Fix: best compatibility with multicompany and others security issue

25686e82 · Regis Houssin · 215b24df · 25686e82 · 25686e82 · 25686e82
Commit 25686e82 authored 9 years ago by Regis Houssin
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
 <?php
-/* Copyright (C) 2011	   Dimitri Mouillard	<dmouillard@teclib.com>
+/* Copyright (C) 2011		Dimitri Mouillard	<dmouillard@teclib.com>
- * Copyright (C) 2012-2015 Laurent Destailleur	<eldy@users.sourceforge.net>
+ * Copyright (C) 2012-2015	Laurent Destailleur	<eldy@users.sourceforge.net>
- * Copyright (C) 2012	   Regis Houssin		<regis.houssin@capnetworks.com>
+ * Copyright (C) 2012-2016	Regis Houssin		<regis.houssin@capnetworks.com>
- * Copyright (C) 2013	   Juanjo Menent		<jmenent@2byte.es>
+ * Copyright (C) 2013		Juanjo Menent		<jmenent@2byte.es>
- * Copyright (C) 2014	   Ferran Marcet		<fmarcet@2byte.es>
+ * Copyright (C) 2014		Ferran Marcet		<fmarcet@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -91,23 +91,23 @@ if ($action == 'create')
 	        $error++;
 	        $action='create';
 	    }
 	    // If no start date
 	    if (empty($date_debut))
 	    {
-	        header('Location: card.php?action=request&error=nodatedebut');
+	        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=nodatedebut');
 	        exit;
 	    }
 	    // If no end date
 	    if (empty($date_fin))
 	    {
-	        header('Location: card.php?action=request&error=nodatefin');
+	        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=nodatefin');
 	        exit;
 	    }
 	    // If start date after end date
 	    if ($date_debut > $date_fin)
 	    {
-	        header('Location: card.php?action=request&error=datefin');
+	        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=datefin');
 	        exit;
 	    }
@@ -115,15 +115,15 @@ if ($action == 'create')
 	    $verifCP = $cp->verifDateHolidayCP($userID, $date_debut, $date_fin, $halfday);
 	    if (! $verifCP)
 	    {
-	        header('Location: card.php?action=request&error=alreadyCP');
+	        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=alreadyCP');
 	        exit;
 	    }
-	    // If there is no Business Days within request 
+	    // If there is no Business Days within request
 	    $nbopenedday=num_open_day($date_debut_gmt, $date_fin_gmt, 0, 1, $halfday);
 	    if($nbopenedday < 0.5)
 	    {
-	        header('Location: card.php?action=request&error=DureeHoliday');
+	        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=DureeHoliday');
 	        exit;
 	    }
@@ -137,7 +137,7 @@ if ($action == 'create')
 	    $result = 0;
 	    $result = 0;
 	    if (! $error)
 	    {
    	    $cp->fk_user = $userid;
@@ -147,16 +147,16 @@ if ($action == 'create')
    	    $cp->fk_validator = $valideur;
    		$cp->halfday = $halfday;
    		$cp->fk_type = $type;
    		$result = $cp->create($user);
 	    }
 	    // If no SQL error we redirect to the request card
 	    if (! $error && $result > 0)
 	    {
 			$db->commit();
-	    	header('Location: card.php?id='.$result);
+	    	header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
 	        exit;
 	    }
 	    else
@@ -179,15 +179,15 @@ if ($action == 'update')
 	else if ($starthalfday == 'afternoon') $halfday=-1;
 	else if ($endhalfday == 'morning') $halfday=1;
-    // If no right to modify a request 
+    // If no right to modify a request
    if (! $user->rights->holiday->write)
    {
-        header('Location: card.php?action=request&error=CantUpdate');
+        header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=CantUpdate');
        exit;
    }
    $cp = new Holiday($db);
-    $cp->fetch($_POST['holiday_id']);
+    $cp->fetch($id);
 	$canedit=(($user->id == $cp->fk_user && $user->rights->holiday->write) || ($user->id != $cp->fk_user && $user->rights->holiday->write_all));
@@ -202,25 +202,25 @@ if ($action == 'update')
            // If no start date
            if (empty($_POST['date_debut_'])) {
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=nodatedebut');
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=nodatedebut');
                exit;
            }
            // If no end date
            if (empty($_POST['date_fin_'])) {
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=nodatefin');
