From fb4e64fdabd8b775578c7bfce3396ed82325e7ff Mon Sep 17 00:00:00 2001
From: BENKE Charles
Date: Tue, 29 Jul 2014 11:28:46 +0200
Subject: [PATCH] Update consumption.php security access fix : we don't have right to access of invoice and order if we are not agreed
---
 htdocs/societe/consumption.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/htdocs/societe/consumption.php b/htdocs/societe/consumption.php
index dc825ae4eb487..797ab688e5c13 100644
--- a/htdocs/societe/consumption.php
+++ b/htdocs/societe/consumption.php
@@ -67,7 +67,12 @@
 }
 // Customer or supplier selected in drop box
 $thirdTypeSelect = GETPOST("third_select_id");
-$type_element = GETPOST('type_element')?GETPOST('type_element'):'invoice';
+if ($conf->facture->enabled && $user->rights->facture->lire)
+ $type_element = 'invoice';
+elseif ($conf->commande->enabled && $user->rights->commande->lire)
+ $type_element = 'order';
+$type_element = GETPOST('type_element')?GETPOST('type_element'):$type_element;
+
 $langs->load("companies");
 $langs->load("bills");
@@ -126,8 +131,8 @@
 $obj = $db->fetch_object($resql);
 $nbFactsClient = $obj->nb;
 $thirdTypeArray['customer']=$langs->trans("customer");
- if ($conf->facture->enabled) $elementTypeArray['invoice']=$langs->trans('Invoices');
- if ($conf->commande->enabled) $elementTypeArray['order']=$langs->trans('Orders');
+ if($conf->facture->enabled && $user->rights->facture->lire) $elementTypeArray['invoice']=$langs->trans('Invoices');
+ if ($conf->commande->enabled && $user->rights->commande->lire) $elementTypeArray['order']=$langs->trans('Orders');
 }
 if ($object->fournisseur)
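Review bot: In the first hunk (`@@ -67,7 +67,12 @@`) the last added line still lets the `type_element` request parameter replace the permission-based default, so a request carrying `type_element=invoice` is accepted even when `$user->rights->facture->lire` is not set. The `$elementTypeArray` tests in the two later hunks only decide which entries appear in the drop-down and enforce nothing on the server side; whether the listing code further down re-checks rights is outside these hunks. `$type_element` is also left undefined when neither branch matches and no parameter is sent. I would build the list of readable types once and accept the request value only when it is in that list, as sketched below; any element types the file handles outside these hunks would need an entry too.

```php
$thirdTypeSelect = GETPOST("third_select_id");
// Types this user may read; the request value is accepted only if listed here
$allowedTypes = array();
if ($conf->facture->enabled && $user->rights->facture->lire) $allowedTypes[] = 'invoice';
if ($conf->commande->enabled && $user->rights->commande->lire) $allowedTypes[] = 'order';
if ($conf->fournisseur->enabled && $user->rights->fournisseur->facture->lire) $allowedTypes[] = 'supplier_invoice';
if ($conf->fournisseur->enabled && $user->rights->fournisseur->commande->lire) $allowedTypes[] = 'supplier_order';

// Default as in the commit: invoice first, then order, otherwise empty
$type_element = '';
if (in_array('invoice', $allowedTypes, true)) $type_element = 'invoice';
elseif (in_array('order', $allowedTypes, true)) $type_element = 'order';

$requestedType = GETPOST('type_element');
if ($requestedType && in_array($requestedType, $allowedTypes, true)) $type_element = $requestedType;
// … unchanged: $langs->load() calls …
```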
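Review bot: No rights test is added around the count read into `$nbFactsClient` in the context lines of the `@@ -126,8 +131,8 @@` hunk, and the same holds for `$nbCmdsFourn` in the `@@ -144,8 +149,8 @@` hunk. If those numbers are printed further down, which these hunks do not show, a user without the read permission would still learn how many documents the third party has, so the display should sit behind the same `$user->rights->…->lire` tests as the drop-down entries. A minor style point on the added invoice line: it writes `if(` without the space used on every neighbouring line, and should read `if ($conf->facture->enabled && $user->rights->facture->lire)`. The enclosing `if` blocks start and end outside the hunks.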
@@ -144,8 +149,8 @@
 $obj = $db->fetch_object($resql);
 $nbCmdsFourn = $obj->nb;
 $thirdTypeArray['supplier']=$langs->trans("supplier");
- if ($conf->fournisseur->enabled) $elementTypeArray['supplier_invoice']=$langs->trans('SuppliersInvoices');
- if ($conf->fournisseur->enabled) $elementTypeArray['supplier_order']=$langs->trans('SuppliersOrders');
+ if ($conf->fournisseur->enabled && $user->rights->fournisseur->facture->lire) $elementTypeArray['supplier_invoice']=$langs->trans('SuppliersInvoices');
+ if ($conf->fournisseur->enabled && $user->rights->fournisseur->commande->lire) $elementTypeArray['supplier_order']=$langs->trans('SuppliersOrders');
 }
 print '';