Merge branch 'develop' into 14a22

ChangeLog

@@ -19,9 +19,9 @@ WARNING:
 Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
 * The ICS value for direct debit or credit transfer is now store on each bank account instead of into the global setup.
 * API /setup/shipment_methods has been replaced with API /setup/shipping_methods
-* Field "total" renamed into to "total_ht" in llx_facture, llx_facture_rec for better field name consistency
-* Field "tva" renamed into to "total_tva" in llx_facture, llx_facture_rec, llx_propal, llx_supplier_proposal, llx_commande, llx_commande_fournisseur for better field name consistency
-* Field "total" renamed into "total_ttc" in llx_propal, llx_supplier_proposal for better field name consistency
+* Field "total" renamed into to "total_ht" for table llx_facture, llx_facture_rec for better field name consistency
+* Field "tva" renamed into "total_tva" for table llx_propal, llx_supplier_proposal, llx_commande, llx_commande_fournisseur for better field name consistency
+* Field "total" renamed into "total_ttc" for table lx_propal, llx_supplier_proposal for better field name consistency
 * If your database is PostgreSql, you must use version 9.1.0 or more (Dolibarr need the SQL function CONCAT)
 * If your database is MySql or MariaDB, you need at least version 5.1
 

htdocs/core/modules/modBom.class.php

@@ -286,6 +286,7 @@ class modBom extends DolibarrModules
 		$langs->load("mrp");
 		$this->export_code[$r] = $this->rights_class.'_'.$r;
 		$this->export_label[$r] = 'BomAndBomLines'; // Translation key (used only if key ExportDataset_xxx_z not found)
+		$this->export_permission[$r] = array(array("bom", "read"));
 		$this->export_icon[$r] = 'bom';
 		$keyforclass = 'BOM';
 		$keyforclassfile = '/bom/class/bom.class.php';

htdocs/core/modules/modWebsite.class.php

@@ -109,6 +109,12 @@ class modWebsite extends DolibarrModules
 		$this->rights[$r][4] = 'delete';
 		$r++;
 
+		$this->rights[$r][0] = 10008;
+		$this->rights[$r][1] = 'Export website content';
+		$this->rights[$r][3] = 0;
+		$this->rights[$r][4] = 'export';
+		$r++;
+
 		// Main menu entries
 		$r = 0;
 		$this->menu[$r] = array('fk_menu'=>'0', // Use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode
@@ -130,6 +136,7 @@ class modWebsite extends DolibarrModules
 
 		$this->export_code[$r] = $this->rights_class.'_'.$r;
 		$this->export_label[$r] = 'MyWebsitePages'; // Translation key (used only if key ExportDataset_xxx_z not found)
+		$this->export_permission[$r] = array(array("website", "export"));
 		$this->export_icon[$r] = 'globe';
 		$keyforclass = 'WebsitePage';
 		$keyforclassfile = '/website/class/websitepage.class.php';

htdocs/exports/export.php

@@ -154,6 +154,9 @@ $upload_dir = $conf->export->dir_temp.'/'.$user->id;
 //$usefilters=($conf->global->MAIN_FEATURES_LEVEL > 1);
 $usefilters = 1;
 
+// Security check
+$result = restrictedArea($user, 'export');
+
 
 /*
  * Actions
@@ -449,7 +452,7 @@ if ($step == 1 || !$datatoexport) {
 			if ($objexport->array_export_perms[$key]) {
 				print '<a href="'.DOL_URL_ROOT.'/exports/export.php?step=2&module_position='.$objexport->array_export_module[$key]->module_position.'&datatoexport='.$objexport->array_export_code[$key].'">'.img_picto($langs->trans("NewExport"), 'next', 'class="fa-15x"').'</a>';
 			} else {
-				print $langs->trans("NotEnoughPermissions");
+				print '<span class="opacitymedium">'.$langs->trans("NotEnoughPermissions").'</span>';
 			}
 			print '</td></tr>';
 		}

htdocs/exports/index.php

@@ -27,11 +27,12 @@ require_once DOL_DOCUMENT_ROOT.'/exports/class/export.class.php';
 // Load translation files required by the page
 $langs->load("exports");
 