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=nodatefin');
                exit;
            }
            // If start date after end date
            if ($date_debut > $date_fin) {
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=datefin');
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=datefin');
                exit;
            }
            // If no validator designated
            if ($valideur < 1) {
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=Valideur');
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=Valideur');
                exit;
            }
@@ -228,7 +228,7 @@ if ($action == 'update')
            $nbopenedday=num_open_day($date_debut_gmt, $date_fin_gmt, 0, 1, $halfday);
            if ($nbopenedday < 0.5)
            {
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=DureeHoliday');
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=DureeHoliday');
                exit;
            }
@@ -242,18 +242,18 @@ if ($action == 'update')
 			$verif = $cp->update($user->id);
            if ($verif > 0)
            {
-                header('Location: card.php?id='.$_POST['holiday_id']);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                exit;
            }
            else
           {
                // Otherwise we display the request form with the SQL error message
-                header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=SQL_Create&msg='.$cp->error);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=SQL_Create&msg='.$cp->error);
                exit;
            }
        }
    } else {
-        header('Location: card.php?id='.$_POST['holiday_id']);
+        header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
        exit;
    }
 }
@@ -276,7 +276,7 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights-
 		// Si l'utilisateur à le droit de lire cette demande, il peut la supprimer
 		if ($canedit)
 		{
-			$result=$cp->delete($id);
+			$result=$cp->delete($cp->id);
 		}
 		else
 		{
@@ -303,7 +303,7 @@ if ($action == 'confirm_send')
    $cp->fetch($id);
    $canedit=(($user->id == $cp->fk_user && $user->rights->holiday->write) || ($user->id != $cp->fk_user && $user->rights->holiday->write_all));
    // Si brouillon et créateur
    if($cp->statut == 1 && $canedit)
    {
@@ -321,7 +321,7 @@ if ($action == 'confirm_send')
            if (!$emailTo)
            {
-                header('Location: card.php?id='.$_GET['id']);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                exit;
            }
@@ -370,7 +370,7 @@ if ($action == 'confirm_send')
            $message.= "\n";
            $message.= "- ".$langs->transnoentitiesnoconv("Name")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n";
            $message.= "- ".$langs->transnoentitiesnoconv("Period")." : ".dol_print_date($cp->date_debut,'day')." ".$langs->transnoentitiesnoconv("To")." ".dol_print_date($cp->date_fin,'day')."\n";
-            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n";
+            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n";
            $message.= "\n";
            $mail = new CMailFile($subject,$emailTo,$emailFrom,$message);
@@ -380,16 +380,16 @@ if ($action == 'confirm_send')
            if (!$result)
            {
-                header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error);
                exit;
            }
-            header('Location: card.php?id='.$_GET['id']);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
            exit;
        }
        else
        {
            // Sinon on affiche le formulaire de demande avec le message d'erreur SQL
-            header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error);
            exit;
        }
    }
@@ -433,7 +433,7 @@ if ($action == 'confirm_valid')
            if (!$emailTo)
            {
-                header('Location: card.php?id='.$_GET['id']);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                exit;
            }
@@ -455,7 +455,7 @@ if ($action == 'confirm_valid')
            $message.= "- ".$langs->transnoentitiesnoconv("ValidatedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n";
