diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index 0d008cea93d..94754a71c7f 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -64,6 +64,8 @@ $comments=GETPOST('comments', 'none');
 $fk_c_type_fees=GETPOST('fk_c_type_fees', 'int');
 $socid = GETPOST('socid', 'int')?GETPOST('socid', 'int'):GETPOST('socid_id', 'int');
+$childids = $user->getAllChildIds(1);
+
 // Security check
 $id=GETPOST("id", 'int');
 if ($user->societe_id) $socid=$user->societe_id;
@@ -111,6 +113,18 @@ $permissionedit = $user->rights->expensereport->creer; // Used by the include
 $upload_dir = $conf->expensereport->dir_output.'/'.dol_sanitizeFileName($object->ref);
+if ($object->id > 0)
+{
+ // Check current user can read this expense report
+ $canread = 0;
+ if (! empty($user->rights->expensereport->readall)) $canread=1;
+ if (! empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread=1;
+ if (! $canread)
+ {
+ accessforbidden();
+ }
+}
+
 /*
  * Actions
diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php
index c67daf8f92b..87305a19fd4 100644
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
@@ -67,6 +67,22 @@ if (! empty($conf->global->HOLIDAY_FOR_NON_SALARIES_TOO)) $morefilter = '';
 $error = 0;
+$object = new Holiday($db);
+if ($id > 0)
+{
+ $object->fetch($id);
+
+ // Check current user can read this leave request
+ $canread = 0;
+ if (! empty($user->rights->holiday->read_all)) $canread=1;
+ if (! empty($user->rights->holiday->read) && in_array($object->fk_user, $childids)) $canread=1;
+ if (! $canread)
+ {
+ accessforbidden();
+ }
+}
+
+
 /*
  * Actions
  */
@@ -79,7 +95,6 @@ if (GETPOST('cancel', 'alpha'))
 // If create a request
 if ($action == 'create')
 {
- $object = new Holiday($db);
 // If no right to create a request
 if (! $cancreate)
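Review bot: The new read gate in expensereport/card.php admits only `readall`, or `lire` when `fk_user_author` is in `$childids`, so a user who is the report's designated approver but sits outside the author's hierarchy and lacks `readall` will now receive `accessforbidden()` on a report they are expected to act on; if the object carries such an approver field (a `fk_user_validator`-style column, not visible here), add it as a third way to earn `$canread=1` rather than relying on `readall`. The membership test is also a loose `in_array()` on a DB-sourced value; compare as integers, `if (! empty($user->rights->expensereport->lire) && in_array((int) $object->fk_user_author, array_map('intval', $childids), true)) $canread=1;`. The gate assumes `$object` was already fetched above this hunk, which is outside the visible lines, and it is bypassed entirely when `$object->id` is 0, so nothing here protects actions that resolve the object themselves.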
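Review bot: In the holiday/card.php hunk at `@@ -67,6 +67,22 @@`, the return value of `$object->fetch($id)` is ignored, so an unknown or deleted `id` leaves the object empty: a `read_all` user continues through the page with an unpopulated `$object`, while everyone else is refused by a check that compared an empty `fk_user` against `$childids`. Fail explicitly before the permission check, e.g. `$result = $object->fetch($id);` followed by `if ($result <= 0) { dol_print_error($db, $object->error); exit; }` (the usual pattern in this codebase, assuming `dol_print_error` is in scope as elsewhere). The check also admits only `read_all` or a requester inside the current user's `$childids`; a leave request's approver is typically not the requester's hierarchical superior, so if the object exposes the approver (a `fk_validator`-style field, not shown in the hunk) consider `if (! empty($user->rights->holiday->read) && $object->fk_validator == $user->id) $canread=1;` so approvers without `read_all` can still open what they must approve. Note the hunk relies on `$childids` being populated earlier in this file, which is not part of the visible diff.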
@@ -91,6 +106,8 @@ if ($action == 'create')
 if (! $error)
 {
+ $object = new Holiday($db);
+
 $db->begin();
 $date_debut = dol_mktime(0, 0, 0, GETPOST('date_debut_month'), GETPOST('date_debut_day'), GETPOST('date_debut_year'));
@@ -200,7 +217,6 @@ if ($action == 'create')
 if ($action == 'update' && GETPOSTISSET('savevalidator') && ! empty($user->rights->holiday->approve))
 {
- $object = new Holiday($db);
 $object->fetch($id);
 $object->oldcopy = dol_clone($object);
@@ -246,7 +262,6 @@ if ($action == 'update' && ! GETPOSTISSET('savevalidator'))
 exit;
 }
- $object = new Holiday($db);
 $object->fetch($id);
 // If under validation
@@ -330,7 +345,6 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights-
 $db->begin();
- $object = new Holiday($db);
 $object->fetch($id);
 // If this is a rough draft, approved, canceled or refused
@@ -364,7 +378,6 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights-
 // Action validate (+ send email for approval)
 if ($action == 'confirm_send')
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si brouillon et créateur
@@ -469,7 +482,6 @@ if ($action == 'confirm_send')
 // Approve leave request
 if ($action == 'confirm_valid')
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = utilisateur
@@ -583,7 +595,6 @@ if ($action == 'confirm_refuse' && GETPOST('confirm', 'alpha') == 'yes')
 {
 if (! empty($_POST['detail_refuse']))
 {
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = utilisateur
@@ -683,7 +694,6 @@ if ($action == 'confirm_draft' && GETPOST('confirm') == 'yes')
 {
 $error = 0;
- $object = new Holiday($db);
 $object->fetch($id);
 $oldstatus = $object->statut;
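Review bot: The `$object = new Holiday($db);` added inside `if (! $error)` in the create action silently replaces the page-level instance that, when an `id` was supplied, has already been fetched and read-gated; starting from a fresh instance is the right thing for a create, so no fields of an existing request bleed into the new one, but the intent is not stated while the same line is deliberately removed from every other action in this file, which invites a future "cleanup". A one-line comment such as `// Start from a fresh instance: the page-level $object may hold a request fetched from $id` would make the asymmetry intentional. The create action's body continues beyond the visible hunk lines.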
@@ -714,7 +724,6 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes')
 {
 $error = 0;
- $object = new Holiday($db);
 $object->fetch($id);
 // Si statut en attente de validation et valideur = valideur ou utilisateur, ou droits de faire pour les autres