lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: User can see events that are not assigned to it

Browse Source
This commit is contained in:
Ferran Marcet 2020-08-04 16:45:04 +02:00
parent 1a62a36b86
commit 7a077a2d99
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
htdocs/core/lib/security.lib.php
View File

@ -576,6 +576,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
if ($feature == 'agenda')// Also check myactions rights
{
if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
$action = new ActionComm($db);
$action->fetch($objectid);
if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) {
return false;
}
}
}
}
elseif (in_array($feature, $checkproject))
{