-            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n";
+            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n";
            $message.= "\n";
            $mail = new CMailFile($subject,$emailTo,$emailFrom,$message);
@@ -464,15 +464,15 @@ if ($action == 'confirm_valid')
            $result=$mail->sendfile();
            if(!$result) {
-                header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error);
                exit;
            }
-            header('Location: card.php?id='.$_GET['id']);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
            exit;
        } else {
            // Sinon on affiche le formulaire de demande avec le message d'erreur SQL
-            header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error);
            exit;
        }
@@ -485,7 +485,7 @@ if ($action == 'confirm_refuse')
    if (! empty($_POST['detail_refuse']))
    {
        $cp = new Holiday($db);
-        $cp->fetch($_GET['id']);
+        $cp->fetch($id);
        // Si statut en attente de validation et valideur = utilisateur
        if ($cp->statut == 2 && $user->id == $cp->fk_validator)
@@ -507,7 +507,7 @@ if ($action == 'confirm_refuse')
                if (!$emailTo)
                {
-                    header('Location: card.php?id='.$_GET['id']);
+                    header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                    exit;
                }
@@ -530,7 +530,7 @@ if ($action == 'confirm_refuse')
 	            $message.= "- ".$langs->transnoentitiesnoconv("ModifiedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n";
-	            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n";
+	            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n";
                $message.= "\n";
                $mail = new CMailFile($subject,$emailTo,$emailFrom,$message);
@@ -539,22 +539,22 @@ if ($action == 'confirm_refuse')
                $result=$mail->sendfile();
                if(!$result) {
-                    header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error);
+                    header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error);
                    exit;
                }
-                header('Location: card.php?id='.$_GET['id']);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                exit;
            } else {
                // Sinon on affiche le formulaire de demande avec le message d'erreur SQL
-                header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error);
                exit;
            }
        }
    } else {
-        header('Location: card.php?id='.$_GET['id'].'&error=NoMotifRefuse');
+        header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=NoMotifRefuse');
        exit;
    }
 }
@@ -563,7 +563,7 @@ if ($action == 'confirm_refuse')
 if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
 {
    $cp = new Holiday($db);
-    $cp->fetch($_GET['id']);
+    $cp->fetch($id);
    // Si statut en attente de validation et valideur = utilisateur
    if (($cp->statut == 2 || $cp->statut == 3) && ($user->id == $cp->fk_validator || $user->id == $cp->fk_user))
@@ -616,7 +616,7 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
            if (!$emailTo)
            {
-                header('Location: card.php?id='.$_GET['id']);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
                exit;
            }
@@ -638,7 +638,7 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
            $message.= $langs->transnoentities("HolidaysCanceledBody", dol_print_date($cp->date_debut,'day'), dol_print_date($cp->date_fin,'day'))."\n";
            $message.= "- ".$langs->transnoentitiesnoconv("ModifiedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n";
-            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n";
+            $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n";
            $message.= "\n";
            $mail = new CMailFile($subject,$emailTo,$emailFrom,$message);
@@ -648,17 +648,17 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
            if(!$result)
            {
-                header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error);
