lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: User can see events that are not assigned to it

Browse Source
This commit is contained in:
Ferran Marcet 2020-08-03 11:17:30 +02:00
parent b57ec55812
commit 63b15dd1b6
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
htdocs/core/lib/security.lib.php
View File

@ -1,6 +1,7 @@
<?php
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2008-2017 Regis Houssin <regis.houssin@inodbox.com>
* Copyright (C) 2020 Ferran Marcet <fmarcet@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -247,6 +248,26 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
{
if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; }
}
elseif ($feature == 'agenda')
{
if ($objectid > 0) {
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
$action = new ActionComm($db);
$action->fetch($objectid);
if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,
$action->userassigned))) || empty($user->rights->agenda->myactions->read))) {
$readok = 0;
$nbko++;
}
}
else{
if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) {
$readok = 0;
$nbko++;
}
}
}
elseif (! empty($feature2)) // This is for permissions on 2 levels
{
$tmpreadok=1;