mapiolca · mapiolca · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/htdocs/core/modules/modProduct.class.php b/htdocs/core/modules/modProduct.class.php
@@ -10,6 +10,7 @@
  * Copyright (C) 2020-2021	Alexandre Spangaro		<[email protected]>
  * Copyright (C) 2024		MDW						<[email protected]>
  * Copyright (C) 2025       Frédéric France         <[email protected]>
+ * Copyright (C) 2025      Pierre Ardoin        <[email protected]>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -144,6 +145,15 @@ public function __construct($db)
 		$this->rights[$r][3] = 0; // La permission est-elle une permission par default
 		$this->rights[$r][4] = 'product_advance';
 		$this->rights[$r][5] = 'read_supplier_prices';
+		$r++;
+
+			// EN: Advanced permission to write supplier prices
+		$this->rights[$r][0] = 36; // id de la permission
+		$this->rights[$r][1] = 'Write supplier prices'; // libelle de la permission
+		$this->rights[$r][2] = 'w'; // type de la permission (deprecated)
+		$this->rights[$r][3] = 0; // La permission est-elle une permission par default
+		$this->rights[$r][4] = 'product_advance';
+		$this->rights[$r][5] = 'write_supplier_prices';
 		$r++;
 
 		$this->rights[$r][0] = 34; // id de la permission

diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
@@ -773,7 +773,7 @@ Permission31=Read products
 Permission32=Create/modify products
 Permission33=Read prices products
 Permission34=Delete products
-Permission36=See/manage hidden products
+Permission36=Create/modify supplier prices
 Permission38=Export products
 Permission39=Can set a price lower than the minimum price of products
 Permission41=Read projects and tasks (shared projects and projects of which I am a contact).

diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang
@@ -769,7 +769,7 @@ Permission31=Consulter les produits
 Permission32=Créer/modifier les produits
 Permission33=Lire les prix des produits
 Permission34=Supprimer les produits
-Permission36=Voir/gérer les produits cachés
+Permission36=créer/modifier les prix fournisseurs
 Permission38=Exporter les produits
 Permission39=Peut définir un prix inférieur au prix minimum de produits
 Permission41=Lire les projets et les tâches (projets partagés et projets dont je suis un contact).

diff --git a/htdocs/product/price_suppliers.php b/htdocs/product/price_suppliers.php
@@ -11,6 +11,7 @@
  * Copyright (C) 2019-2024	Frédéric France      <[email protected]>
  * Copyright (C) 2019      Tim Otte			    <[email protected]>
  * Copyright (C) 2020      Pierre Ardoin        <[email protected]>
+ * Copyright (C) 2025      Pierre Ardoin        <[email protected]>
  * Copyright (C) 2023	   Joachim Kueter		<[email protected]>
  * Copyright (C) 2025		MDW					<[email protected]>
  *
@@ -121,6 +122,8 @@
 
 $usercanread = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'lire')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'lire')));
 $usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->hasRight('produit', 'creer')) || ($object->type == Product::TYPE_SERVICE && $user->hasRight('service', 'creer')));
+// EN: Manage advanced permission to write supplier prices
+$usercanwritesupplierprice = getDolGlobalString('MAIN_USE_ADVANCED_PERMS') ? $user->hasRight('product', 'product_advance', 'write_supplier_prices') : $usercancreate;
 
 if ($object->id > 0) {
 	if ($object->type == $object::TYPE_PRODUCT) {
@@ -133,6 +136,11 @@
 	restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
 }
 
+// EN: Stop unauthorized access to supplier price creation or edition forms
+if ((!$usercanwritesupplierprice) && ($action == 'create_price' || $action == 'edit_price')) {
+	accessforbidden();
+}
+
 
 /*
  * Actions
@@ -182,7 +190,7 @@
 		}
 	}
 
-	if ($action == 'confirm_remove_pf' && $usercancreate) {
+	if ($action == 'confirm_remove_pf' && $usercanwritesupplierprice) {
 		if ($rowid) {	// id of product supplier price to remove
 			$action = '';
 			$result = $object->remove_product_fournisseur_price($rowid);
@@ -196,7 +204,7 @@
 		}
 	}
 
