Merge pull request #5299 from atm-maxime/fix_expensereport_rights

Fix rights check on expense reports
2016-06-04 18:40:45 +02:00 · 2016-06-04 18:40:45 +02:00 · a4411c7fe7
commit a4411c7fe7
parent aebc7b1233 abe84ef991
1 changed files with 6 additions and 6 deletions
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@ -805,7 +805,7 @@ if ($action == 'set_paid' && $id > 0 && $user->rights->expensereport->to_paid)
 	}
 }

-if ($action == "addline")
+if ($action == "addline" && $user->rights->expensereport->creer)
 {
 	$error = 0;

@ -896,7 +896,7 @@ if ($action == "addline")
 	$action='';
 }

-if ($action == 'confirm_delete_line' && GETPOST("confirm") == "yes")
+if ($action == 'confirm_delete_line' && GETPOST("confirm") == "yes" && $user->rights->expensereport->creer)
 {
 	$object = new ExpenseReport($db);
 	$object->fetch($id);
@ -939,7 +939,7 @@ if ($action == 'confirm_delete_line' && GETPOST("confirm") == "yes")
 	}
 }

-if ($action == "updateligne" )
+if ($action == "updateligne" && $user->rights->expensereport->creer)
 {
 	$object = new ExpenseReport($db);
 	$object->fetch($id);
@ -1647,7 +1647,7 @@ else
 							print '<td style="text-align:right;">'.$langs->trans('AmountTTC').'</td>';
 						}
 						// Ajout des boutons de modification/suppression
-						if ($object->fk_statut < 2 || $object->fk_statut==99)
+						if (($object->fk_statut < 2 || $object->fk_statut==99) && $user->rights->expensereport->creer)
 						{
 							print '<td style="text-align:right;"></td>';
 						}
@ -1690,7 +1690,7 @@ else
 								}

 								// Ajout des boutons de modification/suppression
-								if($object->fk_statut<2 OR $object->fk_statut==99)
+								if(($object->fk_statut<2 OR $object->fk_statut==99) && $user->rights->expensereport->creer)
 								{
 									print '<td style="text-align:right;" class="nowrap">';
 									print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=editline&amp;rowid='.$objp->rowid.'#'.$objp->rowid.'">';
@ -1770,7 +1770,7 @@ else
 					//print '</div>';

 					// Add a line
-					if (($object->fk_statut==0 || $object->fk_statut==99) && $action != 'editline')
+					if (($object->fk_statut==0 || $object->fk_statut==99) && $action != 'editline' && $user->rights->expensereport->creer)
 					{
 						print_fiche_titre($langs->trans("AddLine"),'','');