Fix: Use correct permission on correct field.

htdocs/compta/deplacement/class/deplacementstats.class.php

@@ -45,7 +45,7 @@ class DeplacementStats extends Stats
 	 *
 	 * @param 	DoliDB		$db		   Database handler
 	 * @param 	int			$socid	   Id third party
-     * @param   int			$userid    Id user for filter
+     * @param   mixed		$userid    Id user for filter or array of user ids
 	 * @return 	void
 	 */
 	function __construct($db, $socid=0, $userid=0)
@@ -66,7 +66,8 @@ class DeplacementStats extends Stats
 		{
 			$this->where.=" AND fk_soc = ".$this->socid;
 		}
-        if ($this->userid > 0) $this->where.=' AND fk_user = '.$this->userid;
+		if (is_array($this->userid) && count($this->userid) > 0) $this->where.=' AND fk_user IN ('.join(',',$this->userid).')';
+        else if ($this->userid > 0) $this->where.=' AND fk_user = '.$this->userid;
 	}
 
 

htdocs/compta/deplacement/index.php

@@ -67,7 +67,7 @@ $totalnb=0;
 $sql = "SELECT count(d.rowid) as nb, sum(d.km) as km, d.type";
 $sql.= " FROM ".MAIN_DB_PREFIX."deplacement as d";
 $sql.= " WHERE d.entity = ".$conf->entity;
-if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user_author IN ('.join(',',$childids).')';
+if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user IN ('.join(',',$childids).')';
 $sql.= " GROUP BY d.type";
 $sql.= " ORDER BY d.type";
 
@@ -138,7 +138,7 @@ $sql.= " FROM ".MAIN_DB_PREFIX."deplacement as d, ".MAIN_DB_PREFIX."user as u";
 if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= ", ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE u.rowid = d.fk_user";
 $sql.= " AND d.entity = ".$conf->entity;
-if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user_author IN ('.join(',',$childids).')';
+if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user IN ('.join(',',$childids).')';
 if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($socid) $sql.= " AND d.fk_soc = ".$socid;
 $sql.= $db->order("d.tms","DESC");

htdocs/compta/deplacement/list.php

@@ -58,6 +58,9 @@ $search_ref=GETPOST('search_ref','alpha');
 $tripandexpense_static=new Deplacement($db);
 $userstatic = new User($db);
 
+$childids = $user->getAllChildIds();
+$childids[]=$user->id;
+
 llxHeader();
 
 $sql = "SELECT s.nom, s.rowid as socid,";				// Ou
@@ -70,6 +73,7 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON d.fk_soc = s.rowid";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc";
 $sql.= " WHERE d.fk_user = u.rowid";
 $sql.= " AND d.entity = ".$conf->entity;
+if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user IN ('.join(',',$childids).')';
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND sc.fk_user = " .$user->id;
 if ($socid) $sql.= " AND s.rowid = ".$socid;
 if (trim($search_ref) != '')
@@ -167,6 +171,7 @@ else
 {
     dol_print_error($db);
 }
-$db->close();
 
 llxFooter();
+
+$db->close();

htdocs/compta/deplacement/stats/index.php

@@ -45,6 +45,18 @@ if ($user->societe_id > 0)
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'deplacement', $id,'');
 
+// Other security check
+$childids = $user->getAllChildIds();
+$childids[]=$user->id;
+if ($userid > 0)
+{
+	if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous) && ! in_array($userid, $childids))
+	{
+		accessforbidden();
+		exit;
+	}
+}
+
 $nowyear=strftime("%Y", dol_now());
 $year = GETPOST('year')>0?GETPOST('year'):$nowyear;
 //$startyear=$year-2;
@@ -60,6 +72,7 @@ $mode=GETPOST("mode")?GETPOST("mode"):'customer';
 
 $form=new Form($db);
 
+
 llxHeader();
 
 $title=$langs->trans("TripsAndExpensesStatistics");
@@ -69,7 +82,14 @@ print_fiche_titre($title, $mesg);
 
 dol_mkdir($dir);
 
-$stats = new DeplacementStats($db, $socid, $userid);
+$useridtofilter=$userid;	// Filter from parameters
+if (empty($useridtofilter))
+{
+	$useridtofilter=$childids;
+	if (! empty($user->rights->deplacement->readall) || ! empty($user->rights->deplacement->lire_tous)) $useridtofilter=0;
+}
+
+$stats = new DeplacementStats($db, $socid, $useridtofilter);
 
 
 // Build graphic number of object
@@ -220,7 +240,9 @@ print $form->select_company($socid,'socid',$filter,1,1);
 print '</td></tr>';
 // User
 print '<tr><td>'.$langs->trans("User").'</td><td>';
-print $form->select_dolusers($userid,'userid',1);
+$include='';
+if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $include='hierarchy';
+print $form->select_dolusers($userid,'userid',1,'',0,$include);
 print '</td></tr>';
 // Year
 print '<tr><td>'.$langs->trans("Year").'</td><td>';

htdocs/compta/hrm.php

@@ -60,6 +60,8 @@ if ($user->societe_id > 0) accessforbidden();
 $holiday = new Holiday($db);
 $holidaystatic=new Holiday($db);
 
+$childids = $user->getAllChildIds();
+$childids[]=$user->id;
 
 llxHeader(array(),$langs->trans('HRMArea'));
 
@@ -118,6 +120,7 @@ $sql.= " FROM ".MAIN_DB_PREFIX."deplacement as d, ".MAIN_DB_PREFIX."user as u";
 if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= ", ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE u.rowid = d.fk_user";
 $sql.= " AND d.entity = ".$conf->entity;
+if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) $sql.=' AND d.fk_user IN ('.join(',',$childids).')';
 if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if (!empty($socid)) $sql.= " AND d.fk_soc = ".$socid;
 $sql.= $db->order("d.tms","DESC");