From 09d1680ea072b4fef82bda3b9299b255f2ab2870 Mon Sep 17 00:00:00 2001
From: lainwir3d <rondu.richard@gmail.com>
Date: Mon, 6 Sep 2021 12:07:48 +0400
Subject: [PATCH] FIX #18627 Allow users with self read / modify rights to get
 own info.

---
 htdocs/user/class/api_users.class.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index e0cbd849092..4059402a8fc 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -151,7 +151,8 @@ class Users extends DolibarrApi
 	 */
 	public function get($id, $includepermissions = 0)
 	{
-		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
+			!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->id == $id))) {
 			throw new RestException(401, 'Not allowed');
 		}
 
@@ -189,7 +190,8 @@ class Users extends DolibarrApi
 	 */
 	public function getByLogin($login, $includepermissions = 0)
 	{
-		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
+			!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->login == $login))) {
 			throw new RestException(401, 'Not allowed');
 		}
 
@@ -223,7 +225,8 @@ class Users extends DolibarrApi
 	 */
 	public function getByEmail($email, $includepermissions = 0)
 	{
-		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
+		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin) &&
+			!(!empty(DolibarrApiAccess::$user->rights->user->self->creer) && (DolibarrApiAccess::$user->email == $email))) {
 			throw new RestException(401, 'Not allowed');
 		}
 
@@ -256,7 +259,7 @@ class Users extends DolibarrApi
 	 */
 	public function getInfo($includepermissions = 0)
 	{
-		if (empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
+		if(empty(DolibarrApiAccess::$user->rights->user->self->creer) && empty(DolibarrApiAccess::$user->rights->user->user->lire) && empty(DolibarrApiAccess::$user->admin)) {
 			throw new RestException(401, 'Not allowed');
 		}