+                header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error);
                exit;
            }
-            header('Location: card.php?id='.$_GET['id']);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id);
            exit;
        }
        else
        {
            // Sinon on affiche le formulaire de demande avec le message d'erreur SQL
-            header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error);
+            header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error);
            exit;
        }
@@ -852,13 +852,8 @@ if (empty($id) || $action == 'add' || $action == 'request' || $action == 'create
        // Approved by
        print '<tr>';
        print '<td class="fieldrequired">'.$langs->trans("ReviewedByCP").'</td>';
-        $validator = new UserGroup($db);
-        $excludefilter=$user->admin?'':'u.rowid <> '.$user->id;
-        $valideurobjects = $validator->listUsersForGroup($excludefilter);
-        $valideurarray = array();
-        foreach($valideurobjects as $val) $valideurarray[$val->id]=$val->id;
        print '<td>';
-        print $form->select_dolusers((GETPOST('valideur')>0?GETPOST('valideur'):$user->fk_user), "valideur", 1, "", 0, $valideurarray, 0, 0, 0, 0, '', 0, '', '', 1);	// By default, hierarchical parent
+        print $form->select_dolusers((GETPOST('valideur')>0?GETPOST('valideur'):$user->fk_user), "valideur", 1, ($user->admin ? '' : array($user->id)), 0, '', 0, 0, 0, 0, '', 0, '', '', 1);	// By default, hierarchical parent
        print '</td>';
        print '</tr>';
@@ -952,35 +947,35 @@ else
            {
                if ($action == 'delete')
                {
-                    if($user->rights->holiday->delete)
+                    if ($user->rights->holiday->delete)
                    {
-                        print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleDeleteCP"),$langs->trans("ConfirmDeleteCP"),"confirm_delete", '', 0, 1);
+                        print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleDeleteCP"),$langs->trans("ConfirmDeleteCP"),"confirm_delete", '', 0, 1);
                    }
                }
                // Si envoi en validation
                if ($action == 'sendToValidate' && $cp->statut == 1)
                {
-                    print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleToValidCP"),$langs->trans("ConfirmToValidCP"),"confirm_send", '', 1, 1);
+                    print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleToValidCP"),$langs->trans("ConfirmToValidCP"),"confirm_send", '', 1, 1);
                }
                // Si validation de la demande
                if ($action == 'valid')
                {
-                    print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleValidCP"),$langs->trans("ConfirmValidCP"),"confirm_valid", '', 1, 1);
+                    print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleValidCP"),$langs->trans("ConfirmValidCP"),"confirm_valid", '', 1, 1);
                }
                // Si refus de la demande
                if ($action == 'refuse')
                {
                    $array_input = array(array('type'=>"text",'label'=> $langs->trans('DetailRefusCP'),'name'=>"detail_refuse",'size'=>"50",'value'=>""));
-                    print $form->formconfirm("card.php?id=".$id."&action=confirm_refuse", $langs->trans("TitleRefuseCP"), $langs->trans('ConfirmRefuseCP'), "confirm_refuse", $array_input, 1, 0);
+                    print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id."&action=confirm_refuse", $langs->trans("TitleRefuseCP"), $langs->trans('ConfirmRefuseCP'), "confirm_refuse", $array_input, 1, 0);
                }
                // Si annulation de la demande
                if ($action == 'cancel')
                {
-                    print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleCancelCP"),$langs->trans("ConfirmCancelCP"),"confirm_cancel", '', 1, 1);
+                    print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleCancelCP"),$langs->trans("ConfirmCancelCP"),"confirm_cancel", '', 1, 1);
                }
                $head=holiday_prepare_head($cp);
