diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index e9fb3dd1b43..4046c4ddc4b 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -62,6 +62,8 @@ $comments=GETPOST('comments','none');
 $fk_c_type_fees=GETPOST('fk_c_type_fees','int');
 $socid = GETPOST('socid','int')?GETPOST('socid','int'):GETPOST('socid_id','int');
+$childids = $user->getAllChildIds(1);
+
 // Security check
 $id=GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
@@ -105,7 +107,17 @@ $permissionnote = $user->rights->expensereport->creer; // Used by the include
 $permissiondellink = $user->rights->expensereport->creer; // Used by the include of actions_dellink.inc.php
 $permissionedit = $user->rights->expensereport->creer; // Used by the include of actions_lineupdown.inc.php
-
+if ($object->id > 0)
+{
+ // Check current user can read this expense report
+ $canread = 0;
+ if (! empty($user->rights->expensereport->readall)) $canread=1;
+ if (! empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread=1;
+ if (! $canread)
+ {
+ accessforbidden();
+ }
+}
 /*
diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php
index d2097f30583..55bf2370fd6 100644
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
@@ -66,6 +66,22 @@ if (! empty($conf->global->HOLIDAY_FOR_NON_SALARIES_TOO)) $morefilter = '';
 $error = 0;
+$object = new Holiday($db);
+if ($id > 0)
+{
+ $object->fetch($id);
+
+ // Check current user can read this leave request
+ $canread = 0;
+ if (! empty($user->rights->holiday->read_all)) $canread=1;
+ if (! empty($user->rights->holiday->read) && in_array($object->fk_user, $childids)) $canread=1;
+ if (! $canread)
+ {
+ accessforbidden();
+ }
+}
+
+
 /*
 * Actions
 */
@@ -78,7 +94,6 @@ if (GETPOST('cancel', 'alpha'))
 // If create a request
 if ($action == 'create')
 {
- $object = new Holiday($db);
 // If no right to create a request
 if (! $cancreate)
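Review bot: The new read guard in the `@@ -105` hunk is wrapped in `if ($object->id > 0)`, so it only takes effect if `$object` has already been fetched above this point; the fetch is not in the hunk, and if it happens further down (or the report is located by `ref` with `$id` empty) the whole block is skipped and `accessforbidden()` is never reached. Worth confirming that the fetch precedes this block and pinning the dependency with a comment such as `// Read guard: relies on $object having been fetched above; keep this block after the fetch`. Separately, `in_array($object->fk_user_author, $childids)` is a loose comparison — `fk_user_author` typically comes back from the DB as a string — so if it is ever tightened to strict mode it should read `in_array((int) $object->fk_user_author, $childids, true)`. Whether `getAllChildIds(1)` includes the caller's own id is not visible here; if it does not, authors without `readall` lose access to their own reports.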
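Review bot: In the holiday/card.php `@@ -66` hunk the return value of `$object->fetch($id)` is ignored, so for an id that does not exist (or a fetch that fails) the object stays empty and a user with `read_all` continues into the action handlers below with an unloaded object; check it before the permission test: `if ($object->fetch($id) <= 0) { dol_print_error($db, $object->error); exit; }`. The guard also depends on `$childids`, which none of this file's hunks define — unlike the expensereport change, which adds `$childids = $user->getAllChildIds(1);` — so unless it is already set earlier in holiday/card.php the `in_array` haystack is null (a warning on PHP 7, a TypeError on PHP 8) and every user without `read_all` is refused. As in the other file, `in_array($object->fk_user, $childids)` is loose; cast to `(int)` if it is made strict. The surrounding script is top-level code, so no enclosing function is cut by the hunk.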
@@ -90,6 +105,8 @@ if ($action == 'create')
 if (! $error)
 {
+ $object = new Holiday($db);
+
 $db->begin();
 $date_debut = dol_mktime(0, 0, 0, GETPOST('date_debut_month'), GETPOST('date_debut_day'), GETPOST('date_debut_year'));
@@ -199,7 +216,6 @@ if ($action == 'create')
 if ($action == 'update' && GETPOSTISSET('savevalidator') && ! empty($user->rights->holiday->approve))
 {
- $object = new Holiday($db);
 $object->fetch($id);
 $object->oldcopy = dol_clone($object);
@@ -245,7 +261,6 @@ if ($action == 'update' && ! GETPOSTISSET('savevalidator'))
 exit;
 }
- $object = new Holiday($db);
 $object->fetch($id);
 // If under validation
@@ -329,7 +344,6 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights-
 $db->begin();
- $object = new Holiday($db);
 $object->fetch($id);
 // If this is a rough draft, approved, canceled or refused
@@ -363,7 +377,6 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights-
 // Action validate (+ send email for approval)
 if ($action == 'confirm_send')
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si brouillon et créateur
@@ -468,7 +481,6 @@ if ($action == 'confirm_send')
 // Approve leave request
 if ($action == 'confirm_valid')
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = utilisateur
@@ -582,7 +594,6 @@ if ($action == 'confirm_refuse' && GETPOST('confirm','alpha') == 'yes')
 {
 if (! empty($_POST['detail_refuse']))
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = utilisateur
@@ -682,7 +693,6 @@ if ($action == 'confirm_draft' && GETPOST('confirm') == 'yes')
 {
 $error = 0;
- $object = new Holiday($db);
 $object->fetch($id);
 $oldstatus = $object->statut;
@@ -713,7 +723,6 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
 {
 $error = 0;
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = valideur ou utilisateur, ou droits de faire pour les autres