From 3fb6978bc8c288deaabfb2f6228351d1204ec7a2 Mon Sep 17 00:00:00 2001
From: gauthier <gauthier.verdol@atm-consulting.fr>
Date: Thu, 14 Mar 2019 17:36:49 +0100
Subject: [PATCH 1/2] FIX : no need to test anything to display documents tabs
 on expense report

---
 htdocs/core/lib/security.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index c204809e9a1..9162676795c 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -382,7 +382,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 		$checkother = array('contact','agenda');	 // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 		$checkproject = array('projet','project'); // Test for project object
 		$checktask = array('projet_task');
-		$nocheck = array('barcode','stock');	// No test
+		$nocheck = array('barcode','stock','expensereport');	// No test
 		$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 
 		// If dbtablename not defined, we use same name for table than module name

From 8375b47e743fab913332e027513f7e7d73e7aa48 Mon Sep 17 00:00:00 2001
From: gauthier <gauthier.verdol@atm-consulting.fr>
Date: Fri, 15 Mar 2019 10:21:50 +0100
Subject: [PATCH 2/2] FIX : in fact expensereport must be in $check array

---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 9162676795c..50f6e516a9f 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -377,12 +377,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 		if ($feature == 'project') $feature='projet';
 		if ($feature == 'task') $feature='projet_task';
 
-		$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
+		$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie','expensereport'); // Test on entity only (Objects with no link to company)
 		$checksoc = array('societe');	 // Test for societe object
 		$checkother = array('contact','agenda');	 // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 		$checkproject = array('projet','project'); // Test for project object
 		$checktask = array('projet_task');
-		$nocheck = array('barcode','stock','expensereport');	// No test
+		$nocheck = array('barcode','stock');	// No test
 		$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 
 		// If dbtablename not defined, we use same name for table than module name