FIX security check. A user can see holiday with link without permissions

Laurent Destailleur 2019-11-01 21:27:19 +01:00
parent a3a326b25e
commit cf2ee892ee


@ -44,10 +44,6 @@ $id=GETPOST('id', 'int');
$ref=GETPOST('ref', 'alpha');
$fuserid = (GETPOST('fuserid', 'int')?GETPOST('fuserid', 'int'):$user->id);
// Protection if external user
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'holiday', $id, 'holiday');
$now=dol_now();
// Load translation files required by the page
@ -61,9 +57,9 @@ if (! empty($conf->global->HOLIDAY_FOR_NON_SALARIES_TOO)) $morefilter = '';
$error = 0;
$object = new Holiday($db);
if ($id > 0)
if (($id > 0) || $ref)
{
$object->fetch($id);
$object->fetch($id, $ref);
// Check current user can read this leave request
$canread = 0;
@ -83,6 +79,12 @@ $candelete = 0;
if (! empty($user->rights->holiday->delete)) $candelete=1;
if ($object->statut == Holiday::STATUS_DRAFT && $user->rights->holiday->write && in_array($object->fk_user, $childids)) $candelete=1;
// Protection if external user
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'holiday', $object->id, 'holiday');
/*
* Actions
*/
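Review bot: The return value of `$object->fetch($id, $ref)` is not checked, so when the id or ref matches no leave request the relocated `restrictedArea($user, 'holiday', $object->id, 'holiday')` call receives an empty `$object->id`. The body of restrictedArea is not visible here, but if it skips the per-object check for an empty id, that path is covered only by the module-level permission, and the page then continues with an unloaded object. I would keep the result, `$res = $object->fetch($id, $ref);`, and stop with a not-found or access-denied response when the fetch reports failure, before `$canread` and `$candelete` are computed. The `if (($id > 0) || $ref)` block continues outside the hunk, so an existing check further down may already cover this.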