From b87ac639fd4ed060e73653f9123420cfa3354c8b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 9 Sep 2021 03:02:18 +0200
Subject: [PATCH] Update card.php

---
 htdocs/salaries/card.php | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php
index f83f879cf8e..6d30ae73e3d 100755
--- a/htdocs/salaries/card.php
+++ b/htdocs/salaries/card.php
@@ -72,28 +72,24 @@ $childids = $user->getAllChildIds(1);
 // fetch optionals attributes and labels
 $extrafields->fetch_name_optionals_label($object->table_element);
 
-if (($id > 0) || $ref) {
-	$object->fetch($id, $ref);
-
-	// Check current user can read this leave request
-	$canread = 0;
-	if (!empty($user->rights->salaries->readall)) {
-		$canread = 1;
-	}
-	if (!empty($user->rights->salaries->read) && in_array($object->fk_user, $childids)) {
-		$canread = 1;
-	}
-	if (!$canread) {
-		accessforbidden();
-	}
-}
-
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('salarycard', 'globalcard'));
 
 $object = new Salary($db);
 if ($id > 0 || !empty($ref)) {
 	$object->fetch($id, $ref);
+
+	// Check current user can read this salary
+	$canread = 0;
+	if (!empty($user->rights->salaries->readall)) {
+		$canread = 1;
+	}
+	if (!empty($user->rights->salaries->read) && $object->fk_user > 0 && in_array($object->fk_user, $childids)) {
+		$canread = 1;
+	}
+	if (!$canread) {
+		accessforbidden();
+	}
 }
 
 // Security check