From 5fcda2157ee2e35b44e4be90c5f60371e1f030a9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 1 Sep 2024 14:32:49 +0200
Subject: [PATCH] Fix missing test on permissions
---
 htdocs/product/stock/stockatdate.php | 2 +-
 htdocs/projet/contact.php | 10 ++++++----
 htdocs/reception/card.php | 4 +++-
 htdocs/resource/card.php | 3 ---
 htdocs/ticket/card.php | 6 ++++--
 5 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php
index 72498c7786f..ac09f9770e3 100644
--- a/htdocs/product/stock/stockatdate.php
+++ b/htdocs/product/stock/stockatdate.php
@@ -193,7 +193,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
 dol_print_error($db);
 }
 //var_dump($stock_prod_warehouse);
-} elseif ($action == 'filter') {
+} elseif ($action == 'filter') { // Test on permissions not required here
 setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Date")), null, 'errors');
 }
diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php
index 60ce796b03a..26165bea40d 100644
--- a/htdocs/projet/contact.php
+++ b/htdocs/projet/contact.php
@@ -67,6 +67,8 @@ $hookmanager->initHooks(array('projectcontactcard', 'globalcard'));
 //if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignment.
 $result = restrictedArea($user, 'projet', $id, 'projet&project');
+$permissiontoadd = $user->hasRight('projet', 'creer');
+
 /*
 * Actions
@@ -81,7 +83,7 @@ if ($reshook < 0) {
 if (empty($reshook)) {
 // Test if we can add contact to the tasks at the same times, if not or not required, make a redirect
 $formconfirmtoaddtasks = '';
- if ($action == 'addcontact') {
+ if ($action == 'addcontact' && $permissiontoadd) {
 $form = new Form($db);
 $source = GETPOST("source", 'aZ09');
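Review bot: The added `// Test on permissions not required here` marker on the `elseif ($action == 'filter')` branch says that no check is needed but not why, so the next reader has to re-derive it; since the branch only emits a validation message and performs no read or write, spell that out: `// No permission test needed: this branch only reports the missing mandatory date, it reads and writes nothing`. The same applies to the `// Test on permission already done` comment in the htdocs/ticket/card.php hunk at -189, which sits on an inner `if ($action == 'add')` that tests nothing about permissions itself; naming the guard it relies on (`$permissiontoadd` on the enclosing `if`) would make that marker self-explanatory. The `if ($date && $dateIsValid)` chain this branch belongs to starts before the hunk.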
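Review bot: The new `&& $permissiontoadd` guard on `$action == 'addcontact'` (hunk at -81) makes an unauthorised request fall through silently to the view, with neither an error message nor a forbidden response, so a user lacking the `projet` `creer` right gets the page back as if nothing had been submitted. A companion branch such as `} elseif ($action == 'addcontact') { accessforbidden(); }` would make the denial visible and log it where the project's other access checks do; the `$permissiontoadd` computed in the hunk at -67 is available at that point. Whether this page should prefer `accessforbidden()` or an error message via `setEventMessages()` is a project convention I cannot confirm from the hunk. The `if (empty($reshook))` block continues past the hunk.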
@@ -161,7 +163,7 @@ if (empty($reshook)) {
 }
 // Add new contact
- if ($action == 'addcontact_confirm' && $user->hasRight('projet', 'creer')) {
+ if ($action == 'addcontact_confirm' && $permissiontoadd) {
 if (GETPOST('confirm', 'alpha') == 'no') {
 header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id);
 exit;
@@ -274,7 +276,7 @@ if (empty($reshook)) {
 }
 // Change contact's status
- if ($action == 'swapstatut' && $user->hasRight('projet', 'creer')) {
+ if ($action == 'swapstatut' && $permissiontoadd) {
 if ($object->fetch($id)) {
 $result = $object->swapContactStatus(GETPOSTINT('ligne'));
 } else {
@@ -283,7 +285,7 @@ if (empty($reshook)) {
 }
 // Delete a contact
- if (($action == 'deleteline' || $action == 'deletecontact') && $user->hasRight('projet', 'creer')) {
+ if (($action == 'deleteline' || $action == 'deletecontact') && $permissiontoadd) {
 $object->fetch($id);
 $result = $object->delete_contact(GETPOSTINT("lineid"));
diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php
index a6e19e93dba..502938bdd43 100644
--- a/htdocs/reception/card.php
+++ b/htdocs/reception/card.php
@@ -171,6 +171,8 @@ if (isModEnabled("reception")) {
 $permissiontodelete = $user->hasRight('fournisseur', 'commande', 'receptionner');
 }
+$error = 0;
+
 /*
 * Actions
@@ -289,11 +291,11 @@ if (empty($reshook)) {
 // Create reception
 if ($action == 'add' && $permissiontoadd) {
 $error = 0;
- $predef = '';
 $db->begin();
 $object->note = GETPOST('note', 'alpha');
+ $object->note_private = GETPOST('note', 'alpha');
 $object->origin = $origin;
 $object->origin_id = $origin_id;
 $object->fk_project = GETPOSTINT('projectid');
diff --git a/htdocs/resource/card.php b/htdocs/resource/card.php
index d97ff6d6988..fbcd991a056 100644
--- a/htdocs/resource/card.php
+++ b/htdocs/resource/card.php
@@ -375,9 +375,6 @@ if ($action == 'create' || $object->fetch($id, $ref) > 0) { print '
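Review bot: In the hunk at -283 the contact deletion (`deleteline` / `deletecontact`) is now gated by a variable named `$permissiontoadd`, so the name no longer describes what it authorises; the underlying right is the same `projet` `creer` the removed line checked, but a reader of `if ((...) && $permissiontoadd)` will assume an add-only check and may later "tighten" it by mistake. Either define `$permissiontodelete = $user->hasRight('projet', 'creer');` next to `$permissiontoadd` and use it here, or put `// deleting project contacts is covered by the 'creer' right` on the `if`. The `swapstatut` hunk at -274 has the same naming mismatch. Each of these `if` bodies continues past its hunk.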
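Review bot: `$object->note_private = GETPOST('note', 'alpha');` in the hunk at -289 reads the same request parameter that the line above already stores in `$object->note`, so both fields end up holding the public note; if the form posts a separate private-note field the parameter name should match it (constructed example: `GETPOST('note_private', 'alpha')`, if that is what the form sends), and if the duplication is intended it needs a comment, because it is unrelated to the commit subject and reads like a copy-paste slip. Separately, with `$error = 0;` now initialised at file level in the hunk at -171, the `$error = 0;` inside `if ($action == 'add' && $permissiontoadd)` is redundant though harmless. The `if ($action == 'add' ...)` body continues past the hunk.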
'; print '
'; - /*--------------------------------------- * View object */ print ''; // Resource type
diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php
index 521c1076784..14d03187d6d 100644
--- a/htdocs/ticket/card.php
+++ b/htdocs/ticket/card.php
@@ -189,8 +189,10 @@ if (empty($reshook)) {
 }
 if (($action == 'add' || ($action == 'update' && $object->status < Ticket::STATUS_CLOSED)) && $permissiontoadd) {
- $ifErrorAction = $action == 'add' ? 'create' : 'edit';
- if ($action == 'add') $object->track_id = null;
+ $ifErrorAction = ($action == 'add' ? 'create' : 'edit');
+ if ($action == 'add') { // Test on permission already done
+ $object->track_id = null;
+ }
 $error = 0;
 $fieldsToCheck = [