Fix: Un utilisateur doit pouvoir lire ces propres infos

2007-10-13 00:25:16 +00:00 · 2007-10-13 00:25:16 +00:00 · d3b715974b
commit d3b715974b
parent 03a28119f9
2 changed files with 11 additions and 9 deletions
--- a/htdocs/user/info.php
+++ b/htdocs/user/info.php
@ -16,7 +16,6 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * $Id$
- * $Source$
 */

 /**
@ -33,21 +32,23 @@ require_once(DOL_DOCUMENT_ROOT."/user.class.php");
 $langs->load("user");

 $user->getrights('user');
-if (!$user->rights->user->user->lire)
-  accessforbidden();

 // Sécurité accés client et commerciaux
 $id = isset($_GET["id"])?$_GET["id"]:'';

+// If user is not user read and no permission to read other users, we stop
+if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
+  accessforbidden();

-
-llxHeader();
+  

 /*
 * Visualisation de la fiche
 *
 */

+llxHeader();
+
 $user = new User($db);
 $user->id=$_GET["id"];
 $user->fetch();
--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@ -17,7 +17,6 @@
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * $Id$
- * $Source$
 */

 /**
@ -40,13 +39,15 @@ $langs->load("companies");
 $langs->load("members");
 $langs->load("bills");

-if (!$user->rights->user->user->lire)
-  accessforbidden();
-
 $fuser = new User($db);
 $fuser->id = $id;
 $fuser->fetch();

+// If user is not user read and no permission to read other users, we stop
+if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
+  accessforbidden();
+
+

 /******************************************************************************/
 /*                     Actions                                                */