From b9ee95314ad89591be18b3aeff1615170615e2b7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 2 Aug 2019 17:12:59 +0200
Subject: [PATCH] SEC restrictedArea protects also the 'update' action

---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 051f3a5392a..2ee5a45c010 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -279,7 +279,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 
 	// Check write permission from module (we need to know write permission to create but also to delete drafts record)
 	$createok=1; $nbko=0;
-	if (GETPOST('action', 'aZ09')  == 'create' || ((GETPOST("action", "aZ09")  == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09")  == 'delete'))
+	if (GETPOST('action', 'aZ09')  == 'create' || GETPOST('action', 'aZ09')  == 'update' || ((GETPOST("action", "aZ09")  == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09")  == 'delete'))
 	{
 		foreach ($featuresarray as $feature)
 		{
@@ -329,7 +329,7 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 		// If a or and at least one ok
 		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $createok=1;
 
-		if (GETPOST('action', 'aZ09') == 'create' && ! $createok) accessforbidden();
+		if ((GETPOST('action', 'aZ09') == 'create' || GETPOST('action', 'aZ09') == 'update') && ! $createok) accessforbidden();
 		//print "Write access is ok";
 	}