-	if ($action == 'save_price' && $usercancreate) {
+	if ($action == 'save_price' && $usercanwritesupplierprice) {
 		$ref_fourn_price_id = GETPOSTINT('ref_fourn_price_id');
 		$id_fourn = GETPOSTINT("id_fourn");
 		if (empty($id_fourn)) {
@@ -390,6 +398,10 @@
 
 if ($id > 0 || $ref) {
 	if ($action == 'ask_remove_pf') {
+		// EN: Block action if user cannot write supplier prices
+		if (!$usercanwritesupplierprice) {
+			accessforbidden();
+		}
 		$form = new Form($db);
 		$formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$id.'&rowid='.$rowid, $langs->trans('DeleteProductBuyPrice'), $langs->trans('ConfirmDeleteProductBuyPrice'), 'confirm_remove_pf', '', 0, 1);
 		echo $formconfirm;
@@ -482,7 +494,7 @@
 
 
 		// Form to add or update a price
-		if (($action == 'create_price' || $action == 'edit_price') && $usercancreate) {
+		if (($action == 'create_price' || $action == 'edit_price') && $usercanwritesupplierprice) {
 			$langs->load("suppliers");
 
 			print "<!-- form to add a supplier price -->\n";
@@ -927,12 +939,13 @@
 		if ($action != 'create_price' && $action != 'edit_price') {
 			$parameters = array();
 			$reshook = $hookmanager->executeHooks('addMoreActionsButtons', $parameters, $object, $action); // Note that $action and $object may have been modified by hook
-			if (empty($reshook)) {
-				if ($usercancreate) {
+                        if (empty($reshook)) {
+                                // EN: Display add button only when user can write supplier prices
+				if ($usercanwritesupplierprice) {
 					print '<a class="butAction" href="'.DOL_URL_ROOT.'/product/price_suppliers.php?id='.((int) $object->id).'&action=create_price&token='.newToken().'">';
 					print $langs->trans("AddSupplierPrice").'</a>';
 				}
 			}
 		}

 		print "</div>\n";
@@ -1143,16 +1156,17 @@
 					print '<tr class="oddeven">';
 
 					// Action column
-					if (getDolGlobalString('MAIN_CHECKBOX_LEFT_COLUMN')) {
-						print '<td class="center nowraponall">';
-						if ($usercancreate) {
+				if (getDolGlobalString('MAIN_CHECKBOX_LEFT_COLUMN')) {
+					print '<td class="center nowraponall">';
+					// EN: Allow editing and deletion when user can write supplier prices
+					if ($usercanwritesupplierprice) {
 							print '<a class="editfielda" href="'.$_SERVER['PHP_SELF'].'?id='.((int) $object->id).'&socid='.((int) $productfourn->fourn_id).'&action=edit_price&token='.newToken().'&rowid='.((int) $productfourn->product_fourn_price_id).'">'.img_edit()."</a>";
 							print ' &nbsp; ';
 							print '<a href="'.$_SERVER['PHP_SELF'].'?id='.((int) $object->id).'&socid='.((int) $productfourn->fourn_id).'&action=ask_remove_pf&token='.newToken().'&rowid='.((int) $productfourn->product_fourn_price_id).'">'.img_picto($langs->trans("Remove"), 'delete').'</a>';
 						}

 						print '</td>';
 					}

 					// Date from
 					if (!empty($arrayfields['pfp.datec']['checked'])) {
@@ -1165,7 +1179,7 @@
 					}
 
 					// Supplier ref
-					if ($usercancreate) { // change required right here
+					if ($usercanwritesupplierprice) { // EN: Supplier link allowed when user can write supplier prices
 						print '<td class="tdoverflowmax150">'.$productfourn->getNomUrl().'</td>';
 					} else {
 						print '<td class="tdoverflowmax150">'.dol_escape_htmltag($productfourn->fourn_ref).'</td>';
@@ -1335,7 +1349,8 @@
 					// Modify-Remove
 					if (!getDolGlobalString('MAIN_CHECKBOX_LEFT_COLUMN')) {
 						print '<td class="center nowraponall">';
-						if ($usercancreate) {
+						// EN: Allow editing and deletion when user can write supplier prices
+						if ($usercanwritesupplierprice) {
 							print '<a class="editfielda" href="'.$_SERVER['PHP_SELF'].'?id='.((int) $object->id).'&socid='.((int) $productfourn->fourn_id).'&action=edit_price&token='.newToken().'&rowid='.((int) $productfourn->product_fourn_price_id).'">'.img_edit()."</a>";
 							print ' &nbsp; ';
 							print '<a href="'.$_SERVER['PHP_SELF'].'?id='.((int) $object->id).'&socid='.((int) $productfourn->fourn_id).'&action=ask_remove_pf&token='.newToken().'&rowid='.((int) $productfourn->product_fourn_price_id).'">'.img_picto($langs->trans("Remove"), 'delete').'</a>';