lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #19065 from javieralapps4up/develop

Browse Source 
Access forbidden when the password of other users is changed
This commit is contained in:
Laurent Destailleur 2021-10-22 22:52:55 +02:00 committed by GitHub
commit 81882f8243
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/core/lib/security.lib.php
View File

@ -417,6 +417,9 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->password) {
continue; // User can edit its own password
}
if ($subfeature == 'user' && $user->id != $objectid && $user->rights->user->user->password) {
continue; // User can edit another user's password
}
if (empty($user->rights->$feature->$subfeature->creer)
&& empty($user->rights->$feature->$subfeature->write)

6
htdocs/user/card.php
View File

@ -2036,7 +2036,11 @@ if ($action == 'create' || $action == 'adduserldap') {
// Civility
print '<tr><td class="titlefieldcreate"><label for="civility_code">'.$langs->trans("UserTitle").'</label></td><td colspan="3">';
print $formcompany->select_civility(GETPOSTISSET("civility_code") ? GETPOST("civility_code", 'aZ09') : $object->civility_code, 'civility_code');
if ($caneditfield && !$object->ldap_sid) {
print $formcompany->select_civility(GETPOSTISSET("civility_code") ? GETPOST("civility_code", 'aZ09') : $object->civility_code, 'civility_code');
} elseif ($object->civility_code) {
print $langs->trans("Civility".$object->civility_code);
}
print '</td></tr>';
// Lastname