+$export = new Export($db);
+$export->load_arrays($user);
+
 // Security check
 $result = restrictedArea($user, 'export');
 
-$export = new Export($db);
-$export->load_arrays($user);
 
 /*
  * View

htdocs/user/info.php

@@ -32,6 +32,8 @@ $langs->load("users");
 
 // Security check
 $id = GETPOST('id', 'int');
+$ref = GETPOST('ref', 'alpha');
+
 $object = new User($db);
 if ($id > 0 || !empty($ref)) {
 	$result = $object->fetch($id, $ref, '', 1);

htdocs/user/notify/card.php

@@ -32,9 +32,11 @@ require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/triggers/interface_50_modNotification_Notification.class.php';
 
 // Load translation files required by page
-$langs->loadLangs(array('companies', 'mails', 'admin', 'other'));
+$langs->loadLangs(array('companies', 'mails', 'admin', 'other', 'errors'));
 
 $id = GETPOST("id", 'int');
+$ref = GETPOST('ref', 'alpha');
+
 $action = GETPOST('action', 'aZ09');
 $actionid = GETPOST('actionid');
 
@@ -63,11 +65,24 @@ $pagenext = $page + 1;
 
 $now = dol_now();
 
+// Security check
+$object = new User($db);
+if ($id > 0 || !empty($ref)) {
+	$result = $object->fetch($id, $ref, '', 1);
+	$object->getrights();
+}
+
+$permissiontoadd = (($object->id == $user->id) || (!empty($user->rights->user->user->lire)));
+
 
 /*
  * Actions
  */
 
+if (GETPOST('cancel', 'alpha')) {
+	$action = 'list';
+}
+
 // Add a notification
 if ($action == 'add') {
 	$error = 0;
@@ -75,6 +90,7 @@ if ($action == 'add') {
 	if ($actionid <= 0) {
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Action")), null, 'errors');
 		$error++;
+		$action = 'create';
 	}
 
 	if (!$error) {
@@ -98,6 +114,7 @@ if ($action == 'add') {
 			$db->commit();
 		} else {
 			$db->rollback();
+			$action = 'create';
 		}
 	}
 }
@@ -185,7 +202,7 @@ if ($result > 0) {
 
 
 	// Add notification form
-	print load_fiche_titre($langs->trans("AddNewNotification"), '', '');
+	//  print load_fiche_titre($langs->trans("AddNewNotification"), '', '');
 
 	print '<form action="'.$_SERVER["PHP_SELF"].'?id='.$id.'" method="post">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
@@ -194,7 +211,7 @@ if ($result > 0) {
 	$param = "&id=".$id;
 
 	// Line with titles
-	print '<table width="100%" class="noborder">';
+	/*  print '<table width="100%" class="noborder">';
 	print '<tr class="liste_titre">';
 	print_liste_field_titre("Target", $_SERVER["PHP_SELF"], "c.lastname,c.firstname", '', $param, 'width="45%"', $sortfield, $sortorder);
 	print_liste_field_titre("Action", $_SERVER["PHP_SELF"], "", '', $param, 'width="35%"', $sortfield, $sortorder);
@@ -202,48 +219,10 @@ if ($result > 0) {
 	print_liste_field_titre('');
 	print "</tr>\n";
 
