From f32fdf3f29a0e11cd62e8471a20b279016fb039b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 4 Feb 2023 10:58:00 +0100
Subject: [PATCH] FIX #yogosha14972
---
 htdocs/core/lib/security.lib.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 4700c9dc5a0..51c3434a456 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -811,6 +811,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 $checkproject = array('projet', 'project'); // Test for project object
 $checktask = array('projet_task'); // Test for task object
 $checkhierarchy = array('expensereport', 'holiday'); // check permission among the hierarchy of user
+ $checkuser = array('bookmark'); // check permission among the fk_user (must be myself or null)
 $nocheck = array('barcode', 'stock'); // No test
 //$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...).
@@ -1033,6 +1034,15 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 }
 }
+ // For some object, we also have to check it is public or owned by user
+ // Param $object must be the full object and not a simple id to have this test possible.
+ if (in_array($feature, $checkuser) && is_object($object) && $objectid > 0) {
+ $useridtocheck = $object->fk_user;
+ if (!empty($useridtocheck) && $useridtocheck > 0 && $useridtocheck != $user->id && empty($user->admin)) {
+ return false;
+ }
+ }
+
 if ($sql) {
 $resql = $db->query($sql);
 if ($resql) {
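Review bot: The new ownership check in the second hunk is skipped entirely when `$object` is a bare id rather than a loaded object (`is_object($object)` is part of the condition), so any caller that still passes only the id gets the pre-patch behaviour for `bookmark` and the fix depends on every call site being updated; if no caller legitimately passes an id for a feature in `$checkuser`, the guard should deny rather than fall through, e.g. `if (in_array($feature, $checkuser) && $objectid > 0 && !is_object($object)) { return false; }` placed before the existing block. The comparison `$useridtocheck != $user->id` is also loose; since `fk_user` is presumably read from the database as a string, `(int) $useridtocheck !== (int) $user->id` makes the intent explicit and removes the reliance on `!=` type juggling. `$objectid` and the rest of the enclosing `checkUserAccessToObject` body are defined outside the hunk.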