From 3b934118c558be4b0973e980b98d5abe11e9c967 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis.houssin@capnetworks.com>
Date: Fri, 26 Apr 2013 12:35:31 +0200
Subject: [PATCH] Fix: security problem with multicompany

---
 htdocs/contact/class/contact.class.php | 1 +
 htdocs/contact/exportimport.php | 14 ++++++++------
 htdocs/contact/fiche.php | 2 +-
 htdocs/contact/ldap.php | 12 +++++++-----
 htdocs/contact/perso.php | 6 ++++--
 htdocs/contact/vcard.php | 7 ++++++-
 6 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 4cbc1d7fbcd..db8b408e6ed 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -36,6 +36,7 @@ class Contact extends CommonObject
 {
 public $element='contact';
 public $table_element='socpeople';
+ protected $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
 var $id;
 var $civilite_id; // In fact we store civility_code
diff --git a/htdocs/contact/exportimport.php b/htdocs/contact/exportimport.php
index c3f9f2605ee..5149eed9efb 100644
--- a/htdocs/contact/exportimport.php
+++ b/htdocs/contact/exportimport.php
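Review bot: The added `$ismultientitymanaged = 1` is only a declaration; nothing in this hunk shows the code that reads it, so whether the entity test is actually applied on `fetch()` or inside the `restrictedArea()` calls of the other files depends on a consumer outside this class. It is also declared `protected` while the neighbouring fields are `public`/`var`; if the consumer is a function outside the class hierarchy (a security library rather than CommonObject), it cannot read the flag without a public accessor — worth confirming before relying on this as the multicompany fix. The class body continues past the hunk.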
@@ -29,26 +29,28 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php';
 $langs->load("companies");
 // Security check
-$contactid = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id', 'int');
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
+$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 /*
  * View
  */
-llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
+$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
+
+llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 $form = new Form($db);
 $contact = new Contact($db);
-$contact->fetch($_GET["id"], $user);
+$contact->fetch($id, $user);
 $head = contact_prepare_head($contact);
-dol_fiche_head($head, 'exportimport', $langs->trans("ContactsAddresses"), 0, 'contact');
+dol_fiche_head($head, 'exportimport', $title, 0, 'contact');
 /*
@@ -97,7 +99,7 @@ print '</div>';
 print '<br>';
 print $langs->trans("ExportCardToFormat").': ';
-print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$_GET["id"].'">';
+print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$contact->id.'">';
 print img_picto($langs->trans("VCard"),'vcard.png').' ';
 print $langs->trans("VCard");
 print '</a>';
diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php
index 9711654fa03..18ae4e8d01e 100644
--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
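Review bot: The return value of `$contact->fetch($id, $user)` is still discarded, so an id that `restrictedArea()` lets through but that does not load a row (non-existent, or filtered out once the entity test applies) renders the export tabs for an empty object, and the vcard link in the next hunk is then built from an empty `$contact->id`. Check it before building the page, e.g. `$result = $contact->fetch($id, $user); if ($result <= 0) { dol_print_error($db, $contact->error); exit; }` — or whichever abort helper the sibling pages use, which I cannot see from here. An empty `id` is not rejected either; if `restrictedArea()` treats an empty object id as "nothing to check", an id-less request still reaches the fetch. `$socid` is assigned but unused in the visible lines; if it exists only for a global read elsewhere, a comment saying so would help.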
@@ -67,7 +67,7 @@ if (! empty($canvas))
 }
 // Security check
-$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', '', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission
+$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission
 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
 $hookmanager->initHooks(array('contactcard'));
diff --git a/htdocs/contact/ldap.php b/htdocs/contact/ldap.php
index bb1114c18da..f284ee1834d 100644
--- a/htdocs/contact/ldap.php
+++ b/htdocs/contact/ldap.php
@@ -35,12 +35,12 @@ $langs->load("admin");
 $action=GETPOST('action');
 // Security check
-$contactid = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id', 'int');
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
+$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 $contact = new Contact($db);
-$contact->fetch($_GET["id"], $user);
+$contact->fetch($id, $user);
 /*
@@ -79,13 +79,15 @@ if ($action == 'dolibarr2ldap')
  * View
  */
-llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
+$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
+
+llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 $form = new Form($db);
 $head = contact_prepare_head($contact);
-dol_fiche_head($head, 'ldap', $langs->trans("ContactsAddresses"), 0, 'contact');
+dol_fiche_head($head, 'ldap', $title, 0, 'contact');
 print '<table class="border" width="100%">';
diff --git a/htdocs/contact/perso.php b/htdocs/contact/perso.php
index d321e07a258..86462d05fae 100644
--- a/htdocs/contact/perso.php
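Review bot: The sixth and seventh arguments `'', 'rowid'` are positional and their meaning is not recoverable from the call, and the line's existing comment talks about shared contacts, not about this key change. If the parameter list is (…, $feature2, $dbt_keyfield, $dbt_select, $objcanvas) — I cannot see the definition from here — a short comment such as `// dbt_select='rowid': look the contact up by its own primary key for the entity/ownership check` would make the change reviewable. The other three pages in this patch call `restrictedArea($user, 'contact', $id, 'socpeople&societe')` with four arguments and so rely on the default for this same parameter; if passing `'rowid'` explicitly was needed here for the check to work, confirm the default produces the same lookup for them.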
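Review bot: `$contact->fetch($id, $user)` runs before the `if ($action == 'dolibarr2ldap')` branch that the next hunk header shows, and its result is not checked, so an id that `restrictedArea()` lets through but that does not load a row lets that action proceed on an empty Contact object. Guard it: `if ($contact->fetch($id, $user) <= 0) { dol_print_error($db, $contact->error); exit; }` (or the abort helper this project uses). `$socid` is assigned from `$user->societe_id` but not used in the visible lines; if it is there only to be read through globals by the security check, a comment saying so would save the next reader the search.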
+++ b/htdocs/contact/perso.php
@@ -69,7 +69,9 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->societe->contact
 $now=dol_now();
-llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
+$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
+
+llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 $form = new Form($db);
@@ -77,7 +79,7 @@ $object->fetch($id, $user);
 $head = contact_prepare_head($object);
-dol_fiche_head($head, 'perso', $langs->trans("ContactsAddresses"), 0, 'contact');
+dol_fiche_head($head, 'perso', $title, 0, 'contact');
 if ($action == 'edit')
 {
diff --git a/htdocs/contact/vcard.php b/htdocs/contact/vcard.php
index f9f4c80fad1..48189eb60f6 100644
--- a/htdocs/contact/vcard.php
+++ b/htdocs/contact/vcard.php
@@ -29,8 +29,13 @@ require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/vcard.class.php';
+$id = GETPOST('id', 'int');
+
+// Security check
+$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
+
 $contact = new Contact($db);
-$result=$contact->fetch($_GET["id"]);
+$result=$contact->fetch($id);
 $physicalperson=1;
-- 
GitLab
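Review bot: The `$result` assigned from `restrictedArea()` is overwritten two lines later by `$result=$contact->fetch($id)`, and nothing in the hunk checks either value, so whether a failed fetch aborts the vCard output depends on code past the hunk. The fetch also differs from the sibling pages in this patch, which pass `$user` as a second argument (`$contact->fetch($id, $user)`); if that argument changes what is loaded, the export should pass it too for the same access semantics. An empty `id` is not rejected before the check; if `restrictedArea()` skips the per-object test for an empty id, adding `if (empty($id)) accessforbidden();` before it (using the project's access-denied helper, if it is loaded here) closes that path.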