-
-	// $listofemails=$object->thirdparty_and_contact_email_array();
-	if ($object->email) {
-		$actions = array();
-
-		// Load array of available notifications
-		$notificationtrigger = new InterfaceNotification($db);
-		$listofnotifiedevents = $notificationtrigger->getListOfManagedEvents();
-
-		foreach ($listofnotifiedevents as $notifiedevent) {
-			$label = ($langs->trans("Notify_".$notifiedevent['code']) != "Notify_".$notifiedevent['code'] ? $langs->trans("Notify_".$notifiedevent['code']) : $notifiedevent['label']);
-			$actions[$notifiedevent['rowid']] = $label;
-		}
-		print '<tr class="oddeven nohover"><td>';
-		print $object->getNomUrl(1);
-		if (isValidEmail($object->email)) {
-			print ' &lt;'.$object->email.'&gt;';
-		} else {
-			$langs->load("errors");
-			print ' &nbsp; '.img_warning().' '.$langs->trans("ErrorBadEMail", $object->email);
-		}
-		print '</td>';
-		print '<td>';
-		print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$form->selectarray("actionid", $actions, '', 1);
-		print '</td>';
-		print '<td>';
-		$type = array('email'=>$langs->trans("EMail"));
-		print $form->selectarray("typeid", $type);
-		print '</td>';
-		print '<td class="right"><input type="submit" class="button" value="'.$langs->trans("Add").'"></td>';
-		print '</tr>';
-	} else {
-		print '<tr class="oddeven"><td colspan="4">';
-		print $langs->trans("YouMustAssignUserMailFirst");
-		print '</td></tr>';
-	}
-
 	print '</table>';
 
-	print '</form>';
 	print '<br>';
-
+	*/
 	// List of notifications enabled for contacts
 	$sql = "SELECT n.rowid, n.type,";
 	$sql .= " a.code, a.label,";
@@ -262,8 +241,13 @@ if ($result > 0) {
 		dol_print_error($db);
 	}
 
+	$newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?id='.$object->id.'&action=create&backtopage='.urlencode($_SERVER['PHP_SELF']), '', $permissiontoadd);
+
+	$title = $langs->trans("ListOfActiveNotifications");
+
 	// List of active notifications
-	print load_fiche_titre($langs->trans("ListOfActiveNotifications").' ('.$num.')', '', '');
+	//print load_fiche_titre($langs->trans("ListOfActiveNotifications").' ('.$num.')', '', '');
+	print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $num, 'email', 0, $newcardbutton, '', $limit, 0, 0, 1);
 
 	// Line with titles
 	print '<table width="100%" class="noborder">';
@@ -274,99 +258,141 @@ if ($result > 0) {
 	print_liste_field_titre('', '', '');
 	print '</tr>';
 
-	$langs->load("errors");
-	$langs->load("other");
 
-	if ($num) {
-		$i = 0;
+	if ($action == 'create') {
+		// $listofemails=$object->thirdparty_and_contact_email_array();
+		if ($object->email) {
+			$actions = array();
 
-		$userstatic = new user($db);
+			// Load array of available notifications
+			$notificationtrigger = new InterfaceNotification($db);
+			$listofnotifiedevents = $notificationtrigger->getListOfManagedEvents();
 
-		while ($i < $num) {
-			$obj = $db->fetch_object($resql);
+			foreach ($listofnotifiedevents as $notifiedevent) {
+				$label = ($langs->trans("Notify_".$notifiedevent['code']) != "Notify_".$notifiedevent['code'] ? $langs->trans("Notify_".$notifiedevent['code']) : $notifiedevent['label']);
+				$actions[$notifiedevent['rowid']] = $label;
+			}
+			print '<tr class="oddeven nohover"><td>';
+			print $object->getNomUrl(1);
+			if (isValidEmail($object->email)) {
+				print ' &lt;'.$object->email.'&gt;';
+			} else {
+				$langs->load("errors");
+				print ' &nbsp; '.img_warning().' '.$langs->trans("ErrorBadEMail", $object->email);
+			}
+			print '</td>';
+			print '<td>';
+			print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$form->selectarray("actionid", $actions, '', 1);
+			print '</td>';
+			print '<td>';
+			$type = array('email'=>$langs->trans("EMail"));
+			print $form->selectarray("typeid", $type);
+			print '</td>';
+			print '<td class="nowraponall">';
+			print '<input type="submit" class="button" value="'.$langs->trans("Add").'">';
+			print '&nbsp;';
+			print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
+			print '</td>';
+			print '</tr>';
+		} else {
+			print '<tr class="oddeven"><td colspan="4">';
+			print $langs->trans("YouMustAssignUserMailFirst");
+			print '</td></tr>';
+		}
+	} else {
+		if ($num) {
+			$i = 0;
 