@@ -989,13 +984,13 @@ else
                if ($action == 'edit' && $cp->statut == 1)
                {
                    $edit = true;
-                    print '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$id.'">'."\n";
+                    print '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$cp->id.'">'."\n";
                    print '<input type="hidden" name="action" value="update"/>'."\n";
-                    print '<input type="hidden" name="holiday_id" value="'.$id.'" />'."\n";
+                    print '<input type="hidden" name="id" value="'.$cp->id.'" />'."\n";
                }
                dol_fiche_head($head,'card',$langs->trans("CPTitreMenu"),0,'holiday');
                print '<table class="border" width="100%">';
                print '<tbody>';
@@ -1132,15 +1127,8 @@ else
                } else {
                    print '<tr>';
                    print '<td width="50%">'.$langs->trans('ReviewedByCP').'</td>';
-			        $validator = new UserGroup($db);
-			        $excludefilter=$user->admin?'':'u.rowid <> '.$user->id;
-			        $valideurobjects = $validator->listUsersForGroup($excludefilter);
-			        $valideurarray = array();
-			        foreach($valideurobjects as $val) $valideurarray[$val->id]=$val->id;
                    print '<td>';
-        			print $form->select_dolusers($user->fk_user, "valideur", 1, "", 0, $valideurarray);	// By default, hierarchical parent
+        			print $form->select_dolusers($cp->fk_user, "valideur", 1, ($user->admin ? '' : array($user->id)));	// By default, hierarchical parent
                    print '</td>';
                    print '</tr>';
                }
@@ -1149,19 +1137,19 @@ else
                print '<td>'.$langs->trans('DateCreateCP').'</td>';
                print '<td>'.dol_print_date($cp->date_create,'dayhour').'</td>';
                print '</tr>';
-                if($cp->statut == 3) {
+                if ($cp->statut == 3) {
                    print '<tr>';
                    print '<td>'.$langs->trans('DateValidCP').'</td>';
                    print '<td>'.dol_print_date($cp->date_valid,'dayhour').'</td>';
                    print '</tr>';
                }
-                if($cp->statut == 4) {
+                if ($cp->statut == 4) {
                    print '<tr>';
                    print '<td>'.$langs->trans('DateCancelCP').'</td>';
                    print '<td>'.dol_print_date($cp->date_cancel,'dayhour').'</td>';
                    print '</tr>';
                }
-                if($cp->statut == 5) {
+                if ($cp->statut == 5) {
                    print '<tr>';
                    print '<td>'.$langs->trans('DateRefusCP').'</td>';
                    print '<td>'.dol_print_date($cp->date_refuse,'dayhour').'</td>';
@@ -1171,7 +1159,7 @@ else
                print '</table>';
                dol_fiche_end();
                if ($action == 'edit' && $cp->statut == 1)
                {
                    print '<div align="center">';
@@ -1192,26 +1180,26 @@ else
                    // Boutons d'actions
                    if ($canedit && $cp->statut == 1)
                    {
-                        print '<a href="card.php?id='.$_GET['id'].'&action=edit" class="butAction">'.$langs->trans("EditCP").'</a>';
+                        print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit" class="butAction">'.$langs->trans("EditCP").'</a>';
                    }
                    if ($canedit && $cp->statut == 1)
                    {
-                        print '<a href="card.php?id='.$_GET['id'].'&action=sendToValidate" class="butAction">'.$langs->trans("Validate").'</a>';
+                        print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=sendToValidate" class="butAction">'.$langs->trans("Validate").'</a>';
                    }
                    if ($user->rights->holiday->delete && $cp->statut == 1)	// If draft
                    {
-                    	print '<a href="card.php?id='.$_GET['id'].'&action=delete" class="butActionDelete">'.$langs->trans("DeleteCP").'</a>';
+                    	print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=delete" class="butActionDelete">'.$langs->trans("DeleteCP").'</a>';
