From 220d16237675f8f1536740b277575035e3e9cbb0 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 30 Aug 2005 21:07:53 +0000
Subject: [PATCH] =?UTF-8?q?Secu:=20Prot=E8ge=20chaque=20=E9l=E9ment=20du?=
 =?UTF-8?q?=20tableau=20de=20bord=20de=20travail=20pour=20restreindre=20vi?=
 =?UTF-8?q?su=20des=20utilisateurs=20externes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/actioncomm.class.php                |  8 +++---
 htdocs/adherents/adherent.class.php        |  6 +++--
 htdocs/commande/commande.class.php         |  9 ++++---
 htdocs/compta/bank/account.class.php       |  5 +++-
 htdocs/contrat/contrat.class.php           |  5 ++--
 htdocs/facture.class.php                   |  5 ++--
 htdocs/fourn/fournisseur.facture.class.php |  5 ++--
 htdocs/index.php                           | 30 +++++++++++-----------
 htdocs/propal.class.php                    | 18 +++++++------
 9 files changed, 52 insertions(+), 39 deletions(-)

diff --git a/htdocs/actioncomm.class.php b/htdocs/actioncomm.class.php
index c3476d25a03..98fcf7e5ad5 100644
--- a/htdocs/actioncomm.class.php
+++ b/htdocs/actioncomm.class.php
@@ -225,10 +225,11 @@ class ActionComm
     
     
     /**
-     *    \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
-     *    \return     int     <0 si ko, >0 si ok
+     *      \brief        Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param        user    Objet user
+     *      \return       int     <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
@@ -236,6 +237,7 @@ class ActionComm
         $sql = "SELECT a.id,".$this->db->pdate("a.datea")." as da";
         $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a";
         $sql.= " WHERE a.percent < 100";
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
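Review bot: The new filter concatenates `$user->societe_id` straight into the SQL string without normalising it to an integer, so the query's safety rests entirely on the User object only ever holding a numeric id. Casting keeps the intent and removes that dependency: `if ($user->societe_id) $sql.=" AND fk_soc = ".(int) $user->societe_id;`. The same unqualified, uncast concatenation is added in commande.class.php, contrat.class.php, facture.class.php, fournisseur.facture.class.php and propal.class.php in this patch and should be treated the same way. The body of load_board continues past the end of this hunk, so the result handling that follows was not reviewed here.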
diff --git a/htdocs/adherents/adherent.class.php b/htdocs/adherents/adherent.class.php
index a66787600bf..452603bc1d9 100644
--- a/htdocs/adherents/adherent.class.php
+++ b/htdocs/adherents/adherent.class.php
@@ -21,7 +21,6 @@
  *
  * $Id$
  * $Source$
- *
  */
 
 /**
@@ -1326,12 +1325,15 @@ class Adherent
     
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param      user        Objet user
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
+        if ($user->societe_id) return -1;   // protection pour eviter appel par utilisateur externe
+
         $this->nbtodo=$this->nbtodolate=0;
         $sql = "SELECT a.rowid,".$this->db->pdate("a.datefin")." as datefin";
         $sql.= " FROM ".MAIN_DB_PREFIX."adherent as a";
diff --git a/htdocs/commande/commande.class.php b/htdocs/commande/commande.class.php
index 543544dfee3..c958ebb480c 100644
--- a/htdocs/commande/commande.class.php
+++ b/htdocs/commande/commande.class.php
@@ -18,7 +18,6 @@
  *
  * $Id$
  * $Source$
- *
  */
 
 /**
@@ -850,10 +849,11 @@ class Commande
 
     
     /**
-     *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
-     *      \return     int     <0 si ko, >0 si ok
+     *      \brief          Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param          user    Objet user
+     *      \return         int     <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
@@ -861,6 +861,7 @@ class Commande
         $sql = "SELECT c.rowid,".$this->db->pdate("c.date_creation")." as datec";
         $sql.= " FROM ".MAIN_DB_PREFIX."commande as c";
         $sql.= " WHERE c.fk_statut BETWEEN 1 AND 2";
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
diff --git a/htdocs/compta/bank/account.class.php b/htdocs/compta/bank/account.class.php
index ae0de1da08e..839ace4a4b4 100644
--- a/htdocs/compta/bank/account.class.php
+++ b/htdocs/compta/bank/account.class.php
@@ -471,12 +471,15 @@ class Account
 
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param      user        Objet user
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
+        if ($user->societe_id) return -1;   // protection pour eviter appel par utilisateur externe
+
         $this->nbtodo=$this->nbtodolate=0;
         $sql = "SELECT b.rowid,".$this->db->pdate("b.datev")." as datefin";
         $sql.= " FROM ".MAIN_DB_PREFIX."bank as b";
diff --git a/htdocs/contrat/contrat.class.php b/htdocs/contrat/contrat.class.php
index 284fb176eb0..41c6132e4f1 100644
--- a/htdocs/contrat/contrat.class.php
+++ b/htdocs/contrat/contrat.class.php
@@ -18,7 +18,6 @@
  *
  * $Id$
  * $Source$
- *
  */
 
 /**
@@ -646,10 +645,11 @@ class Contrat
 
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param      user        Objet user
      *      \param      mode        "inactive" pour services � activer, "expired" pour services expir�s
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board($mode)
+    function load_board($user,$mode)
     {
         global $conf;
         
@@ -669,6 +669,7 @@ class Contrat
             $sql.= " AND cd.statut = 4";
             $sql.= " AND cd.date_fin_validite < '".$this->db->idate(time())."'";
         }
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
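Review bot: The added `fk_soc` condition is the only unqualified column in a WHERE clause whose visible predicates are alias-qualified (`cd.statut`, `cd.date_fin_validite`), and the query evidently joins more than one table. If more than one joined table carries a `fk_soc` column the statement fails with an ambiguous-column error for external users only, which would not show up when testing as an internal user. The FROM clause is outside this hunk, so I cannot tell which alias is correct; the line should read `" AND <alias>.fk_soc = "` with the alias of the table that owns the company reference. The enclosing function starts and ends outside this hunk.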
diff --git a/htdocs/facture.class.php b/htdocs/facture.class.php
index 46ad33fa9e1..1d0fd8c2a97 100644
--- a/htdocs/facture.class.php
+++ b/htdocs/facture.class.php
@@ -20,7 +20,6 @@
  *
  * $Id$
  * $Source$
- *
  */
 
 /**
@@ -1604,9 +1603,10 @@ class Facture
 
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param      user        Objet user
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
@@ -1614,6 +1614,7 @@ class Facture
         $sql = "SELECT f.rowid,".$this->db->pdate("f.date_lim_reglement")." as datefin";
         $sql.= " FROM ".MAIN_DB_PREFIX."facture as f";
         $sql.= " WHERE f.paye=0 AND f.fk_statut = 1";
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
diff --git a/htdocs/fourn/fournisseur.facture.class.php b/htdocs/fourn/fournisseur.facture.class.php
index 1df9b39f0d2..a68bf28f3e1 100644
--- a/htdocs/fourn/fournisseur.facture.class.php
+++ b/htdocs/fourn/fournisseur.facture.class.php
@@ -19,7 +19,6 @@
  *
  * $Id$
  * $Source$
- *
  */
 
 /**	
@@ -509,9 +508,10 @@ class FactureFournisseur
 
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
+     *      \param      user        Objet user
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board()
+    function load_board($user)
     {
         global $conf;
         
@@ -519,6 +519,7 @@ class FactureFournisseur
         $sql = "SELECT ff.rowid,".$this->db->pdate("ff.date_lim_reglement")." as datefin";
         $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn as ff";
         $sql.= " WHERE ff.paye=0";
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
diff --git a/htdocs/index.php b/htdocs/index.php
index 7de0ff7804a..3e6a93c39e3 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -108,7 +108,7 @@ if ($user->societe_id == 0)
                       $conf->produit->enabled && $user->rights->produit->lire,
                       $conf->service->enabled && $user->rights->produit->lire,
                       $conf->telephonie->enabled && $user->rights->telephonie->ligne->lire_restreint);
-    // Fichiers des classes qui contiennent la methode load_state_board pour chaque ligne
+    // Fichier des classes qui contiennent la methode load_state_board pour chaque ligne
     $includes=array(DOL_DOCUMENT_ROOT."/client.class.php",
                     DOL_DOCUMENT_ROOT."/client.class.php",
                     DOL_DOCUMENT_ROOT."/fourn/fournisseur.class.php",
@@ -124,7 +124,7 @@ if ($user->societe_id == 0)
                    'Product',
                    'Service',
                    'LigneTel');
-    // Cl� du tableau retourn� par la methode laod_state_bord pour chaque ligne
+    // Cl� de tableau retourn� par la methode load_state_bord pour chaque ligne
     $keys=array('customers',
                 'prospects',
                 'suppliers',
@@ -148,7 +148,7 @@ if ($user->societe_id == 0)
                   $langs->trans("Products"),
                   $langs->trans("Services"),
                   $langs->trans("Lignes de t�l�phonie suivis"));
-    // Liens des lignes du tableau de bord
+    // Lien des lignes du tableau de bord
     $links=array(DOL_URL_ROOT.'/comm/clients.php',
                  DOL_URL_ROOT.'/comm/prospect/prospects.php',
                  DOL_URL_ROOT.'/fourn/liste.php',
@@ -205,7 +205,7 @@ if ($conf->commercial->enabled || $conf->compta->enabled)
 {
     include_once("./actioncomm.class.php");
     $board=new ActionComm($db);
-    $board->load_board();
+    $board->load_board($user);
     $board->warning_delay=$conf->actions->warning_delay/60/60/24;
     $board->label=$langs->trans("ActionsToDo");
 
@@ -230,7 +230,7 @@ if ($conf->commande->enabled && $user->rights->commande->lire)
 {
     include_once(DOL_DOCUMENT_ROOT."/commande/commande.class.php");
     $board=new Commande($db);
-    $board->load_board();
+    $board->load_board($user);
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Orders"),"order").'</td><td>'.$langs->trans("OrdersToProcess").'</td>';
@@ -253,7 +253,7 @@ if ($conf->propal->enabled && $user->rights->propale->lire)
 {
     include_once(DOL_DOCUMENT_ROOT."/propal.class.php");
     $board=new Propal($db);
-    $board->load_board("opened");
+    $board->load_board($user,"opened");
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Propals"),"propal").'</td><td>'.$langs->trans("PropalsToClose").'</td>';
@@ -276,7 +276,7 @@ if ($conf->propal->enabled && $user->rights->propale->lire)
 {
     include_once(DOL_DOCUMENT_ROOT."/propal.class.php");
     $board=new Propal($db);
-    $board->load_board("signed");
+    $board->load_board($user,"signed");
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Propals"),"propal").'</td><td>'.$langs->trans("PropalsToBill").'</td>';
@@ -301,7 +301,7 @@ if ($conf->contrat->enabled && $user->rights->contrat->lire)
     
     include_once(DOL_DOCUMENT_ROOT."/contrat/contrat.class.php");
     $board=new Contrat($db);
-    $board->load_board("inactives");
+    $board->load_board($user,"inactives");
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Contract"),"contract").'</td><td>'.$langs->trans("BoardNotActivatedServices").'</td>';
@@ -326,7 +326,7 @@ if ($conf->contrat->enabled && $user->rights->contrat->lire)
 
     include_once(DOL_DOCUMENT_ROOT."/contrat/contrat.class.php");
     $board=new Contrat($db);
-    $board->load_board("expired");
+    $board->load_board($user,"expired");
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Contract"),"contract").'</td><td>'.$langs->trans("BoardRunningServices").'</td>';
@@ -351,7 +351,7 @@ if ($conf->fournisseur->enabled && $conf->facture->enabled && $user->rights->fac
     
     include_once("./fourn/fournisseur.facture.class.php");
     $board=new FactureFournisseur($db);
-    $board->load_board();
+    $board->load_board($user);
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Bills"),"bill").'</td><td>'.$langs->trans("SupplierBillsToPay").'</td>';
@@ -374,7 +374,7 @@ if ($conf->facture->enabled && $user->rights->facture->lire)
 {
     include_once(DOL_DOCUMENT_ROOT."/facture.class.php");
     $board=new Facture($db);
-    $board->load_board();
+    $board->load_board($user);
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Bills"),"bill").'</td><td>'.$langs->trans("CustomerBillsUnpayed").'</td>';
@@ -393,13 +393,13 @@ if ($conf->facture->enabled && $user->rights->facture->lire)
 }
 
 // Nbre ecritures � rapprocher
-if ($conf->banque->enabled && $user->rights->banque->lire)
+if ($conf->banque->enabled && $user->rights->banque->lire && ! $user->societe_id)
 {
     $langs->load("banks");
 
     include_once(DOL_DOCUMENT_ROOT."/compta/bank/account.class.php");
     $board=new Account($db);
-    $board->load_board();
+    $board->load_board($user);
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("TransactionsToConciliate"),"payment").'</td><td>'.$langs->trans("TransactionsToConciliate").'</td>';
@@ -418,13 +418,13 @@ if ($conf->banque->enabled && $user->rights->banque->lire)
 }
 
 // Nbre adh�rent valides (attente cotisation)
-if ($conf->adherent->enabled && $user->rights->adherent->lire)
+if ($conf->adherent->enabled && $user->rights->adherent->lire && ! $user->societe_id)
 {
     $langs->load("members");
 
     include_once(DOL_DOCUMENT_ROOT."/adherents/adherent.class.php");
     $board=new Adherent($db);
-    $board->load_board();
+    $board->load_board($user);
 
     $var=!$var;
     print '<tr '.$bc[$var].'><td width="16">'.img_object($langs->trans("Members"),"user").'</td><td>'.$langs->trans("Members").'</td>';
diff --git a/htdocs/propal.class.php b/htdocs/propal.class.php
index 83a98d55488..9283a7f4223 100644
--- a/htdocs/propal.class.php
+++ b/htdocs/propal.class.php
@@ -68,7 +68,7 @@ class Propal
 
     /** 
      *		\brief      Constructeur
-     *      \param      DB      Handler d'acc�s base
+     *      \param      DB      Handler d'acc�s base
      */
     function Propal($DB, $soc_idp="", $propalid=0)
     {
@@ -1000,7 +1000,7 @@ class Propal
       }
     else
       {
-            $this->error=$this->db->error();
+            $this->error=$this->db->error();
 	return -1;
       }
   }
@@ -1084,18 +1084,20 @@ class Propal
 
     /**
      *      \brief      Charge indicateurs this->nbtodo et this->nbtodolate de tableau de bord
-     *      \param      mode        opened pour propal � fermer, signed pour propale � facturer
+     *      \param      user        Objet user
+     *      \param      mode        "opened" pour propal � fermer, "signed" pour propale � facturer
      *      \return     int         <0 si ko, >0 si ok
      */
-    function load_board($mode)
+    function load_board($user,$mode)
     {
         global $conf;
         
         $this->nbtodo=$this->nbtodolate=0;
-        $sql = "SELECT p.rowid,".$this->db->pdate("p.datec")." as datec,".$this->db->pdate("p.fin_validite")." as datefin";
-        $sql.= " FROM ".MAIN_DB_PREFIX."propal as p";
-        if ($mode == 'opened') $sql.= " WHERE p.fk_statut = 1";
-        if ($mode == 'signed') $sql.= " WHERE p.fk_statut = 2";
+        $sql ="SELECT p.rowid,".$this->db->pdate("p.datec")." as datec,".$this->db->pdate("p.fin_validite")." as datefin";
+        $sql.=" FROM ".MAIN_DB_PREFIX."propal as p";
+        if ($mode == 'opened') $sql.=" WHERE p.fk_statut = 1";
+        if ($mode == 'signed') $sql.=" WHERE p.fk_statut = 2";
+        if ($user->societe_id) $sql.=" AND fk_soc = ".$user->societe_id;
         $resql=$this->db->query($sql);
         if ($resql)
         {
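Review bot: For a `$mode` that is neither `'opened'` nor `'signed'` the new line appends `AND fk_soc = …` to a statement that has no WHERE clause, producing `FROM …propal as p AND fk_soc = …`, which is invalid SQL; before this patch the same input merely ran an unfiltered query. Rejecting an unknown mode up front closes that path and matches the documented `<0 si ko` contract: `if ($mode != 'opened' && $mode != 'signed') return -1;` placed before the SQL is built. The callers in index.php only pass the two documented values, so this is a robustness check rather than a live bug today. The function body continues beyond this hunk.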
-- 
GitLab