From d3b715974b5f50dfb73dde30e72e62c96aba7ba8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 13 Oct 2007 00:25:16 +0000 Subject: [PATCH] Fix: Un utilisateur doit pouvoir lire ces propres infos --- htdocs/user/info.php | 11 ++++++----- htdocs/user/note.php | 9 +++++---- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/htdocs/user/info.php b/htdocs/user/info.php index 29ed71fa8e8..1a274c3c7fb 100644 --- a/htdocs/user/info.php +++ b/htdocs/user/info.php @@ -16,7 +16,6 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * $Id$ - * $Source$ */ /** @@ -33,21 +32,23 @@ require_once(DOL_DOCUMENT_ROOT."/user.class.php"); $langs->load("user"); $user->getrights('user'); -if (!$user->rights->user->user->lire) - accessforbidden(); // Sécurité accés client et commerciaux $id = isset($_GET["id"])?$_GET["id"]:''; +// If user is not user read and no permission to read other users, we stop +if (($fuser->id != $user->id) && (! $user->rights->user->user->lire)) + accessforbidden(); - -llxHeader(); + /* * Visualisation de la fiche * */ +llxHeader(); + $user = new User($db); $user->id=$_GET["id"]; $user->fetch(); diff --git a/htdocs/user/note.php b/htdocs/user/note.php index f9e99258f87..3fe0297f8f3 100644 --- a/htdocs/user/note.php +++ b/htdocs/user/note.php @@ -17,7 +17,6 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * $Id$ - * $Source$ */ /** @@ -40,13 +39,15 @@ $langs->load("companies"); $langs->load("members"); $langs->load("bills"); -if (!$user->rights->user->user->lire) - accessforbidden(); - $fuser = new User($db); $fuser->id = $id; $fuser->fetch(); +// If user is not user read and no permission to read other users, we stop +if (($fuser->id != $user->id) && (! $user->rights->user->user->lire)) + accessforbidden(); + + /******************************************************************************/ /* Actions */
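Review bot: The new guard in info.php tests `$fuser->id`, but nothing in this hunk assigns `$fuser`; the page only builds the target user further down, as `$user = new User($db);`, after `llxHeader()`. Unless an include above the hunk sets `$fuser`, `$fuser->id` evaluates to null, the first operand is always true, and the guard behaves like the old `lire` check: it still fails closed, but a user without that right remains blocked from their own record. Comparing against the requested id would do what the comment says: `$id = isset($_GET["id"]) ? (int) $_GET["id"] : 0;` followed by `if (($id != $user->id) && (! $user->rights->user->user->lire))`. The later `$user->id=$_GET["id"];` should then reuse `$id`, so the record that is loaded is the one that was authorized rather than the raw request string.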
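Review bot: The guard added ahead of the Actions block in note.php now admits any user to their own record without the `lire` right, and `lire` is a read permission; whether the actions that follow check a right of their own is not visible in this hunk. If they do not, this gate is the only check on the update path for a self-request, so each action should test its own permission before modifying anything. The ownership test also uses a loose `!=` on `$fuser->id`, which is set from `$id` just above; if `$id` arrives from the request unconverted (its assignment is outside the hunk), convert it once with `$id = (int) $id;` before `$fuser->id = $id;` so the comparison and `fetch()` work on the same integer. The comment would read more clearly as `// Stop unless the user is reading their own record or has the right to read other users`.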