From 6660923e94aac1bf5be7c4341cdec9906fe281bf Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 17 Jun 2020 13:29:43 +0200
Subject: [PATCH] FIX Privilege escalation reported by wizlynx WLX-2020-011

---
 htdocs/core/lib/security.lib.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 0c8f6fceca5..7c4a10f3a18 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -277,9 +277,12 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 	if (!$readok) accessforbidden();
 	//print "Read access is ok";
 
-	// Check write permission from module (we need to know write permission to create but also to delete drafts record)
+	// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
 	$createok = 1; $nbko = 0;
-	if (GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update' || ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete'))
+	$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update');
+	$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
+
+	if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft)
 	{
 		foreach ($featuresarray as $feature)
 		{
@@ -341,7 +344,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 		// If a or and at least one ok
 		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $createok = 1;
 
-		if ((GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update') && !$createok) accessforbidden();
+		if ($wemustcheckpermissionforcreate && !$createok) accessforbidden();
 		//print "Write access is ok";
 	}