From 14956302548adc47523071f77eb165bdabb9914e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 16 Mar 2021 10:59:01 +0100
Subject: [PATCH] Fix #yogosha5645
---
 htdocs/holiday/card.php | 4 +--
 htdocs/holiday/document.php | 60 ++++++++++++++++++++++++++++++++-----
 htdocs/holiday/info.php | 30 ++++++++++++-------
 3 files changed, 75 insertions(+), 19 deletions(-)
diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php
index 72b57de5a61..76d0e607e47 100644
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
@@ -51,6 +51,8 @@ $fuserid = (GETPOST('fuserid', 'int') ?GETPOST('fuserid', 'int') : $user->id);
 // Load translation files required by the page
 $langs->loadLangs(array("other", "holiday", "mails"));
+$error = 0;
+
 $now = dol_now();
 $childids = $user->getAllChildIds(1);
@@ -60,8 +62,6 @@ if (!empty($conf->global->HOLIDAY_HIDE_FOR_NON_SALARIES)) {
 $morefilter = 'AND employee = 1';
 }
-$error = 0;
-
 $object = new Holiday($db);
 $extrafields = new ExtraFields($db);
diff --git a/htdocs/holiday/document.php b/htdocs/holiday/document.php
index 1e2a643549a..02fe52a9a4d 100644
--- a/htdocs/holiday/document.php
+++ b/htdocs/holiday/document.php
@@ -44,12 +44,6 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
-// Security check
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'holiday', $id, 'holiday');
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma');
@@ -69,12 +63,64 @@ if (!$sortfield) {
 }
+$childids = $user->getAllChildIds(1);
+
+$morefilter = '';
+if (!empty($conf->global->HOLIDAY_HIDE_FOR_NON_SALARIES)) {
+ $morefilter = 'AND employee = 1';
+}
+
 $object = new Holiday($db);
-$object->fetch($id, $ref);
+
+$extrafields = new ExtraFields($db);
+
+// fetch optionals attributes and labels
+$extrafields->fetch_name_optionals_label($object->table_element);
+
+if (($id > 0) || $ref) {
+ $object->fetch($id, $ref);
+
+ // Check current user can read this leave request
+ $canread = 0;
+ if (!empty($user->rights->holiday->readall)) {
+ $canread = 1;
+ }
+ if (!empty($user->rights->holiday->read) && in_array($object->fk_user, $childids)) {
+ $canread = 1;
+ }
+ if (!$canread) {
+ accessforbidden();
+ }
+}
+
+/*$cancreate = 0;
+
+if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && !empty($user->rights->holiday->writeall_advance)) {
+ $cancreate = 1;
+}
+if (!empty($user->rights->holiday->write) && in_array($fuserid, $childids)) {
+ $cancreate = 1;
+}
+
+$candelete = 0;
+if (!empty($user->rights->holiday->delete)) {
+ $candelete = 1;
+}
+if ($object->statut == Holiday::STATUS_DRAFT && $user->rights->holiday->write && in_array($object->fk_user, $childids)) {
+ $candelete = 1;
+}
+*/
 $upload_dir = $conf->holiday->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, '');
 $modulepart = 'holiday';
+// Protection if external user
+if ($user->socid) {
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'holiday', $object->id, 'holiday');
+
+
 /*
 * Actions
diff --git a/htdocs/holiday/info.php b/htdocs/holiday/info.php
index b710df5fe2a..3ec95e61a52 100644
--- a/htdocs/holiday/info.php
+++ b/htdocs/holiday/info.php
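Review bot: The result of `$object->fetch($id, $ref)` inside the new `if (($id > 0) || $ref)` block is never checked, so an unknown id or ref continues with an empty `$object`: the `in_array($object->fk_user, $childids)` test then runs on an unset `fk_user`, `$upload_dir` is built from the empty object, and the `restrictedArea()` call further down receives an empty `$object->id`. The same block in info.php (hunk `@@ -34,26 +34,30 @@`) has the same gap and in addition drops the `dol_print_error` the old code ran on a failed fetch. When neither `id` nor `ref` is supplied the block is skipped entirely and the page falls through with no object at all, which this document tab cannot meaningfully render. Check the fetch result and reject the request in both files, as below; the commented-out `$cancreate`/`$candelete` block is dead code and should be deleted rather than shipped inside `/* … */`.
```php
if (($id > 0) || $ref) {
	$result = $object->fetch($id, $ref);
	if ($result <= 0) {
		dol_print_error($db, $object->error);
		exit;
	}

	// … unchanged: $canread checks …
} else {
	accessforbidden();
}
```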
@@ -34,26 +34,30 @@ $langs->load("holiday");
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
+
 $childids = $user->getAllChildIds(1);
-// Security check
-if ($user->socid) {
- $socid = $user->socid;
+$morefilter = '';
+if (!empty($conf->global->HOLIDAY_HIDE_FOR_NON_SALARIES)) {
+ $morefilter = 'AND employee = 1';
 }
-$result = restrictedArea($user, 'holiday', $id, 'holiday');
 $object = new Holiday($db);
-if (!$object->fetch($id, $ref) > 0) {
- dol_print_error($db);
-}
-if ($object->id > 0) {
- // Check current user can read this expense report
+$extrafields = new ExtraFields($db);
+
+// fetch optionals attributes and labels
+$extrafields->fetch_name_optionals_label($object->table_element);
+
+if (($id > 0) || $ref) {
+ $object->fetch($id, $ref);
+
+ // Check current user can read this leave request
 $canread = 0;
 if (!empty($user->rights->holiday->readall)) {
 $canread = 1;
 }
- if (!empty($user->rights->holiday->lire) && in_array($object->fk_user_author, $childids)) {
+ if (!empty($user->rights->holiday->read) && in_array($object->fk_user, $childids)) {
 $canread = 1;
 }
 if (!$canread) {
@@ -61,6 +65,12 @@ if ($object->id > 0) {
 }
 }
+// Security check
+if ($user->socid) {
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'holiday', $object->id, 'holiday');
+
 /*
 * View
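Review bot: `$morefilter` and the `$extrafields` setup added at the top of this hunk are not read anywhere in the hunk and look copied from card.php along with the access check; if nothing further down in info.php (outside the hunk) uses them, they are dead state and should be dropped so the info tab only carries what its read check needs. The `fetch_name_optionals_label()` call presumably costs a query on every page view for no visible benefit here. If they are kept on purpose, a one-line comment such as `// Kept in sync with card.php; not used by this tab` would stop the next reader from hunting for a consumer.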