-			$userstatic->id = $obj->userid;
-			$userstatic->lastname = $obj->lastname;
-			$userstatic->firstname = $obj->firstname;
-			print '<tr class="oddeven"><td>'.$userstatic->getNomUrl(1);
-			if ($obj->type == 'email') {
-				if (isValidEmail($obj->email)) {
-					print ' &lt;'.$obj->email.'&gt;';
-				} else {
-					$langs->load("errors");
-					print ' &nbsp; '.img_warning().' '.$langs->trans("ErrorBadEMail", $obj->email);
+			$userstatic = new user($db);
+
+			while ($i < $num) {
+				$obj = $db->fetch_object($resql);
+
+				$userstatic->id = $obj->userid;
+				$userstatic->lastname = $obj->lastname;
+				$userstatic->firstname = $obj->firstname;
+				print '<tr class="oddeven"><td>'.$userstatic->getNomUrl(1);
+				if ($obj->type == 'email') {
+					if (isValidEmail($obj->email)) {
+						print ' &lt;'.$obj->email.'&gt;';
+					} else {
+						$langs->load("errors");
+						print ' &nbsp; '.img_warning().' '.$langs->trans("ErrorBadEMail", $obj->email);
+					}
+				}
+				print '</td>';
+				print '<td>';
+				$label = ($langs->trans("Notify_".$obj->code) != "Notify_".$obj->code ? $langs->trans("Notify_".$obj->code) : $obj->label);
+				print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$label;
+				print '</td>';
+				print '<td>';
+				if ($obj->type == 'email') {
+					print $langs->trans("Email");
+				}
+				if ($obj->type == 'sms') {
+					print $langs->trans("SMS");
+				}
+				print '</td>';
+				print '<td class="right"><a href="card.php?id='.$id.'&amp;action=delete&amp;token='.newToken().'&amp;actid='.$obj->rowid.'">'.img_delete().'</a></td>';
+				print '</tr>';
+				$i++;
+			}
+			$db->free($resql);
+		}
+
+		// List of notifications enabled for fixed email
+		/*
+		foreach($conf->global as $key => $val) {
+			if (! preg_match('/^NOTIFICATION_FIXEDEMAIL_(.*)/', $key, $reg)) continue;
+			print '<tr class="oddeven"><td>';
+			$listtmp=explode(',',$val);
+			$first=1;
+			foreach($listtmp as $keyemail => $valemail)
+			{
+				if (! $first) print ', ';
+				$first=0;
+				$valemail=trim($valemail);
+				//print $keyemail.' - '.$valemail.' - '.$reg[1].'<br>';
+				if (isValidEmail($valemail, 1))
+				{
+					if ($valemail == '__SUPERVISOREMAIL__') print $valemail;
+					else print ' &lt;'.$valemail.'&gt;';
+				}
+				else
+				{
+					print ' '.img_warning().' '.$langs->trans("ErrorBadEMail",$valemail);
 				}
 			}
 			print '</td>';
 			print '<td>';
-			$label = ($langs->trans("Notify_".$obj->code) != "Notify_".$obj->code ? $langs->trans("Notify_".$obj->code) : $obj->label);
-			print img_picto('', 'object_action', '', false, 0, 0, '', 'paddingright').$label;
+			$notifcode=preg_replace('/_THRESHOLD_.*$/','',$reg[1]);
+			$notifcodecond=preg_replace('/^.*_(THRESHOLD_)/','$1',$reg[1]);
+			$label=($langs->trans("Notify_".$notifcode)!="Notify_".$notifcode?$langs->trans("Notify_".$notifcode):$notifcode);
+			print $label;
+			if (preg_match('/^THRESHOLD_HIGHER_(.*)$/',$notifcodecond,$regcond) && ($regcond[1] > 0))
+			{
+				print ' - '.$langs->trans("IfAmountHigherThan",$regcond[1]);
+			}
 			print '</td>';
 			print '<td>';
-			if ($obj->type == 'email') {
-				print $langs->trans("Email");
-			}
-			if ($obj->type == 'sms') {
-				print $langs->trans("SMS");
-			}
+			print $langs->trans("Email");
 			print '</td>';
-			print '<td class="right"><a href="card.php?id='.$id.'&amp;action=delete&amp;token='.newToken().'&amp;actid='.$obj->rowid.'">'.img_delete().'</a></td>';
+			print '<td class="right">'.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'</td>';
 			print '</tr>';
-			$i++;
-		}
-		$db->free($resql);
+		}*/
+		/*if ($user->admin)
+		{
+			$var = ! $var;
+			print '<tr class="oddeven"><td colspan="4">';
+			print '+ <a href="'.DOL_URL_ROOT.'/admin/notification.php">'.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'</a>';
+			print '</td></tr>';
+		}*/
 	}
 
