Merge pull request #14355 from fmarcet/10.0

Fix: User can see events that are not assigned to it
Laurent Destailleur 2020-08-07 14:54:39 +02:00 committed by GitHub
commit 5482a3134a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,7 @@
<?php
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2008-2017 Regis Houssin <regis.houssin@inodbox.com>
* Copyright (C) 2020 Ferran Marcet <fmarcet@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -556,6 +557,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
if ($feature == 'agenda')// Also check myactions rights
{
if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
$action = new ActionComm($db);
$action->fetch($objectid);
if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) {
return false;
}
}
}
}
elseif (in_array($feature, $checkproject))
{
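Review bot: The result of `$action->fetch($objectid)` is discarded, so when the event does not exist or the load fails, the ownership test on the next line runs against whatever defaults `ActionComm` leaves in `authorid`, `userownerid` and `userassigned`. Denying explicitly would be safer; assuming `fetch()` follows the usual convention of returning a value <= 0 on not-found or error (to be confirmed in the class), use `if ($action->fetch($objectid) <= 0) return false;`. The `array_key_exists()` call should also be guarded with `is_array($action->userassigned)`, since that property's initial value is not visible here. Separately, the context line above builds `IN (".$objectid.")`, which suggests `$objectid` may carry a list of ids; if so, this check appears to cover only the single event that `fetch()` resolves, so it is worth confirming how callers pass ids for the agenda feature. The body of `checkUserAccessToObject` starts and ends outside this hunk.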