From 7c9d85d091ba0d3754bc474e5e9cf47af07e3420 Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis.houssin@inodbox.com>
Date: Tue, 15 Jan 2019 12:18:04 +0100
Subject: [PATCH 1/2] FIX problem with multicompany transverse mode

Signed-off-by: Regis Houssin <regis.houssin@inodbox.com>
---
 htdocs/core/lib/security.lib.php | 6 +++---
 htdocs/user/card.php             | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index d2b768d75d5..d12ee339909 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -484,9 +484,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 					{
 						$sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug";
 						$sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
-						$sql.= " AND (ug.fk_user = dbt.rowid";
-						$sql.= " AND ug.entity IN (".getEntity('user')."))";
-						$sql.= " OR dbt.entity = 0"; // Show always superadmin
+						$sql.= " AND ((ug.fk_user = dbt.rowid";
+						$sql.= " AND ug.entity IN (".getEntity('usergroup')."))";
+						$sql.= " OR dbt.entity = 0)"; // Show always superadmin
 					}
 				}
 				else {
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index f0b3fb819f2..bb3d7e7d8f6 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -84,9 +84,9 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-if (!$canreaduser) {
-	$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
-}
+
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
 
 // Load translation files required by page

From adc442232398b95825e0559c894b2b0925514aba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 15 Jan 2019 17:57:30 +0100
Subject: [PATCH 2/2] Update card.php

---
 htdocs/user/card.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index bb3d7e7d8f6..6db383ed515 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -85,7 +85,9 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
 
-$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+if (! $canreaduser) {
+	$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+}
 
 if ($user->id <> $id && ! $canreaduser) accessforbidden();