-	// List of notifications enabled for fixed email
-	/*
-	foreach($conf->global as $key => $val) {
-		if (! preg_match('/^NOTIFICATION_FIXEDEMAIL_(.*)/', $key, $reg)) continue;
-		print '<tr class="oddeven"><td>';
-		$listtmp=explode(',',$val);
-		$first=1;
-		foreach($listtmp as $keyemail => $valemail)
-		{
-			if (! $first) print ', ';
-			$first=0;
-			$valemail=trim($valemail);
-			//print $keyemail.' - '.$valemail.' - '.$reg[1].'<br>';
-			if (isValidEmail($valemail, 1))
-			{
-				if ($valemail == '__SUPERVISOREMAIL__') print $valemail;
-				else print ' &lt;'.$valemail.'&gt;';
-			}
-			else
-			{
-				print ' '.img_warning().' '.$langs->trans("ErrorBadEMail",$valemail);
-			}
-		}
-		print '</td>';
-		print '<td>';
-		$notifcode=preg_replace('/_THRESHOLD_.*$/','',$reg[1]);
-		$notifcodecond=preg_replace('/^.*_(THRESHOLD_)/','$1',$reg[1]);
-		$label=($langs->trans("Notify_".$notifcode)!="Notify_".$notifcode?$langs->trans("Notify_".$notifcode):$notifcode);
-		print $label;
-		if (preg_match('/^THRESHOLD_HIGHER_(.*)$/',$notifcodecond,$regcond) && ($regcond[1] > 0))
-		{
-			print ' - '.$langs->trans("IfAmountHigherThan",$regcond[1]);
-		}
-		print '</td>';
-		print '<td>';
-		print $langs->trans("Email");
-		print '</td>';
-		print '<td class="right">'.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'</td>';
-		print '</tr>';
-	}*/
-	/*if ($user->admin)
-	{
-		$var = ! $var;
-		print '<tr class="oddeven"><td colspan="4">';
-		print '+ <a href="'.DOL_URL_ROOT.'/admin/notification.php">'.$langs->trans("SeeModuleSetup", $langs->transnoentitiesnoconv("Module600Name")).'</a>';
-		print '</td></tr>';
-	}*/
-
 	print '</table>';
 
+	print '</form>';
+
 
 	print '<br><br>'."\n";
 
@@ -422,7 +448,7 @@ if ($result > 0) {
 	print '<input type="hidden" name="id" value="'.$object->id.'">';
 
 	// List of notifications done
-	print_barre_liste($langs->trans("ListOfNotificationsDone"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords, '', 0, '', '', $limit);
+	print_barre_liste($langs->trans("ListOfNotificationsDone"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords, 'email', 0, '', '', $limit);
 
