From 51579817517c8ef8159702f81cea9a6aa883bb9b Mon Sep 17 00:00:00 2001
From: atm-ph <phf@atm-consulting.fr>
Date: Sun, 11 Jun 2017 12:59:54 +0200
Subject: [PATCH] Fix 6962 wrong permission check

---
 htdocs/expedition/card.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/htdocs/expedition/card.php b/htdocs/expedition/card.php
index 0077338aae5..a7f4043fcd1 100644
--- a/htdocs/expedition/card.php
+++ b/htdocs/expedition/card.php
@@ -73,7 +73,12 @@ $ref=GETPOST('ref','alpha');
 // Security check
 $socid='';
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user, $origin, $origin_id);
+
+if ($origin == 'expedition') $result=restrictedArea($user, $origin, $id);
+else {
+	$result=restrictedArea($user, 'expedition');
+	if (empty($user->rights->{$origin}->lire) && empty($user->rights->{$origin}->read)) accessforbidden();
+}
 
 $action		= GETPOST('action','alpha');
 $confirm	= GETPOST('confirm','alpha');