                    }
                    if ($user->id == $cp->fk_validator && $cp->statut == 2)
                    {
-                        print '<a href="card.php?id='.$_GET['id'].'&action=valid" class="butAction">'.$langs->trans("Approve").'</a>';
+                        print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=valid" class="butAction">'.$langs->trans("Approve").'</a>';
-                        print '<a href="card.php?id='.$_GET['id'].'&action=refuse" class="butAction">'.$langs->trans("ActionRefuseCP").'</a>';
+                        print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=refuse" class="butAction">'.$langs->trans("ActionRefuseCP").'</a>';
                    }
                    if (($user->id == $cp->fk_validator || $user->id == $cp->fk_user) && ($cp->statut == 2 || $cp->statut == 3))	// Status validated or approved
                    {
-                    	if (($cp->date_debut > dol_now()) || $user->admin) print '<a href="card.php?id='.$_GET['id'].'&action=cancel" class="butAction">'.$langs->trans("ActionCancelCP").'</a>';
+                    	if (($cp->date_debut > dol_now()) || $user->admin) print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=cancel" class="butAction">'.$langs->trans("ActionCancelCP").'</a>';
                    	else print '<a href="#" class="butActionRefused" title="'.$langs->trans("HolidayStarted").'">'.$langs->trans("ActionCancelCP").'</a>';
                    }

--- a/htdocs/holiday/class/holiday.class.php
+++ b/htdocs/holiday/class/holiday.class.php
 <?php
-/* Copyright (C) 2011	   Dimitri Mouillard	<dmouillard@teclib.com>
+/* Copyright (C) 2011		Dimitri Mouillard	<dmouillard@teclib.com>
- * Copyright (C) 2012-2014 Laurent Destailleur	<eldy@users.sourceforge.net>
+ * Copyright (C) 2012-2014	Laurent Destailleur	<eldy@users.sourceforge.net>
- * Copyright (C) 2012	   Regis Houssin		<regis.houssin@capnetworks.com>
+ * Copyright (C) 2012-2016	Regis Houssin		<regis.houssin@capnetworks.com>
- * Copyright (C) 2013      Florian Henry        <florian.henry@open-concept.pro>
+ * Copyright (C) 2013		Florian Henry		<florian.henry@open-concept.pro>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -35,7 +35,7 @@ class Holiday extends CommonObject
 	public $table_element='holiday';
 	protected $isnolinkedbythird = 1;     // No field fk_soc
 	protected $ismultientitymanaged = 0;	// 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
 	/**
 	 * @deprecated
 	 * @see id
@@ -161,7 +161,7 @@ class Holiday extends CommonObject
        if (! $error)
        {
-            $this->rowid = $this->db->last_insert_id(MAIN_DB_PREFIX."holiday");
+            $this->id = $this->db->last_insert_id(MAIN_DB_PREFIX."holiday");
        }
        // Commit or rollback
@@ -178,7 +178,7 @@ class Holiday extends CommonObject
        else
        {
            $this->db->commit();
-            return $this->rowid;
+            return $this->id;
        }
    }
@@ -301,7 +301,8 @@ class Holiday extends CommonObject
        $sql.= " ua.firstname as validator_firstname";
        $sql.= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua";
-		$sql.= " WHERE cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau
+        $sql.= " WHERE cp.entity IN (".getEntity('holiday', 1).")";
+		$sql.= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau
        $sql.= " AND cp.fk_user = '".$user_id."'";
        // Filtre de séléction
@@ -413,7 +414,8 @@ class Holiday extends CommonObject
        $sql.= " ua.firstname as validator_firstname";
        $sql.= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua";
-        $sql.= " WHERE cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau
+        $sql.= " WHERE cp.entity IN (".getEntity('holiday', 1).")";
+        $sql.= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau
        // Filtrage de séléction
        if(!empty($filter)) {
@@ -560,7 +562,7 @@ class Holiday extends CommonObject
            $sql.= " detail_refuse = NULL";
        }
-        $sql.= " WHERE rowid= '".$this->rowid."'";
+        $sql.= " WHERE rowid= '".$this->id."'";
        $this->db->begin();
@@ -607,7 +609,7 @@ class Holiday extends CommonObject
