lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX #19064

Browse Source 
Access forbidden when the password of other users is changed

Steps to reproduce the behavior

User with lire and password (user) perms, but no creer.

When this user saves or cancels the edition of the password of another user, he is sent to the prohibited page
This commit is contained in:
javieralapps4up 2021-10-21 18:17:43 +02:00 committed by GitHub
parent d264bbca3c
commit 5d854dcce1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/lib/security.lib.php
View File

@ -417,6 +417,9 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->password) {
continue; // User can edit its own password
}
if ($subfeature == 'user' && $user->id != $objectid && $user->rights->user->user->password) {
continue; // User can edit its own password
}
if (empty($user->rights->$feature->$subfeature->creer)
&& empty($user->rights->$feature->$subfeature->write)