lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix permission on expense report

Browse Source
This commit is contained in:
Laurent Destailleur 2017-03-02 12:11:25 +01:00
parent 07d121a7a0
commit 29618890f4
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
htdocs/expensereport/index.php
View File

@ -150,7 +150,14 @@ $sql = "SELECT u.rowid as uid, u.lastname, u.firstname, u.login, u.statut, u.pho
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport as d, ".MAIN_DB_PREFIX."user as u";
if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= ", ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql.= " WHERE u.rowid = d.fk_user_author";
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) $sql.=' AND d.fk_user_author IN ('.join(',',$childids).')';
// RESTRICT RIGHTS
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
{
$childids = $user->getAllChildIds();
$childids[]=$user->id;
$sql.= " AND d.fk_user_author IN (".join(',',$childids).")\n";
}
$sql.= ' AND d.entity IN ('.getEntity('expensereport', 1).')';
if (!$user->rights->societe->client->voir && !$user->societe_id) $sql.= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($socid) $sql.= " AND d.fk_user_author = ".$socid;