From 091df082fc023c3ddd301ae1f59e64c96eee3be4 Mon Sep 17 00:00:00 2001
From: Laurent De Coninck
Date: Tue, 8 Oct 2019 08:11:29 +0200
Subject: [PATCH] fix the access of the bank account of one user
There are 3 ways to access this tab : 1. If the module holiday is enabled 2. If the module holidays is enabled 3. If the module expense report is enabled More over that, the application checks if the user can access the bank account of the selected user. The application does that twice (logical ^^), first to know if the tab has to be displayed or not. Second time, when you arrive on the page /user/bank.php to know if you have access (eg. if you type the url directly). In this second check, the check of the expense report module was missing (added by this PR). This caused the following issue: the tab was visible but when the user clicked on itn, he received an error as he cannot access the page.
---
 htdocs/user/bank.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php
index 196819f1a4a..2e2091034f9 100644
--- a/htdocs/user/bank.php
+++ b/htdocs/user/bank.php
@@ -54,6 +54,7 @@ $ok=false;
 if ($user->id == $id) $ok=true; // A user can always read its own card
 if (! empty($user->rights->salaries->read)) $ok=true;
 if (! empty($user->rights->hrm->read)) $ok=true;
+if (! empty($user->rights->expensereport->lire) && ($user->id == $object->id || $user->rights->expensereport->readall)) $ok=true;
 if (! $ok)
 {
 accessforbidden();
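Review bot: The added authorization line compares `$user->id` with `$object->id`, while the self-access check three lines above uses `$id`. It also reads `$user->rights->expensereport->readall` without the `empty()` guard that every neighbouring permission test has. Whether `$object` is already loaded at this point is not visible in the hunk, so an access decision should not depend on it; I would write `if (! empty($user->rights->expensereport->lire) && ($user->id == $id || ! empty($user->rights->expensereport->readall))) $ok=true;`. Because `$user->id == $id` already sets `$ok`, the only new grant is that any user holding `lire` plus `readall` can open every user's bank-account page. Please confirm that an expense-report permission is meant to expose bank details, and that any write actions later in `bank.php` (outside this hunk, as is the end of the `if (! $ok)` block) check their own permission instead of relying on this read gate.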