From cbbe909bc58f028ab3a76156171d2ff8202ca8a9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 12 Oct 2014 15:22:07 +0200
Subject: [PATCH] Fix: Pb in management of "or" ("|") for permission check.

---
 htdocs/compta/charges/index.php  | 10 +++++-----
 htdocs/core/lib/security.lib.php | 12 +++++++++---
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/htdocs/compta/charges/index.php b/htdocs/compta/charges/index.php
index f38f7e72aa2..a3803e853ba 100644
--- a/htdocs/compta/charges/index.php
+++ b/htdocs/compta/charges/index.php
@@ -111,7 +111,7 @@ if ($conf->salaries->enabled)
 		    $total = 0 ;
 		    print '<table class="noborder" width="100%">';
 		    print '<tr class="liste_titre">';
-			  print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"s.datev","",$param,'width="120"',$sortfield,$sortorder);
+			  print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"s.datev","",$param,'width="140px"',$sortfield,$sortorder);
 			  print_liste_field_titre($langs->trans("Label"),$_SERVER["PHP_SELF"],"s.label","",$param,'',$sortfield,$sortorder);
 			  print_liste_field_titre($langs->trans("ExpectedToPay"),$_SERVER["PHP_SELF"],"s.amount","",$param,'align="right"',$sortfield,$sortorder);
 			  print_liste_field_titre($langs->trans("RefPayment"),$_SERVER["PHP_SELF"],"s.rowid","",$param,'',$sortfield,$sortorder);
@@ -144,7 +144,7 @@ if ($conf->salaries->enabled)
 
 		        $i++;
 		    }
-		    print '<tr class="liste_total"><td align="right" colspan="2">'.$langs->trans("Total").'</td>';
+		    print '<tr class="liste_total"><td colspan="2">'.$langs->trans("Total").'</td>';
 		    print '<td align="right">'.price($total)."</td>";
 		    print '<td align="center">&nbsp;</td>';
 		    print '<td align="center">&nbsp;</td>';
@@ -174,7 +174,7 @@ if ($conf->tax->enabled)
 
 	print '<table class="noborder" width="100%">';
 	print '<tr class="liste_titre">';
-	print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"cs.date_ech","",$param,'width="120"',$sortfield,$sortorder);
+	print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"cs.date_ech","",$param,'width="140px"',$sortfield,$sortorder);
 	print_liste_field_titre($langs->trans("Label"),$_SERVER["PHP_SELF"],"c.libelle","",$param,'',$sortfield,$sortorder);
 	print_liste_field_titre($langs->trans("Type"),$_SERVER["PHP_SELF"],"cs.fk_type","",$param,'',$sortfield,$sortorder);
 	print_liste_field_titre($langs->trans("ExpectedToPay"),$_SERVER["PHP_SELF"],"cs.amount","",$param,'align="right"',$sortfield,$sortorder);
@@ -304,7 +304,7 @@ if ($conf->tax->enabled)
 		    $total = 0 ;
 		    print '<table class="noborder" width="100%">';
 		    print '<tr class="liste_titre">';
-			print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"pv.datev","",$param,'width="120"',$sortfield,$sortorder);
+			print_liste_field_titre($langs->trans("PeriodEndDate"),$_SERVER["PHP_SELF"],"pv.datev","",$param,'width="140px"',$sortfield,$sortorder);
 			print_liste_field_titre($langs->trans("Label"),$_SERVER["PHP_SELF"],"pv.label","",$param,'',$sortfield,$sortorder);
 			print_liste_field_titre($langs->trans("ExpectedToPay"),$_SERVER["PHP_SELF"],"pv.amount","",$param,'align="right"',$sortfield,$sortorder);
 			print_liste_field_titre($langs->trans("RefPayment"),$_SERVER["PHP_SELF"],"pv.rowid","",$param,'',$sortfield,$sortorder);
@@ -337,7 +337,7 @@ if ($conf->tax->enabled)
 
 		        $i++;
 		    }
-		    print '<tr class="liste_total"><td align="right" colspan="2">'.$langs->trans("Total").'</td>';
+		    print '<tr class="liste_total"><td colspan="2">'.$langs->trans("Total").'</td>';
 		    print '<td align="right">'.price($total)."</td>";
 		    print '<td align="center">&nbsp;</td>';
 		    print '<td align="center">&nbsp;</td>';
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 31e900f8e7e..7416d564a1a 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -174,11 +174,17 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
         }
         else if (! empty($feature2))	// This should be used for future changes
         {
+           	$tmpreadok=1;
         	foreach($feature2 as $subfeature)
         	{
-        		if (! empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $readok=0; $nbko++; }
-        		else if (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $readok=0; $nbko++; }
-        		else { $readok=1; break; } // Break is to bypass second test if the first is ok
+        		if (! empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $tmpreadok=0; }
+        		else if (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $tmpreadok=0; }
+        		else { $tmpreadok=1; break; } // Break is to bypass second test if the first is ok
+        	}
+        	if (! $tmpreadok)	// We found a test on feature that is ko
+        	{
+        		$readok=0;	// All tests are ko (we manage here the and, the or will be managed later using $nbko).
+        		$nbko++;
         	}
         }
         else if (! empty($feature) && ($feature!='user' && $feature!='usergroup'))		// This is for old permissions

'.$langs->trans("Total").'
'.$langs->trans("Total").'		'.price($total)."