diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php
index eb1852699c0..62fb6002760 100644
--- a/htdocs/bom/bom_list.php
+++ b/htdocs/bom/bom_list.php
@@ -76,18 +76,6 @@ if (!$sortorder) {
 $sortorder = "ASC";
 }
-// Security check
-if (empty($conf->bom->enabled)) {
- accessforbidden('Module not enabled');
-}
-$socid = 0;
-if ($user->socid > 0) {
- // Protection if external user
- //$socid = $user->socid;
- accessforbidden();
-}
-//$result = restrictedArea($user, 'bom', $id, '');
-
 // Initialize array of search criterias
 $search_all = GETPOST("search_all", 'alpha');
 $search = array();
@@ -133,6 +121,13 @@ $permissiontoread = $user->rights->bom->read;
 $permissiontoadd = $user->rights->bom->write;
 $permissiontodelete = $user->rights->bom->delete;
+// Security check
+if ($user->socid > 0) {
+ // Protection if external user
+ accessforbidden();
+}
+$result = restrictedArea($user, 'bom');
+
 /*
  * Actions
diff --git a/htdocs/eventorganization/conferenceorbooth_agenda.php b/htdocs/eventorganization/conferenceorbooth_agenda.php
index 54a3e5b9a4c..bd50df31a91 100644
--- a/htdocs/eventorganization/conferenceorbooth_agenda.php
+++ b/htdocs/eventorganization/conferenceorbooth_agenda.php
@@ -132,14 +132,17 @@ if ($id > 0 || !empty($ref)) {
 $upload_dir = $conf->eventorganization->multidir_output[$object->entity]."/".$object->id;
 }
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'eventorganization', $object->id);
+// Security check
+if ($user->socid > 0) {
+ accessforbidden();
+}
+$isdraft = (($object->status== $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'eventorganization', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
 $permissiontoadd = $user->rights->eventorganization->conferenceorbooth->write; // Used by the include of actions_addupdatedelete.inc.php
+
 /*
  * Actions
  */
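Review bot: The removed `$socid = 0;` is not re-introduced by the second hunk of this file, where the new security block is added, so if `$socid` is read further down bom_list.php (a list filter, for instance) it is now an undefined variable; the same removal happens in mo_list.php, conferenceorbooth_list.php keeps only the commented-out `//$socid = 0;`, and eventorganizationindex.php drops `$socid = GETPOST('socid', 'int');` entirely. If any of those pages still references `$socid`, keep a `$socid = 0;` next to the new `restrictedArea()` call. The explicit `empty($conf->bom->enabled)` guard is also gone, which is only safe if `restrictedArea()` or main.inc.php already refuses requests for a disabled module — worth confirming rather than assuming.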
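Review bot: `$isdraft` is derived from `$object->status`, while conferenceorbooth_card.php in this same commit is switching that exact expression from `$object->statut` to `$object->status`, so the property name should be checked against the ConferenceOrBooth class: if the class still exposes `statut`, `$object->status` is null, `null == STATUS_DRAFT` is true, and every object reaches `restrictedArea()` flagged as a draft, which presumably changes the permission rule it applies. The same line is added in conferenceorbooth_card.php, conferenceorbooth_contact.php, conferenceorbooth_document.php and conferenceorbooth_note.php. Style: the comparison is missing its spaces and reads better as `$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);`. If the page can be reached without an id, `$object->id` is empty at this point and how `restrictedArea()` treats an empty object id should be confirmed.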
diff --git a/htdocs/eventorganization/conferenceorbooth_card.php b/htdocs/eventorganization/conferenceorbooth_card.php
index e27e909d071..6f223821bd3 100644
--- a/htdocs/eventorganization/conferenceorbooth_card.php
+++ b/htdocs/eventorganization/conferenceorbooth_card.php
@@ -85,14 +85,11 @@ $permissionnote = $user->rights->eventorganization->write; // Used by the includ
 $permissiondellink = $user->rights->eventorganization->write; // Used by the include of actions_dellink.inc.php
 $upload_dir = $conf->eventorganization->multidir_output[isset($object->entity) ? $object->entity : 1];
-// Security check - Protection if external user
+// Security check
 if ($user->socid > 0) {
 accessforbidden();
 }
-if ($user->socid > 0) {
- $socid = $user->socid;
-}
-$isdraft = (($object->statut == $object::STATUS_DRAFT) ? 1 : 0);
+$isdraft = (($object->status== $object::STATUS_DRAFT) ? 1 : 0);
 $result = restrictedArea($user, 'eventorganization', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
 if (!$permissiontoread) {
diff --git a/htdocs/eventorganization/conferenceorbooth_contact.php b/htdocs/eventorganization/conferenceorbooth_contact.php
index e29252aef1e..d42cc78adcb 100644
--- a/htdocs/eventorganization/conferenceorbooth_contact.php
+++ b/htdocs/eventorganization/conferenceorbooth_contact.php
@@ -78,18 +78,21 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 // Load object
 include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'eventorganization', $object->id);
+// Security check
+if ($user->socid > 0) {
+ accessforbidden();
+}
+$isdraft = (($object->status== $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'eventorganization', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
 $permission = $user->rights->eventorganization->conferenceorbooth->write;
+
 /*
- * Add a new contact
+ * Actions
  */
-if ($action == 'addcontact' && $permission) {
+if ($action == 'addcontact' && $permission) { // Add a new contact
 $contactid = (GETPOST('userid') ? GETPOST('userid', 'int') : GETPOST('contactid', 'int'));
 $typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
 $result = $object->add_contact($contactid, $typeid, GETPOST("source", 'aZ09'));
diff --git a/htdocs/eventorganization/conferenceorbooth_document.php b/htdocs/eventorganization/conferenceorbooth_document.php
index 7b8094e3034..1f354453fd1 100644
--- a/htdocs/eventorganization/conferenceorbooth_document.php
+++ b/htdocs/eventorganization/conferenceorbooth_document.php
@@ -124,13 +124,14 @@ if ($id > 0 || !empty($ref)) {
 $upload_dir = $conf->eventorganization->multidir_output[$object->entity ? $object->entity : $conf->entity]."/conferenceorbooth/".get_exdir(0, 0, 0, 1, $object);
 }
-// Security check - Protection if external user
-//if ($user->socid > 0) accessforbidden();
-//if ($user->socid > 0) $socid = $user->socid;
-//$result = restrictedArea($user, 'eventorganization', $object->id);
-
 $permissiontoadd = $user->rights->eventorganization->conferenceorbooth->write; // Used by the include of actions_addupdatedelete.inc.php
+// Security check
+if ($user->socid > 0) {
+ accessforbidden();
+}
+$isdraft = (($object->status== $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'eventorganization', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
 /*
diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php
index 6632e8a1f29..f4cda255cdb 100644
--- a/htdocs/eventorganization/conferenceorbooth_list.php
+++ b/htdocs/eventorganization/conferenceorbooth_list.php
@@ -132,17 +132,12 @@ $permissiontoadd = $user->rights->eventorganization->write;
 $permissiontodelete = $user->rights->eventorganization->delete;
 // Security check
-if (empty($conf->eventorganization->enabled)) {
- accessforbidden('Module not enabled');
-}
-$socid = 0;
+//$socid = 0;
 if ($user->socid > 0) { // Protection if external user
 //$socid = $user->socid;
 accessforbidden();
 }
-//$result = restrictedArea($user, 'eventorganization', $id, '');
-//if (!$permissiontoread) accessforbidden();
-
+$result = restrictedArea($user, 'eventorganization');
 /*
diff --git a/htdocs/eventorganization/conferenceorbooth_note.php b/htdocs/eventorganization/conferenceorbooth_note.php
index 61c8ba957e6..634877d82fe 100644
--- a/htdocs/eventorganization/conferenceorbooth_note.php
+++ b/htdocs/eventorganization/conferenceorbooth_note.php
@@ -109,6 +109,12 @@ if ($id > 0 || !empty($ref)) {
 $permissionnote = $user->rights->eventorganization->conferenceorbooth->write; // Used by the include of actions_setnotes.inc.php
 $permissiontoadd = $user->rights->eventorganization->conferenceorbooth->write; // Used by the include of actions_addupdatedelete.inc.php
+// Security check
+if ($user->socid > 0) {
+ accessforbidden();
+}
+$isdraft = (($object->status== $object::STATUS_DRAFT) ? 1 : 0);
+$result = restrictedArea($user, 'eventorganization', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
 /*
diff --git a/htdocs/eventorganization/eventorganizationindex.php b/htdocs/eventorganization/eventorganizationindex.php
index 999d85255d0..d5c158ab860 100644
--- a/htdocs/eventorganization/eventorganizationindex.php
+++ b/htdocs/eventorganization/eventorganizationindex.php
@@ -25,57 +25,26 @@
 */
 // Load Dolibarr environment
-$res = 0;
-// Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
-if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
- $res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
-}
-// Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
-$tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;
-while ($i > 0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i] == $tmp2[$j]) {
- $i--; $j--;
-}
-if (!$res && $i > 0 && file_exists(substr($tmp, 0, ($i + 1))."/main.inc.php")) {
- $res = @include substr($tmp, 0, ($i + 1))."/main.inc.php";
-}
-if (!$res && $i > 0 && file_exists(dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php")) {
- $res = @include dirname(substr($tmp, 0, ($i + 1)))."/main.inc.php";
-}
-// Try main.inc.php using relative path
-if (!$res && file_exists("../main.inc.php")) {
- $res = @include "../main.inc.php";
-}
-if (!$res && file_exists("../../main.inc.php")) {
- $res = @include "../../main.inc.php";
-}
-if (!$res && file_exists("../../../main.inc.php")) {
- $res = @include "../../../main.inc.php";
-}
-if (!$res) {
- die("Include of main fails");
-}
-
+require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 // Load translation files required by the page
-$langs->loadLangs(array("eventorganization@eventorganization"));
+$langs->loadLangs(array("eventorganization"));
 $action = GETPOST('action', 'aZ09');
-
-// Security check
-// if (! $user->rights->eventorganization->myobject->read) {
-// accessforbidden();
-// }
-$socid = GETPOST('socid', 'int');
-if (isset($user->socid) && $user->socid > 0) {
- $action = '';
- $socid = $user->socid;
-}
-
 $max = 5;
 $now = dol_now();
+// Security check
+//$socid = 0;
+if ($user->socid > 0) { // Protection if external user
+ //$socid = $user->socid;
+ accessforbidden();
+}
+$result = restrictedArea($user, 'eventorganization');
+
+
 /*
  * Actions
diff --git a/htdocs/intracommreport/list.php b/htdocs/intracommreport/list.php
index e43dc33e700..d3fd0ff2fb1 100644
--- a/htdocs/intracommreport/list.php
+++ b/htdocs/intracommreport/list.php
@@ -39,8 +39,6 @@ $toselect = GETPOST('toselect', 'array');
 $sall = trim((GETPOST('search_all', 'alphanohtml') != '') ?GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml'));
 $search_ref = GETPOST("search_ref", 'alpha');
 $search_type = GETPOST("search_type", 'int');
-$fourn_id = GETPOST("fourn_id", 'int');
-$catid = GETPOST('catid', 'int');
 $optioncss = GETPOST('optioncss', 'alpha');
 $type = GETPOST("type", "int");
@@ -139,6 +137,14 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 $object->fields = dol_sort_array($object->fields, 'position');
 $arrayfields = dol_sort_array($arrayfields, 'position');
+// Security check
+if ($search_type == '0') {
+ $result = restrictedArea($user, 'produit', '', '', '', '', '', 0);
+} elseif ($search_type == '1') {
+ $result = restrictedArea($user, 'service', '', '', '', '', '', 0);
+} else {
+ $result = restrictedArea($user, 'produit|service', '', '', '', '', '', 0);
+}
 /*
@@ -192,6 +198,7 @@ if (empty($reshook)) {
 /*
  * View
  */
+
 $formother = new FormOther($db);
 $title = $langs->trans('IntracommReportList'.$type);
diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php
index aa616709a7d..47afaa55b55 100644
--- a/htdocs/modulebuilder/template/myobject_list.php
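Review bot: The new security block in eventorganizationindex.php carries two commented-out lines, `//$socid = 0;` and `//$socid = $user->socid;`, which look copied from the modulebuilder template and are dead here; dropping them leaves `if ($user->socid > 0) { accessforbidden(); }` followed by the `restrictedArea()` call, and the `//$socid = 0;` left behind in conferenceorbooth_list.php deserves the same treatment. The block also puts its `// Protection if external user` comment on the `if` line, while bom_list.php and mo_list.php in this commit put it on its own line inside the block; one form should be used throughout. Replacing the old `$socid = $user->socid` / `$action = ''` handling with `accessforbidden()` turns external users from "scoped to their company" into "refused", which is a deliberate behaviour change worth calling out in the commit message.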
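Review bot: `$search_type` is read with `GETPOST("search_type", 'int')` in the first hunk of this file, yet the new block compares it with the strings `'0'` and `'1'` using `==`; if the 'int' filter casts an absent parameter to 0, the unfiltered listing is gated on the product permission alone and the `produit|service` branch, which reads as the intended default, is never reached — worth checking, and a strict comparison against an int would make the chosen behaviour explicit. The block is a verbatim copy of the one product/list.php moves in this same commit, so the same remark applies there, and a small shared helper returning the feature string would keep the two from drifting apart. The check also now runs after the extrafields and field-sorting setup rather than before it; nothing visible in the hunk emits output first, but that ordering should be kept in mind if more setup is added above it.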
+++ b/htdocs/modulebuilder/template/myobject_list.php
@@ -187,7 +187,7 @@ if ($user->socid > 0) { // Protection if external user
 //$socid = $user->socid;
 accessforbidden();
 }
-//$result = restrictedArea($user, 'mymodule', $id, '');
+//$result = restrictedArea($user, 'mymodule');
 //if (!$permissiontoread) accessforbidden();
diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php
index 841dba3ea20..30fe3e8d9fa 100644
--- a/htdocs/mrp/mo_list.php
+++ b/htdocs/mrp/mo_list.php
@@ -82,18 +82,6 @@ if (!$sortorder) {
 $sortorder = "ASC";
 }
-// Security check
-if (empty($conf->mrp->enabled)) {
- accessforbidden('Module not enabled');
-}
-$socid = 0;
-if ($user->socid > 0) { // Protection if external user
- //$socid = $user->socid;
- accessforbidden();
-}
-//$result = restrictedArea($user, 'mrp', $id, '');
-
-
 // Initialize array of search criterias
 $search_all = GETPOST('search_all', 'alphanohtml') ? GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml');
 $search = array();
@@ -139,6 +127,13 @@ $permissiontoread = $user->rights->mrp->read;
 $permissiontoadd = $user->rights->mrp->write;
 $permissiontodelete = $user->rights->mrp->delete;
+// Security check
+if ($user->socid > 0) {
+ // Protection if external user
+ accessforbidden();
+}
+$result = restrictedArea($user, 'mrp');
+
 /*
  * Actions
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index bd38e41f4dd..4d8f07ab9a5 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -146,15 +146,6 @@ if (!empty($canvas)) {
 $objcanvas->getCanvas('product', 'list', $canvas);
 }
-// Security check
-if ($search_type == '0') {
- $result = restrictedArea($user, 'produit', '', '', '', '', '', 0);
-} elseif ($search_type == '1') {
- $result = restrictedArea($user, 'service', '', '', '', '', '', 0);
-} else {
- $result = restrictedArea($user, 'produit|service', '', '', '', '', '', 0);
-}
-
 // Define virtualdiffersfromphysical
 $virtualdiffersfromphysical = 0;
 if (!empty($conf->global->STOCK_CALCULATE_ON_SHIPMENT)
@@ -267,6 +258,14 @@ include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_array_fields.tpl.php';
 $object->fields = dol_sort_array($object->fields, 'position');
 $arrayfields = dol_sort_array($arrayfields, 'position');
+// Security check
+if ($search_type == '0') {
+ $result = restrictedArea($user, 'produit', '', '', '', '', '', 0);
+} elseif ($search_type == '1') {
+ $result = restrictedArea($user, 'service', '', '', '', '', '', 0);
+} else {
+ $result = restrictedArea($user, 'produit|service', '', '', '', '', '', 0);
+}
 /*