From 24128ac28d782f8522ec4c72988f54dc45eea998 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Wed, 16 Jan 2019 11:07:58 +0100
Subject: [PATCH] TODO security broken with Multicompany
---
 htdocs/user/card.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 6db383ed515..d84c52068cc 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -85,7 +85,7 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-if (! $canreaduser) {
+if (! $canreaduser) { // TODO security broken with Multicompany
 $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 }
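Review bot: The TODO added on `if (! $canreaduser) {` flags an access-control gap but does not say what is broken or under which condition, so the next maintainer cannot tell whether the guard is too strict or too permissive. What the hunk does show is that `restrictedArea()` is skipped entirely whenever `$canreaduser` is truthy. That variable is computed outside the hunk, so the entity scoping is presumably the concern, but this cannot be confirmed from here. I would make the comment specific and traceable, e.g. `// TODO security: restrictedArea() is bypassed when $canreaduser is set; with Multicompany confirm $id belongs to an entity the caller may read (tracking: <issue-ref placeholder>)`. Since the commit only annotates the gap, the object-level check should stay tracked as an open security issue rather than living only in a comment.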