New: Task #10725

htdocs/lib/functions.lib.php

@@ -1573,6 +1573,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 
 	// More features to check
 	$features = explode("&",$features);
+	//var_dump($features);
 
 	// Check read permission from module
 	// TODO Replace "feature" param by permission for reading
@@ -1633,8 +1634,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 
 	// Check write permission from module
 	$createok=1;
-	if ( (isset($_GET["action"])  && $_GET["action"]  == 'create')
-	|| (isset($_POST["action"]) && $_POST["action"] == 'create') )
+	if ( GETPOST("action") && GETPOST("action")  == 'create')
 	{
 		foreach ($features as $feature)
 		{
@@ -1673,6 +1673,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 			}
 			else if (! empty($feature))		// This is for old permissions
 			{
+				//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
 				if (empty($user->rights->$feature->creer)
 				&& empty($user->rights->$feature->write)) $createok=0;
 			}

htdocs/user/fiche.php

@@ -51,10 +51,16 @@ if ($_GET["id"])
 	|| (($user->id != $_GET["id"]) && $user->rights->user->user->password) );
 }
 
+$action=GETPOST("action");
+$confirm=GETPOST("confirm");
+
 // Security check
 $socid=0;
-if ($user->societe_id > 0) $socid = $user->societe_id;
-$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+if ($user->societe_id > 0)
+{
+	$socid = $user->societe_id;
+	$feature2='user';
+}
 if ($user->id == $_GET["id"])	// A user can always read its own card
 {
 	$feature2='';
@@ -67,8 +73,6 @@ $langs->load("users");
 $langs->load("companies");
 $langs->load("ldap");
 
-$action=isset($_GET["action"])?$_GET["action"]:$_POST["action"];
-
 $form = new Form($db);
 
 // Define size of logo small and mini (might be set into other pages)
@@ -95,7 +99,7 @@ if ($_GET["subaction"] == 'delrights' && $canedituser)
 	$edituser->delrights($_GET["rights"]);
 }
 
-if ($_REQUEST["action"] == 'confirm_disable' && $_REQUEST["confirm"] == "yes")
+if ($action == 'confirm_disable' && $confirm == "yes")
 {
 	if ($_GET["id"] <> $user->id)
 	{
@@ -106,7 +110,7 @@ if ($_REQUEST["action"] == 'confirm_disable' && $_REQUEST["confirm"] == "yes")
 		exit;
 	}
 }
-if ($_REQUEST["action"] == 'confirm_enable' && $_REQUEST["confirm"] == "yes")
+if ($action == 'confirm_enable' && $confirm == "yes")
 {
 	if ($_GET["id"] <> $user->id)
 	{
@@ -133,7 +137,7 @@ if ($_REQUEST["action"] == 'confirm_enable' && $_REQUEST["confirm"] == "yes")
 	}
 }
 
-if ($_REQUEST["action"] == 'confirm_delete' && $_REQUEST["confirm"] == "yes")
+if ($action == 'confirm_delete' && $confirm == "yes")
 {
 	if ($_GET["id"] <> $user->id)
 	{
@@ -370,8 +374,8 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"])
 }
 
 // Change password with a new generated one
-if ((($_REQUEST["action"] == 'confirm_password' && $_REQUEST["confirm"] == 'yes')
-|| ($_REQUEST["action"] == 'confirm_passwordsend' && $_REQUEST["confirm"] == 'yes')) && $caneditpassword)
+if ((($action == 'confirm_password' && $confirm == 'yes')
+|| ($action == 'confirm_passwordsend' && $confirm == 'yes')) && $caneditpassword)
 {
 	$edituser = new User($db);
 	$edituser->fetch($_GET["id"]);
@@ -385,7 +389,7 @@ if ((($_REQUEST["action"] == 'confirm_password' && $_REQUEST["confirm"] == 'yes'
 	else
 	{
 		// Succes
-		if ($_REQUEST["action"] == 'confirm_passwordsend' && $_REQUEST["confirm"] == 'yes')
+		if ($action == 'confirm_passwordsend' && $confirm == 'yes')
 		{
 			if ($edituser->send_password($user,$newpassword) > 0)
 			{