lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: User can see events that are not assigned to it

Browse Source
This commit is contained in:
Ferran Marcet 2020-08-04 16:45:57 +02:00
parent 7a077a2d99
commit 70ad2fcee0
1 changed files with 0 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
htdocs/core/lib/security.lib.php
View File

@ -248,25 +248,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
{
if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; }
}
elseif ($feature == 'agenda')
{
if ($objectid > 0) {
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
$action = new ActionComm($db);
$action->fetch($objectid);
if (empty($user->rights->agenda->allactions->read) && (($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,
$action->userassigned))) || empty($user->rights->agenda->myactions->read))) {
$readok = 0;
$nbko++;
}
}
else{
if (empty($user->rights->agenda->myactions->read) && empty($user->rights->agenda->allactions->read)) {
$readok = 0;
$nbko++;
}
}
}
elseif (! empty($feature2)) // This is for permissions on 2 levels
{
$tmpreadok=1;