 	// Line with titles
 	print '<table width="100%" class="noborder">';

htdocs/variants/admin/admin.php

@@ -25,7 +25,7 @@ $langs->loadLangs(array("admin", "products"));
 $action = GETPOST('action', 'alphanohtml');
 
 // Security check
-if (!$user->admin || (empty($conf->product->enabled) && empty($conf->service->enabled))) {
+if (!$user->admin || empty($conf->variants->enabled)) {
 	accessforbidden();
 }
 

htdocs/variants/ajax/getCombinations.php

@@ -36,7 +36,24 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductCombination.class.php';
 
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 
 $id = GETPOST('id', 'int');
 

htdocs/variants/ajax/get_attribute_values.php

@@ -36,7 +36,24 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php';
 
-header('Content-Type: application/json');
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
+
+/*
+ * View
+ */
+
+top_httphead('application/json');
 
 $id = GETPOST('id', 'int');
 

htdocs/variants/ajax/orderAttribute.php

@@ -37,6 +37,18 @@ if (!defined('NOREQUIRETRAN')) {
 
 require '../../main.inc.php';
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 /*
  * View

htdocs/variants/card.php

@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 	exit();
 }
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 /*
  * Actions

htdocs/variants/combinations.php

@@ -64,6 +64,18 @@ if ($id > 0 || $ref) {
 
 $selectedvariant = $_SESSION['addvariant_'.$object->id];
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 /*
  * Actions

htdocs/variants/create.php

@@ -24,6 +24,18 @@ $label = GETPOST('label', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 $action = GETPOST('action', 'alpha');
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 /*
  * Actions

htdocs/variants/create_val.php

@@ -36,6 +36,18 @@ if ($object->fetch($id) < 1) {
 	exit();
 }
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 /*
  * Actions

htdocs/variants/list.php

@@ -21,6 +21,18 @@ require DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 $action = GETPOST('action', 'aZ09');
 $object = new ProductAttribute($db);
 
+$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+
+// Security check
+if (empty($conf->variants->enabled)) {
+	accessforbidden('Module not enabled');
+}
+if ($user->socid > 0) { // Protection if external user
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'variant');
+if (!$permissiontoread) accessforbidden();
+
 
 
 /*

htdocs/website/index.php

@@ -477,7 +477,7 @@ if ($massaction == 'setcategory' && GETPOST('confirmmassaction', 'alpha') && $us
 }
 
 // Replacement of string into pages
-if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha')) {
+if ($massaction == 'replace' && GETPOST('confirmmassaction', 'alpha') && $usercanedit) {
 	$replacestring = GETPOST('replacestring', 'none');
 
 	if (empty($user->rights->website->writephp)) {
@@ -567,7 +567,7 @@ if ($action == 'adddir' && $permtouploadfile)
 */
 
 // Add site
-if ($action == 'addsite') {
+if ($action == 'addsite' && $usercanedit) {
 	$db->begin();
 
 	if (GETPOST('virtualhost', 'alpha') && !preg_match('/^http/', GETPOST('virtualhost', 'alpha'))) {
@@ -625,7 +625,7 @@ if ($action == 'addsite') {
 }
 
 // Add page/container
-if ($action == 'addcontainer') {
+if ($action == 'addcontainer' && $usercanedit) {
 	dol_mkdir($pathofwebsite);
 
 	$db->begin();
@@ -1148,7 +1148,7 @@ if ($action == 'addcontainer') {
 }
 
 // Delete site
-if ($action == 'confirm_deletesite' && $confirm == 'yes') {
+if ($action == 'confirm_deletesite' && $confirm == 'yes' && $permissiontodelete) {
 	$error = 0;
 
 	$db->begin();
@@ -1276,7 +1276,7 @@ if (!GETPOSTISSET('pageid')) {
 }
 
 // Update css Update site properties
-if ($action == 'updatecss') {
+if ($action == 'updatecss' && $usercanedit) {
 	// If we tried to reload another site/page, we stay on editcss mode.
 	if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x') || GETPOST('refreshpage') || GETPOST('refreshpage_x') || GETPOST('refreshpage.x')) {
 		$action = 'editcss';
@@ -1523,7 +1523,7 @@ if ($action == 'updatecss') {
 }
 
