Fix missing test on permissions

htdocs/product/stock/stockatdate.php

@@ -193,7 +193,7 @@ if ($date && $dateIsValid) {	// Avoid heavy sql if mandatory date is not defined
 		dol_print_error($db);
 	}
 	//var_dump($stock_prod_warehouse);
-} elseif ($action == 'filter') {
+} elseif ($action == 'filter') {	// Test on permissions not required here
 	setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Date")), null, 'errors');
 }
 

htdocs/projet/contact.php

@@ -67,6 +67,8 @@ $hookmanager->initHooks(array('projectcontactcard', 'globalcard'));
 //if ($user->socid > 0) $socid = $user->socid;    // For external user, no check is done on company because readability is managed by public status of project and assignment.
 $result = restrictedArea($user, 'projet', $id, 'projet&project');
 
+$permissiontoadd = $user->hasRight('projet', 'creer');
+
 
 /*
  * Actions
@@ -81,7 +83,7 @@ if ($reshook < 0) {
 if (empty($reshook)) {
 	// Test if we can add contact to the tasks at the same times, if not or not required, make a redirect
 	$formconfirmtoaddtasks = '';
-	if ($action == 'addcontact') {
+	if ($action == 'addcontact' && $permissiontoadd) {
 		$form = new Form($db);
 
 		$source = GETPOST("source", 'aZ09');
@@ -161,7 +163,7 @@ if (empty($reshook)) {
 	}
 
 	// Add new contact
-	if ($action == 'addcontact_confirm' && $user->hasRight('projet', 'creer')) {
+	if ($action == 'addcontact_confirm' && $permissiontoadd) {
 		if (GETPOST('confirm', 'alpha') == 'no') {
 			header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
 			exit;
@@ -274,7 +276,7 @@ if (empty($reshook)) {
 	}
 
 	// Change contact's status
-	if ($action == 'swapstatut' && $user->hasRight('projet', 'creer')) {
+	if ($action == 'swapstatut' && $permissiontoadd) {
 		if ($object->fetch($id)) {
 			$result = $object->swapContactStatus(GETPOSTINT('ligne'));
 		} else {
@@ -283,7 +285,7 @@ if (empty($reshook)) {
 	}
 
 	// Delete a contact
-	if (($action == 'deleteline' || $action == 'deletecontact') && $user->hasRight('projet', 'creer')) {
+	if (($action == 'deleteline' || $action == 'deletecontact') && $permissiontoadd) {
 		$object->fetch($id);
 		$result = $object->delete_contact(GETPOSTINT("lineid"));
 

htdocs/reception/card.php

@@ -171,6 +171,8 @@ if (isModEnabled("reception")) {
 	$permissiontodelete = $user->hasRight('fournisseur', 'commande', 'receptionner');
 }
 
+$error = 0;
+
 
 /*
  * Actions
@@ -289,11 +291,11 @@ if (empty($reshook)) {
 	// Create reception
 	if ($action == 'add' && $permissiontoadd) {
 		$error = 0;
-		$predef = '';
 
 		$db->begin();
 
 		$object->note = GETPOST('note', 'alpha');
+		$object->note_private = GETPOST('note', 'alpha');
 		$object->origin = $origin;
 		$object->origin_id = $origin_id;
 		$object->fk_project = GETPOSTINT('projectid');

htdocs/resource/card.php

@@ -375,9 +375,6 @@ if ($action == 'create' || $object->fetch($id, $ref) > 0) {
 		print '<div class="fichecenter">';
 		print '<div class="underbanner clearboth"></div>';
 
-		/*---------------------------------------
-		 * View object
-		 */
 		print '<table class="border tableforfield centpercent">';
 
 		// Resource type

htdocs/ticket/card.php

@@ -189,8 +189,10 @@ if (empty($reshook)) {
 	}
 
 	if (($action == 'add' || ($action == 'update' && $object->status < Ticket::STATUS_CLOSED)) && $permissiontoadd) {
-		$ifErrorAction = $action == 'add' ? 'create' : 'edit';
-		if ($action == 'add') $object->track_id = null;
+		$ifErrorAction = ($action == 'add' ? 'create' : 'edit');
+		if ($action == 'add') {		// Test on permission already done
+			$object->track_id = null;
+		}
 		$error = 0;
 
 		$fieldsToCheck = [