FIX missing access security checking with multicompany

Dolibarr · Feb 14, 2019 · aa4c5ae · aa4c5ae
1 parent 53a8f1c
commit aa4c5ae
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
@@ -451,12 +451,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 		if ($feature == 'project') $feature='projet';
 		if ($feature == 'task')    $feature='projet_task';
 
-		$check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','categorie','resource'); // Test on entity only (Objects with no link to company)
+		$check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','stock','categorie','resource'); // Test on entity only (Objects with no link to company)
 		$checksoc = array('societe');	 // Test for societe object
 		$checkother = array('contact','agenda');	 // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 		$checkproject = array('projet','project'); // Test for project object
 		$checktask = array('projet_task');
-		$nocheck = array('barcode','stock');	// No test
+		$nocheck = array('barcode');	// No test
 		$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 
 		// If dbtablename not defined, we use same name for table than module name

diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
@@ -52,7 +52,7 @@
 $backtopage=GETPOST('backtopage','alpha');
 
 // Security check
-$result=restrictedArea($user,'stock');
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
 
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('warehousecard','globalcard'));

diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php
@@ -33,7 +33,7 @@
 $ref = GETPOST('ref','alpha');
 
 // Security check
-$result=restrictedArea($user,'stock');
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
 
 
 /*

diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
@@ -46,9 +46,6 @@
 $langs->loadLangs(array('products', 'stocks'));
 if (! empty($conf->productbatch->enabled)) $langs->load("productbatch");
 
-// Security check
-$result=restrictedArea($user,'stock');
-
 $id=GETPOST('id','int');
 $ref = GETPOST('ref','alpha');
 $msid=GETPOST('msid','int');
@@ -57,6 +54,9 @@
 $cancel=GETPOST('cancel','alpha');
 $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'movementlist';
 
+// Security check
+$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
+
 $idproduct = GETPOST('idproduct','int');
 $year = GETPOST("year");
 $month = GETPOST("month");