        $error=0;
        $sql = "DELETE FROM ".MAIN_DB_PREFIX."holiday";
-        $sql.= " WHERE rowid=".$this->rowid;
+        $sql.= " WHERE rowid=".$this->id;
        $this->db->begin();
@@ -1112,16 +1114,29 @@ class Holiday extends CommonObject
     */
    function fetchUsers($stringlist=true,$type=true)
    {
+    	global $conf;
        // Si vrai donc pour user Dolibarr
        if ($stringlist)
        {
-            if($type)
+            if ($type)
            {
                // Si utilisateur de Dolibarr
                $sql = "SELECT u.rowid";
                $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
-                $sql.= " WHERE statut > 0";
+                if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode))
+                {
+                	$sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug";
+                	$sql.= " WHERE (ug.fk_user = u.rowid";
+                	$sql.= " AND ug.entity = ".$conf->entity.")";
+                	$sql.= " OR u.admin = 1";
+                }
+                else
+                	$sql.= " WHERE u.entity IN (0,".$conf->entity.")";
+                $sql.= " AND u.statut > 0";
                dol_syslog(get_class($this)."::fetchUsers", LOG_DEBUG);
                $resql=$this->db->query($sql);
@@ -1138,7 +1153,7 @@ class Holiday extends CommonObject
                    {
                        $obj = $this->db->fetch_object($resql);
-                        if($i == 0) {
+                        if ($i == 0) {
                            $stringlist.= $obj->rowid;
                        } else {
                            $stringlist.= ', '.$obj->rowid;
@@ -1158,7 +1173,7 @@ class Holiday extends CommonObject
            }
            else
-           {
+            {
           		// We want only list of user id
                $sql = "SELECT DISTINCT cpu.fk_user";
                $sql.= " FROM ".MAIN_DB_PREFIX."holiday_users as cpu";
@@ -1199,14 +1214,25 @@ class Holiday extends CommonObject
        }
        else
-       { // Si faux donc user Congés Payés
+        { // Si faux donc user Congés Payés
            // List for Dolibarr users
            if ($type)
            {
                $sql = "SELECT u.rowid, u.lastname, u.firstname";
                $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
-                $sql.= " WHERE statut > 0";
+                if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode))
+                {
+                	$sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug";
+                	$sql.= " WHERE (ug.fk_user = u.rowid";
+                	$sql.= " AND ug.entity = ".$conf->entity.")";
+                	$sql.= " OR u.admin = 1";
+                }
+                else
+                	$sql.= " WHERE u.entity IN (0,".$conf->entity.")";
+                $sql.= " AND u.statut > 0";
                dol_syslog(get_class($this)."::fetchUsers", LOG_DEBUG);
                $resql=$this->db->query($sql);

--- a/htdocs/holiday/define_holiday.php
+++ b/htdocs/holiday/define_holiday.php
 <?php
-/* Copyright (C) 2007-2015 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2007-2015	Laurent Destailleur	<eldy@users.sourceforge.net>
- * Copyright (C) 2011      Dimitri Mouillard <dmouillard@teclib.com>
+ * Copyright (C) 2011		Dimitri Mouillard	<dmouillard@teclib.com>
- * Copyright (C) 2013      Marcos García <marcosgdf@gmail.com>
+ * Copyright (C) 2013		Marcos García		<marcosgdf@gmail.com>
+ * Copyright (C) 2016		Regis Houssin		<regis.houssin@capnetworks.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -132,7 +133,7 @@ elseif($action == 'add_event')
        $new_holiday = $nb_holiday + $add_holiday;
        // add event to existing types of vacation
-        foreach ($typeleaves as $key => $leave) 
+        foreach ($typeleaves as $key => $leave)
        {
        	$vacationTypeID = $leave['rowid'];
@@ -160,7 +161,7 @@ print load_fiche_titre($langs->trans('MenuConfCP'), '', 'title_hrm.png');
 print '<div class="info">'.$langs->trans('LastUpdateCP').': '."\n";
 $lastUpdate = $holiday->getConfCP('lastUpdate');
-if ($lastUpdate) 
+if ($lastUpdate)
 {
    $monthLastUpdate = $lastUpdate[4].$lastUpdate[5];
