From 45a7e0356236705c516e8098112cca0c7a2566ca Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Wed, 16 Jan 2019 19:13:21 +0100
Subject: [PATCH] FIX a user can always read its own card

---
 htdocs/core/lib/security.lib.php | 4 +++-
 htdocs/user/card.php             | 5 +----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index d12ee339909..d8193f8067e 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -181,7 +181,7 @@ function dol_verifyHash($chain, $hash, $type='0')
  */
 function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null, $isdraft=0)
 {
-	global $db, $conf;
+	global $db, $conf, $user;
 	global $hookmanager;
 	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
@@ -253,6 +253,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 				$tmpreadok=1;
 				foreach($feature2 as $subfeature)
 				{
+					if ($subfeature == 'user' && $user->id == $objectid) continue;	// A user can always read its own card
 					if (! empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $tmpreadok=0; }
 					else if (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $tmpreadok=0; }
 					else { $tmpreadok=1; break; } // Break is to bypass second test if the first is ok
@@ -262,6 +263,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
 						$readok=0;	// All tests are ko (we manage here the and, the or will be managed later using $nbko).
 						$nbko++;
 					}
+					var_dump($readok);
 				}
 				else if (! empty($feature) && ($feature!='user' && $feature!='usergroup'))	// This is for old permissions
 				{
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index d84c52068cc..19e85962038 100644
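Review bot: `global $db, $conf, $user;` rebinds the local `$user` to `$GLOBALS['user']` inside a function whose first parameter is already named `$user`, so the argument the caller passed is silently discarded from that line on. The callers visible in this patch pass the logged-in `$user`, so the two coincide today, but any call that evaluates rights for a different user object (or a unit test building its own user) would now be checked against the session user instead, and the function signature no longer means what it says. The new own-card check in the next hunk can use the parameter as-is, so keep the old line `global $db, $conf;` and drop `$user` from it. restrictedArea's body continues well past this hunk.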
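Review bot: `continue` on the new own-card line does not actually grant read access; it only skips this subfeature and leaves `$tmpreadok` to whatever the remaining iterations decide, whereas the granted branch just below uses `$tmpreadok=1; break;` because the loop is an OR over subfeatures. With `$tmpreadok=1` set before the loop this works for the single-subfeature call in card.php, but a `$feature2` list such as `user` followed by a subfeature the user lacks would end the loop with `$tmpreadok=0` and deny the user's own card. Mirror the granted branch: `if ($subfeature == 'user' && $user->id == $objectid) { $tmpreadok=1; break; }	// A user can always read its own card`. Since `$objectid` arrives from the request (`$id` in card.php), a cast-and-strict comparison such as `(int) $user->id === (int) $objectid` would also avoid the loose `==` semantics.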
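Review bot: `var_dump($readok);` is debugging output left inside the permission check and must not be merged: every page whose access goes through restrictedArea with a `$feature2` would echo the internal read decision straight into the HTTP response, before headers and HTML, and on a security library that also leaks the outcome of the rights evaluation to the visitor. Remove the line. If a trace is wanted, the file's own convention is the syslog call seen commented out in the first hunk, e.g. `dol_syslog("restrictedArea readok=".$readok);`, which stays out of the response.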
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -83,11 +83,8 @@ if ($id)
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
-if ($user->id == $id) { $feature2=''; $canreaduser=1; }	// A user can always read its own card
-if (! $canreaduser) {	// TODO security broken with Multicompany
-	$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
-}
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();