New: works on sharings between entities

Fix: index or list just verify rights access

New: works on sharings between entities
cd420e00 · Regis Houssin · 783c050d · cd420e00 · cd420e00 · cd420e00
Commit cd420e00 authored 13 years ago by Regis Houssin
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -1903,7 +1903,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''

 	// If we have a particular object to check permissions on, we check this object
 	// is linked to a company allowed to $user.
-	if (!empty($objectid) && $objectid > 0)
+	if (! empty($objectid) && $objectid > 0)
 	{
 		foreach ($features as $feature)
 		{
@@ -1918,6 +1918,14 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''

 			// If dbtable not defined, we use same name for table than module name
 			if (empty($dbtablename)) $dbtablename = $feature;
+			
+			// Sharings between entities
+			if ($conf->global->MAIN_MODULE_MULTICOMPANY)
+			{
+				dol_include_once('/multicompany/class/actions_multicompany.class.php');
+				$mc = new ActionsMulticompany($db);
+				$mc->getEntitySharing($dbtablename);
+			}

 			// Check permission for object with entity
 			if (in_array($feature,$check))
@@ -1925,7 +1933,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 				$sql = "SELECT dbt.".$dbt_select;
 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
-				$sql.= " AND dbt.entity IN (0,".$conf->entity.")";
+				$sql.= " AND dbt.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 			}
 			else if (in_array($feature,$checksoc))
 			{
@@ -1943,7 +1951,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql.= " WHERE sc.fk_soc = ".$objectid;
 					$sql.= " AND sc.fk_user = ".$user->id;
 					$sql.= " AND sc.fk_soc = s.rowid";
-					$sql.= " AND s.entity = ".$conf->entity;
+					$sql.= " AND s.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 				}
 				// If multicompany and internal users with all permissions, check user is in correct entity
 				else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
@@ -1951,7 +1959,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql = "SELECT s.rowid";
 					$sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
 					$sql.= " WHERE s.rowid = ".$objectid;
-					$sql.= " AND s.entity = ".$conf->entity;
+					$sql.= " AND s.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 				}
 			}
 			else if (in_array($feature,$checkother))
@@ -1972,7 +1980,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
 					$sql.= " WHERE dbt.rowid = ".$objectid;
 					$sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)";	// Contact not linked to a company or to a company of user
-					$sql.= " AND dbt.entity = ".$conf->entity;
+					$sql.= " AND dbt.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 				}
 				// If multicompany and internal users with all permissions, check user is in correct entity
 				else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
@@ -1980,7 +1988,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql = "SELECT dbt.rowid";
 					$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 					$sql.= " WHERE dbt.rowid = ".$objectid;
-					$sql.= " AND dbt.entity = ".$conf->entity;
+					$sql.= " AND dbt.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 				}
 			}
 			else if (in_array($feature,$checkproject))
@@ -1994,7 +2002,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
                    if (! in_array($objectid,$tmparray)) accessforbidden();
                }
            }
-			else if (!in_array($feature,$nocheck))	// By default we check with link to third party
+			else if (! in_array($feature,$nocheck))	// By default we check with link to third party
 			{
 				// If external user: Check permission for external users
 				if ($user->societe_id > 0)
@@ -2014,7 +2022,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
 					$sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
 					$sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
-					$sql.= " AND s.entity = ".$conf->entity;
+					$sql.= " AND s.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 					$sql.= " AND sc.fk_user = ".$user->id;
 				}
 				// If multicompany and internal users with all permissions, check user is in correct entity
@@ -2023,7 +2031,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 					$sql = "SELECT dbt.".$dbt_select;
 					$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 					$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
-					$sql.= " AND dbt.entity = ".$conf->entity;
+					$sql.= " AND dbt.entity IN (0,".($mc->share ? $mc->share : $conf->entity).")";
 				}
 			}


--- a/htdocs/product/index.php
+++ b/htdocs/product/index.php
@@ -33,9 +33,9 @@ if ($type =='' && !$user->rights->produit->lire) $type='1';	// Force global page
 if ($type =='' && !$user->rights->service->lire) $type='0';	// Force global page on prpduct page only

 // Security check
-if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
-else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
-else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
+if ($type=='0') $result=restrictedArea($user,'produit');
+else if ($type=='1') $result=restrictedArea($user,'service');
+else $result=restrictedArea($user,'produit|service');

 $langs->load("products");


--- a/htdocs/product/liste.php
+++ b/htdocs/product/liste.php
@@ -69,16 +69,16 @@ if (! empty($canvas))
    //$objcanvas->getCanvas('product','xxx',$canvas);

    // Security check
-    if ($type=='0') $result=$objcanvas->restrictedArea($user,'produit',$id,'product','','',$fieldid);
-    else if ($type=='1') $result=$objcanvas->restrictedArea($user,'service',$id,'service','','',$fieldid);
-    else $result=$objcanvas->restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
+    if ($type=='0') $result=$objcanvas->restrictedArea($user,'produit');
+    else if ($type=='1') $result=$objcanvas->restrictedArea($user,'service');
+    else $result=$objcanvas->restrictedArea($user,'produit|service');
 }
 else
 {
    // Security check
-    if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
-    else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
-    else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
+    if ($type=='0') $result=restrictedArea($user,'produit');
+    else if ($type=='1') $result=restrictedArea($user,'service');
+    else $result=restrictedArea($user,'produit|service');
 }

 // Sharings between entities