
Merge pull request #10341 from hregis/8.0_bug

FIX security broken with Multicompany
Laurent Destailleur
2019-01-26 14:28:13 +01:00
committed by GitHub
10 changed files with 13 additions and 30 deletions


@@ -252,6 +252,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
$tmpreadok=1;
foreach($feature2 as $subfeature)
{
if ($subfeature == 'user' && $user->id == $objectid) continue; // A user can always read its own card
if (! empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $tmpreadok=0; }
else if (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $tmpreadok=0; }
else { $tmpreadok=1; break; } // Break is to bypass second test if the first is ok
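Review bot: The self-read exemption on the `$subfeature == 'user'` line is scoped only by the sub-feature name, not by `$feature`. If any caller passes `'user'` in `$feature2` for an object type other than a user (not visible from this hunk), the read-permission test is skipped whenever that object's id happens to equal the caller's user id. Because `$tmpreadok` starts at 1 and `continue` leaves it untouched, the skip acts as a grant when `'user'` is the only sub-feature checked. The comparison is also loose and `$objectid` defaults to 0 in the signature, so I would tighten the line to `if ($feature == 'user' && $subfeature == 'user' && $objectid > 0 && (int) $user->id === (int) $objectid) continue;`. restrictedArea() begins and ends outside this hunk, so whether a later entity or ownership check already covers this case cannot be confirmed from here.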