Fix: big security problem with multicompany

34036c2a · Regis Houssin · 3b934118 · 34036c2a · 34036c2a · 34036c2a
Commit 34036c2a authored 11 years ago by Regis Houssin
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -35,7 +35,7 @@ class ActionComm extends CommonObject
    public $element='action';
    public $table_element = 'actioncomm';
    public $table_rowid = 'id';
-    protected $ismultientitymanaged = 2;	// 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
+    protected $ismultientitymanaged = 1;	// 0=No test on entity, 1=Test with field entity, 2=Test with link by societe

    var $id;


--- a/htdocs/comm/action/document.php
+++ b/htdocs/comm/action/document.php
@@ -51,6 +51,8 @@ if ($user->societe_id > 0)
 	$socid = $user->societe_id;
 }

+$result = restrictedArea($user, 'agenda', $objectid, 'actioncomm&societe', 'myactions&allactions', '', 'id');
+
 $act = new ActionComm($db);

 if ($objectid > 0)

--- a/htdocs/comm/action/fiche.php
+++ b/htdocs/comm/action/fiche.php
@@ -53,7 +53,7 @@ $contactid=GETPOST('contactid','int');
 $socid = GETPOST('socid','int');
 $id = GETPOST('id','int');
 if ($user->societe_id) $socid=$user->societe_id;
-//$result = restrictedArea($user, 'agenda', $id, 'actioncomm', 'actions', '', 'id');
+$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', '', 'id');

 $error=GETPOST("error");
 $mesg='';

--- a/htdocs/comm/action/info.php
+++ b/htdocs/comm/action/info.php
@@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';

 $langs->load("commercial");

+$id = GETPOST('id','int');
+
 // Security check
 if ($user->societe_id > 0)
 {
@@ -38,6 +40,7 @@ if ($user->societe_id > 0)
  $socid = $user->societe_id;
 }

+$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', '', 'id');


 /*
@@ -48,8 +51,8 @@ $help_url='EN:Module_Agenda_En|FR:Module_Agenda|ES:M&omodulodulo_Agenda';
 llxHeader('',$langs->trans("Agenda"),$help_url);

 $act = new ActionComm($db);
-$act->fetch($_GET["id"]);
-$act->info($_GET["id"]);
+$act->fetch($id);
+$act->info($act->id);

 $head=actions_prepare_head($act);
 dol_fiche_head($head, 'info', $langs->trans("Action"),0,'action');

--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -112,11 +112,14 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
        if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
    }

-    if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";
+    if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";

    // More features to check
    $features = explode("&", $features);

+    // More subfeatures to check
+    $feature2 = explode("&", $feature2);
+
    // More parameters
    $params = explode('&', $dbtablename);
    $dbtablename=(! empty($params[0]) ? $params[0] : '');
@@ -160,8 +163,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
        }
        else if (! empty($feature2))	// This should be used for future changes
        {
-            if (empty($user->rights->$feature->$feature2->lire)
-            && empty($user->rights->$feature->$feature2->read)) $readok=0;
+        	foreach($feature2 as $subfeature)
+        	{
+        		if (empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) $readok=0;
+        		else $readok=1;
+        	}
        }
        else if (! empty($feature) && ($feature!='user' && $feature!='usergroup'))		// This is for old permissions
        {
@@ -206,8 +212,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
            }
            else if (! empty($feature2))	// This should be used for future changes
            {
-                if (empty($user->rights->$feature->$feature2->creer)
-                && empty($user->rights->$feature->$feature2->write)) $createok=0;
+            	foreach($feature2 as $subfeature)
+            	{
+            		if (empty($user->rights->$feature->$subfeature->creer) && empty($user->rights->$feature->$subfeature->write)) $createok=0;
+            		else $createok=1;
+            	}
            }
            else if (! empty($feature))		// This is for old permissions
            {
@@ -267,8 +276,11 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
            }
            else if (! empty($feature2))	// This should be used for future changes
            {
-                if (empty($user->rights->$feature->$feature2->supprimer)
-                && empty($user->rights->$feature->$feature2->delete)) $deleteok=0;
+            	foreach($feature2 as $subfeature)
+            	{
+            		if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) $deleteok=0;
+            		else $deleteok=1;
+            	}
            }
            else if (! empty($feature))		// This is for old permissions
            {