From 916954b301a1168064489a73d4111225f8ab5499 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Sat, 30 Nov 2019 14:48:05 +0100
Subject: [PATCH] Fix #12371 : access rights on contacts
---
 htdocs/core/lib/company.lib.php | 2 +-
 htdocs/societe/contact.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 68ad744dee2..8528c25bac7 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -52,7 +52,7 @@ function societe_prepare_head(Societe $object)
 if (empty($conf->global->MAIN_SUPPORT_SHARED_CONTACT_BETWEEN_THIRDPARTIES))
 {
- if (empty($conf->global->MAIN_DISABLE_CONTACTS_TAB))
+ if (empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && $user->rights->societe->contact->lire)
 {
 //$nbContact = count($object->liste_contact(-1,'internal')) + count($object->liste_contact(-1,'external'));
 $nbContact = 0; // TODO
diff --git a/htdocs/societe/contact.php b/htdocs/societe/contact.php
index 37fb07eb652..8a988edc413 100644
--- a/htdocs/societe/contact.php
+++ b/htdocs/societe/contact.php
@@ -88,6 +88,7 @@ if (! empty($canvas))
 // Security check
 $result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', $objcanvas);
+if(empty($user->rights->societe->contact->lire)) accessforbidden();
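Review bot: In the company.lib.php hunk, the new tab condition reads `$user->rights->societe->contact->lire` directly, whereas the guard added in contact.php wraps the same property in `empty()`. If that permission property is not set for a user, the direct read still evaluates falsy, so the tab stays hidden, but it can raise a PHP notice or warning; `if (empty($conf->global->MAIN_DISABLE_CONTACTS_TAB) && ! empty($user->rights->societe->contact->lire))` keeps the two checks consistent. The body of societe_prepare_head starts and ends outside the hunk, so it should be confirmed that `$user` is declared global there; otherwise the condition is always false and the tab disappears for every user. Hiding the tab is presentation only; the actual enforcement is the `accessforbidden()` call in contact.php, so any other page that lists a third party's contacts would need the same server-side check.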