 // Update page
-if ($action == 'setashome') {
+if ($action == 'setashome' && $usercanedit) {
 	$db->begin();
 	$object->fetch(0, $websitekey);
 	$website = $object;
@@ -1556,7 +1556,7 @@ if ($action == 'setashome') {
 }
 
 // Update page properties (meta)
-if ($action == 'updatemeta') {
+if ($action == 'updatemeta' && $usercanedit) {
 	$db->begin();
 
 	$result = $object->fetch(0, $websitekey);
@@ -1778,8 +1778,8 @@ if ($action == 'updatemeta') {
 }
 
 // Update page
-if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
-	|| ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview')))) {
+if ($usercanedit && (($action == 'updatesource' || $action == 'updatecontent' || $action == 'confirm_createfromclone' || $action == 'confirm_createpagefromclone')
+	|| ($action == 'preview' && (GETPOST('refreshsite') || GETPOST('refreshpage') || GETPOST('preview'))))) {
 	$object->fetch(0, $websitekey);
 	$website = $object;
 
@@ -2041,7 +2041,7 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
 }
 
 // Export site
-if ($action == 'exportsite') {
+if ($action == 'exportsite' && !empty($user->rights->website->export)) {
 	$fileofzip = $object->exportWebSite();
 
 	if ($fileofzip) {
@@ -2060,7 +2060,7 @@ if ($action == 'exportsite') {
 }
 
 // Regenerate site
-if ($action == 'regeneratesite') {
+if ($action == 'regeneratesite' && $usercanedit) {
 	// Check symlink to medias and restore it if ko. Recreate also dir of website if not found.
 	$pathtomedias = DOL_DATA_ROOT.'/medias';
 	$pathtomediasinwebsite = $pathofwebsite.'/medias';
@@ -2085,7 +2085,7 @@ if ($action == 'regeneratesite') {
 }
 
 // Import site
-if ($action == 'importsiteconfirm') {
+if ($action == 'importsiteconfirm' && $usercanedit) {
 	if (empty($_FILES) && !GETPOSTISSET('templateuserfile')) {
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("File")), null, 'errors');
 		$action = 'importsite';
@@ -2162,7 +2162,7 @@ $domainname = '0.0.0.0:8080';
 $tempdir = $conf->website->dir_output.'/'.$websitekey.'/';
 
 // Generate web site sitemaps
-if ($action == 'generatesitemaps') {
+if ($action == 'generatesitemaps' && $usercanedit) {
 	$domtree = new DOMDocument('1.0', 'UTF-8');
 	$root = $domtree->createElementNS('http://www.sitemaps.org/schemas/sitemap/0.9', 'urlset');
 	$domtree->formatOutput = true;
@@ -2331,6 +2331,10 @@ if (!GETPOST('hide_websitemenu')) {
 	if (empty($user->rights->website->write)) {
 		$disabled = ' disabled="disabled"';
 	}
+	$disabledexport = '';
+	if (empty($user->rights->website->export)) {
+		$disabledexport = ' disabled="disabled"';
+	}
 
 	if ($websitekey) {
 		$virtualurl = '';
@@ -2446,7 +2450,7 @@ if (!GETPOST('hide_websitemenu')) {
 			}
 
 			//print '<input type="submit" class="button"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("EditMenu")).'" name="editmenu">';
-			print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($exportlabel).'" name="exportsite">';
+			print '<input type="submit" class="button bordertransp"'.$disabledexport.' value="'.dol_escape_htmltag($exportlabel).'" name="exportsite">';
 
 			print '<input type="submit" class="button bordertransp"'.$disabled.' value="'.dol_escape_htmltag($langs->trans("CloneSite")).'" name="createfromclone">';