From 63b15dd1b643d01235685220712499ae6f54f320 Mon Sep 17 00:00:00 2001 From: Ferran Marcet Date: Mon, 3 Aug 2020 11:17:30 +0200 Subject: [PATCH 1/5] Fix: User can see events that are not assigned to it --- htdocs/core/lib/security.lib.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 1a8045df014..ed0424d8968 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -1,6 +1,7 @@ * Copyright (C) 2008-2017 Regis Houssin + * Copyright (C) 2020 Ferran Marcet * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -247,6 +248,26 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f { if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; } } + elseif ($feature == 'agenda') + { + if ($objectid > 0) { + require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php'; + $action = new ActionComm($db); + $action->fetch($objectid); + if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, + $action->userassigned))) || empty($user->rights->agenda->myactions->read))) { + $readok = 0; + $nbko++; + } + } + else{ + if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) { + $readok = 0; + $nbko++; + } + } + + } elseif (! empty($feature2)) // This is for permissions on 2 levels { $tmpreadok=1; From 9926eac1926877bc97e3ceab8376053e48a098f0 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Mon, 3 Aug 2020 09:26:36 +0000 Subject: [PATCH 2/5] Fixing style errors. --- htdocs/core/lib/security.lib.php | 1 - 1 file changed, 1 deletion(-) 
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index ed0424d8968..e4dde96b464 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -266,7 +266,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f $nbko++; } } - } elseif (! empty($feature2)) // This is for permissions on 2 levels { From 7a077a2d9934e2cdababc6c610c7b8b2d1d21dc5 Mon Sep 17 00:00:00 2001 From: Ferran Marcet Date: Tue, 4 Aug 2020 16:45:04 +0200 Subject: [PATCH 3/5] Fix: User can see events that are not assigned to it --- htdocs/core/lib/security.lib.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index e4dde96b464..41534d8aac3 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -576,6 +576,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; } + + if ($feature == 'agenda')// Also check myactions rights + { + if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) { + require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php'; + $action = new ActionComm($db); + $action->fetch($objectid); + if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) { + return false; + } + } + } } elseif (in_array($feature, $checkproject)) { From 70ad2fcee074bbd1947f067d508d3e5c1fe4eb85 Mon Sep 17 00:00:00 2001 From: Ferran Marcet Date: Tue, 4 Aug 2020 16:45:57 +0200 Subject: [PATCH 4/5] Fix: User can see events that are not assigned to it --- htdocs/core/lib/security.lib.php | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 41534d8aac3..f9db2a0e796 100644 
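Review bot: The return value of `$action->fetch($objectid)` in the new agenda block is never checked, so for an unknown id or a failed query the ownership test runs against an unpopulated object and only denies by accident, and `array_key_exists($user->id, $action->userassigned)` assumes `userassigned` is already an array (a non-array second argument is a warning on PHP 7 and a TypeError on PHP 8). Failing closed explicitly costs two lines: test the fetch result (Dolibarr fetch() methods conventionally return > 0 on success, so this needs confirming against ActionComm) and guard the array before the three-way author/owner/assigned comparison. The `IN (".$objectid.")` built in the context lines just above suggests `$objectid` may be a comma-separated id list; if it can be, the single `fetch()` receives the whole string and the check should iterate the ids or reject lists rather than rely on a broken query to deny. `$db` is not a parameter of checkUserAccessToObject, so the block also depends on a `global $db` declared earlier in the function; the function begins and ends outside this hunk.
```php
if ($feature == 'agenda') { // Also check myactions rights
    if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
        require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
        $action = new ActionComm($db);
        // Fail closed on an unknown id or a failed query instead of comparing against empty fields
        if ($action->fetch($objectid) <= 0) {
            return false;
        }
        $assigned = is_array($action->userassigned) ? $action->userassigned : array();
        if ($action->authorid != $user->id && $action->userownerid != $user->id && !array_key_exists($user->id, $assigned)) {
            return false;
        }
    }
}
```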
--- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -248,25 +248,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f { if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; } } - elseif ($feature == 'agenda') - { - if ($objectid > 0) { - require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php'; - $action = new ActionComm($db); - $action->fetch($objectid); - if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, - $action->userassigned))) || empty($user->rights->agenda->myactions->read))) { - $readok = 0; - $nbko++; - } - } - else{ - if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) { - $readok = 0; - $nbko++; - } - } - } elseif (! empty($feature2)) // This is for permissions on 2 levels { $tmpreadok=1; From 8d8821743471e1359bd9f5d6da720c0f6ed4d2a9 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Tue, 4 Aug 2020 14:48:15 +0000 Subject: [PATCH 5/5] Fixing style errors. --- htdocs/core/lib/security.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index f9db2a0e796..804414d04df 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -564,7 +564,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php'; $action = new ActionComm($db); $action->fetch($objectid); - if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) { + if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) { return false; } }