Merge pull request #22981 from ibuiv/develop

Fix #19789 Visibility of private contacts

htdocs/contact/card.php

@@ -86,6 +86,7 @@ $hookmanager->initHooks(array('contactcard', 'globalcard'));
 
 if ($id > 0) {
 	$object->fetch($id);
+	$object->info($id);
 }
 
 if (!($object->id > 0) && $action == 'view') {
@@ -101,6 +102,9 @@ $permissiontoadd = $user->rights->societe->contact->creer;
 if ($user->socid) {
 	$socid = $user->socid;
 }
+if ($object->priv && $object->user_creation->id != $user->id) {
+	accessforbidden();
+}
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission
 
 

htdocs/core/lib/company.lib.php

@@ -1123,6 +1123,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl
 	$sql .= " FROM ".MAIN_DB_PREFIX."socpeople as t";
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
 	$sql .= " WHERE t.fk_soc = ".((int) $object->id);
+	$sql .= " AND ((t.fk_user_creat = ".((int) $user->id)." AND t.priv = 1) OR t.priv = 0)";
 	if ($search_rowid) {
 		$sql .= natural_search('t.rowid', $search_rowid);
 	}