From 7a077a2d9934e2cdababc6c610c7b8b2d1d21dc5 Mon Sep 17 00:00:00 2001
From: Ferran Marcet <fmarcet@2byte.es>
Date: Tue, 4 Aug 2020 16:45:04 +0200
Subject: [PATCH] Fix: User can see events that are not assigned to it

---
 htdocs/core/lib/security.lib.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index e4dde96b464..41534d8aac3 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -576,6 +576,18 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 				$sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 			}
+
+			if ($feature == 'agenda')// Also check myactions rights
+			{
+				if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
+					require_once DOL_DOCUMENT_ROOT . '/comm/action/class/actioncomm.class.php';
+					$action = new ActionComm($db);
+					$action->fetch($objectid);
+					if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id,$action->userassigned))) {
+						return false;
+					}
+				}
+			}
 		}
 		elseif (in_array($feature, $checkproject))
 		{