diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 86ffa2d77fe..2dc0b4b9d9d 100644
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
@@ -51,7 +51,10 @@ if ($_GET["id"])
 }
 // Security check
-$result = restrictedArea($user, 'user', $_GET["id"], '', 'user');
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
 if ($user->id <> $_GET["id"] && ! $canreadperms) accessforbidden();
 $langs->load("users");
diff --git a/htdocs/user/info.php b/htdocs/user/info.php
index 729ee34750e..911ae2fc501 100644
--- a/htdocs/user/info.php
+++ b/htdocs/user/info.php
@@ -35,6 +35,13 @@ $id = isset($_GET["id"])?$_GET["id"]:'';
 $fuser = new User($db);
 $fuser->id = $id;
 $fuser->fetch();
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+
 // If user is not user read and no permission to read other users, we stop
 if (($fuser->id != $user->id) && (! $user->rights->user->user->lire)) accessforbidden();
diff --git a/htdocs/user/ldap.php b/htdocs/user/ldap.php
index 276e6d40077..f4ff52deb44 100644
--- a/htdocs/user/ldap.php
+++ b/htdocs/user/ldap.php
@@ -37,11 +37,11 @@ $langs->load("ldap");
 // Protection quand utilisateur externe
 $contactid = isset($_GET["id"])?$_GET["id"]:'';
+// Security check
 $socid=0;
-if ($user->societe_id > 0)
-{
- $socid = $user->societe_id;
-}
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
 $fuser = new User($db, $_GET["id"]);
 $fuser->fetch();
diff --git a/htdocs/user/note.php b/htdocs/user/note.php
index 5a3dce893a4..eaed67dfafa 100644
--- a/htdocs/user/note.php
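Review bot: `$result` from the new `restrictedArea($user, 'user', $_GET["id"], '', $feature2)` call is never inspected, in this hunk and in the identical blocks added to info.php, ldap.php, note.php, param_ihm.php and perms.php; if restrictedArea reports a denial through its return value instead of calling accessforbidden() itself, all six checks are no-ops, so either confirm it exits on failure or follow each call with `if (! $result) accessforbidden();`. Pasting the same four lines into six files also means the external-user rule (`$feature2` becomes `''` whenever `$socid` is set and `self->creer` is held, which skips the second-level permission check entirely) will drift the first time it is adjusted; a single helper that computes `$socid`/`$feature2` and calls restrictedArea would keep the policy in one place. In that `''` case this page only confines an external user to their own record through the following `if ($user->id <> $_GET["id"] && ! $canreadperms) accessforbidden();` (with `$canreadperms` presumably set in the `if ($_GET["id"])` block that starts before the hunk), so any page that adopts the block without such a test is wider than intended. The object id is also handed to restrictedArea as the raw request string; casting it, `(int) $_GET["id"]`, would make the comparison and any lookup inside the helper unambiguous.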
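Review bot: In info.php the security block is placed after `$fuser->fetch()`, so the target user's record is loaded from the database before restrictedArea has decided whether the caller may see it; nothing in the hunk suggests fetch() has other side effects, but authorization conventionally runs first. Move the four lines above `$fuser = new User($db);`, directly after the `$id = isset($_GET["id"])?$_GET["id"]:'';` shown in the hunk header, and pass `$id` rather than `$_GET["id"]` so the check and the fetch are guaranteed to use the same value.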
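Review bot: In ldap.php the new block is the only access test in the hunk, and when `$feature2` is `''` (external user holding `self->creer`) nothing visible here restricts that user to their own id the way fiche.php's `if ($user->id <> $_GET["id"] && ! $canreadperms) accessforbidden();` does; unless an equivalent test exists further down the file, add `if ($user->id != $_GET["id"] && ! $user->rights->user->user->lire) accessforbidden();` right after the restrictedArea call, ahead of `$fuser = new User($db, $_GET["id"]);`. The braced `if` is also collapsed to one line here only to match the other files, which is harmless but mixes a reformat into a security change; keeping such edits separate leaves the behavioural diff easier to audit.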
+++ b/htdocs/user/note.php
@@ -45,6 +45,12 @@ $fuser->fetch();
 // If user is not user read and no permission to read other users, we stop
 if (($fuser->id != $user->id) && (! $user->rights->user->user->lire)) accessforbidden();
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
diff --git a/htdocs/user/param_ihm.php b/htdocs/user/param_ihm.php
index bd39eacb3ad..fc8ee5a664e 100644
--- a/htdocs/user/param_ihm.php
+++ b/htdocs/user/param_ihm.php
@@ -41,10 +41,14 @@ if ($_REQUEST["id"])
 $caneditfield=( (($user->id == $_REQUEST["id"]) && $user->rights->user->self->creer) || (($user->id != $_REQUEST["id"]) && $user->rights->user->user->creer));
 }
-if ($user->id <> $_REQUEST["id"] && ! $canreadperms)
-{
- accessforbidden();
-}
+
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+if ($user->id <> $_REQUEST["id"] && ! $canreadperms) accessforbidden();
+
 $id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
 $dirtop = "../includes/menus/barre_top";
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index e9af7285e49..28be70cd9cc 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
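Review bot: In param_ihm.php the new check passes `$_GET["id"]` to restrictedArea while the surrounding code keys on `$_REQUEST["id"]` and, two lines later, `$id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];`, so the object id that gets authorized and the one the page then acts on can be different values when the id arrives only in the POST body; the same `$_GET` versus `$_REQUEST` split appears in the perms.php hunk. Compute the id once before the block and use it everywhere: `$id = isset($_GET["id"]) ? $_GET["id"] : $_POST["id"];` then `$result = restrictedArea($user, 'user', $id, '', $feature2);` and `if ($user->id <> $id && ! $canreadperms) accessforbidden();`. `$canreadperms` appears to be assigned inside the `if ($_REQUEST["id"])` block that begins before the hunk; when no id is supplied it stays undefined and the guard fails closed, which is acceptable but worth a comment.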
@@ -32,16 +32,20 @@ require_once(DOL_DOCUMENT_ROOT."/lib/usergroups.lib.php");
 $langs->load("users");
 $langs->load("admin");
-$form = new Form($db);
-
 $module=isset($_GET["module"])?$_GET["module"]:$_POST["module"];
-if (! isset($_GET["id"])) accessforbidden();
+if (! isset($_GET["id"]) || empty($_GET["id"])) accessforbidden();
 // Defini si peux modifier utilisateurs et permisssions
 $caneditperms=($user->admin || $user->rights->user->user->creer);
+// Security check
+$socid=0;
+if ($user->societe_id > 0) $socid = $user->societe_id;
+$feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
+$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+if ($user->id <> $_REQUEST["id"] && ! $canreadperms) accessforbidden();
 /**
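Review bot: The added `if ($user->id <> $_REQUEST["id"] && ! $canreadperms) accessforbidden();` references `$canreadperms`, which neither this hunk nor its context defines — only `$caneditperms` is set on the preceding line; unless it is assigned earlier in the file, the undefined variable is null, `! $canreadperms` is always true, and every caller other than the target user, admins included, is refused. Define it beside its sibling, `$canreadperms=($user->admin || $user->rights->user->user->lire);`, or test `$caneditperms` if editing rights are what this page actually requires. The tightened guard `if (! isset($_GET["id"]) || empty($_GET["id"]))` can simply be `if (empty($_GET["id"]))`, since `empty()` already covers an unset key. The `/**` on the last hunk line opens a comment that continues past the hunk.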