totalRealValuation = 0; if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { - $result = restrictedArea($user, 'stock', $id); + $result = restrictedArea($user, 'stock', $id, 'inventory&stock'); } else { - $result = restrictedArea($user, 'stock', $id, '', 'inventory_advance'); + $result = restrictedArea($user, 'stock', $id, 'inventory&stock', 'inventory_advance'); } // Initialize technical objects diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 5baf343556e..3736b0296f7 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php 
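Review bot: Both `restrictedArea()` calls in htdocs/product/inventory/card.php run the entity test on `$id` only, so if the page can also load its object through another request parameter such as a ref (not visible in this hunk), that path would not be covered by the new check. The same applies to the identical change in htdocs/product/inventory/inventory.php and to the call in htdocs/product/stock/card.php. Confirm how `$id` is populated above the hunk, and consider running the check after the object is fetched, against the fetched object's id. A short comment above the `if`, for example `// Security check: entity test on the inventory row, shared through 'stock'`, would also record why the fourth argument must not be left empty.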
@@ -70,8 +70,7 @@ if (!$sortorder) { $backtopage = GETPOST('backtopage', 'alpha'); // Security check -//$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); -$result = restrictedArea($user, 'stock'); +$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('warehousecard', 'globalcard'));
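Review bot: The re-enabled line `$result=restrictedArea($user,'stock', $id, 'entrepot&stock');` keeps the spacing of the old commented-out code, so it matches neither the line it replaces nor the calls added to the inventory pages in this commit. Write it as `$result = restrictedArea($user, 'stock', $id, 'entrepot&stock');`. Behaviour is unchanged; this is only about keeping the security check formatted like the other call sites so it is easy to find when grepping.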