    $yearLastUpdate = $lastUpdate[0].$lastUpdate[1].$lastUpdate[2].$lastUpdate[3];
@@ -215,7 +216,7 @@ else
 {
    print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">'."\n";
    print '<input type="hidden" name="action" value="update" />';
    print '<table class="noborder" width="100%;">';
    print "<tr class=\"liste_titre\">";
    print '<td width="55%">'.$langs->trans('Employee').'</td>';
@@ -233,12 +234,12 @@ else
    print '<td width="20%" style="text-align:center">'.$langs->trans('Note').'</td>';
    print '<td></td>';
    print '</tr>';
    foreach($listUsers as $users)
    {
        $var=!$var;
        print '<tr '.$bc[$var].' style="height: 20px;">';
        print '<td>';
        $userstatic->id=$users['rowid'];
@@ -246,7 +247,7 @@ else
        $userstatic->firstname=$users['firstname'];
        print $userstatic->getNomUrl(1);
        print '</td>';
        if (count($typeleaves))
        {
        	foreach($typeleaves as $key => $val)
@@ -261,17 +262,17 @@ else
        }
        else
        {
-            print '<td></td>';   
+            print '<td></td>';
        }
        print '<td style="text-align:center"><input type="text" value="" name="note_holiday['.$users['rowid'].']" size="30"/></td>';
        print '<td><input type="submit" name="update_cp['.$users['rowid'].']" value="'.dol_escape_htmltag($langs->trans("Update")).'" class="button"/></td>'."\n";
        print '</tr>';
        $i++;
    }
    print '</table>';
    print '</form>';
 }

--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
 <?php
 /* Copyright (C) 2011	   Dimitri Mouillard	<dmouillard@teclib.com>
 * Copyright (C) 2013-2015 Laurent Destailleur	<eldy@users.sourceforge.net>
- * Copyright (C) 2012	   Regis Houssin		<regis.houssin@capnetworks.com>
+ * Copyright (C) 2012-2016 Regis Houssin		<regis.houssin@capnetworks.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -232,16 +232,16 @@ if ($id > 0)
 	$title = $langs->trans("User");
 	$linkback = '<a href="'.DOL_URL_ROOT.'/user/index.php">'.$langs->trans("BackToList").'</a>';
 	$head = user_prepare_head($fuser);
 	dol_fiche_head($head, 'paidholidays', $title, 0, 'user');
    dol_banner_tab($fuser,'id',$linkback,$user->rights->user->user->lire || $user->admin);
    print '<div class="underbanner clearboth"></div>';
    print '<br>';
 }
 else
 {
@@ -283,7 +283,7 @@ if ($sall)
    foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val);
    print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall);
 }
 print '<table class="noborder" width="100%;">';
 print "<tr class=\"liste_titre\">";
 print_liste_field_titre($langs->trans("Ref"),$_SERVER["PHP_SELF"],"cp.rowid","",'','',$sortfield,$sortorder);

--- a/htdocs/install/mysql/migration/3.8.0-3.9.0.sql
+++ b/htdocs/install/mysql/migration/3.8.0-3.9.0.sql
@@ -593,6 +593,7 @@ ALTER TABLE llx_accounting_bookkeeping MODIFY COLUMN doc_ref varchar(300) NOT NU
 ALTER TABLE llx_holiday ADD COLUMN tms timestamp;
 ALTER TABLE llx_holiday ADD COLUMN entity integer DEFAULT 1 NOT NULL;
+ALTER TABLE llx_holiday ADD INDEX idx_holiday_entity (entity);
 -- Fix Argentina provences
 INSERT INTO llx_c_departements ( code_departement, fk_region, cheflieu, tncc, ncc, nom, active) VALUES ('2326', 2305, '', 0, 'MISIONES', 'Misiones', 1);

--- a/htdocs/install/mysql/tables/llx_holiday.key.sql
+++ b/htdocs/install/mysql/tables/llx_holiday.key.sql
 -- ===================================================================
-- Copyright (C) 2012      Laurent Destailleur  <eldy@users.sourceforge.net>
+-- Copyright (C) 2012	Laurent Destailleur	<eldy@users.sourceforge.net>
+-- Copyright (C) 2016	Regis Houssin		<regis.houssin@capnetworks.com>
 --
 -- This program is free software; you can redistribute it and/or modify
 -- it under the terms of the GNU General Public License as published by
@@ -16,6 +17,7 @@
 --
 -- ===================================================================
+ALTER TABLE llx_holiday ADD INDEX idx_holiday_entity (entity);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_fk_user (fk_user);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_fk_user_create (fk_user_create);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_date_create (date_create);