From 81bca34a08186b79909c41f87ea95c087530c219 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 18 Jun 2019 16:04:25 +0200
Subject: [PATCH] FIX A user may read holiday and expense report without permissions
---
 htdocs/expensereport/list.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index 8b5ef11f128..0014cb7999c 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -58,8 +58,8 @@ if ($id > 0)
 {
 $canread=0;
 if ($id == $user->id) $canread=1;
- if (! empty($user->rights->holiday->read_all)) $canread=1;
- if (! empty($user->rights->holiday->read) && in_array($id, $childids)) $canread=1;
+ if (! empty($user->rights->expensereport->readall)) $canread=1;
+ if (! empty($user->rights->expensereport->lire) && in_array($id, $childids)) $canread=1;
 if (! $canread)
 {
 accessforbidden();
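Review bot: The subordinate branch on the second added line still makes an access decision with a loose `in_array($id, $childids)`, so membership is decided by PHP's type-juggling comparison rather than by an exact id match. Since `$id` and `$childids` are both populated outside this hunk, I would normalise and compare strictly, e.g. `in_array((int) $id, array_map('intval', $childids), true)`. The whole check also sits inside `if ($id > 0)`, whose body continues past the hunk, so the listing path without an id presumably has to enforce the same `expensereport` rights in its query; that is worth confirming. A short comment above the block such as `// Read allowed for: own reports, expensereport->readall, or expensereport->lire on a subordinate` would make a copy-paste of another module's permission names easier to spot in future.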