FIX permission on payment file of a tax

htdocs/core/lib/security.lib.php

@@ -889,7 +889,10 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 			$feature = 'agenda';
 			$dbtablename = 'actioncomm';
 		}
-		if ($feature == 'payment_sc') {
+		if ($feature == 'payment_sc' && empty($parenttableforentity)) {
+			// If we check perm on payment page but $parenttableforentity not defined, we force value on parent table
+			$parenttableforentity = '';
+			$dbtablename = "chargesociales";
 			$feature = "chargesociales";
 			$objectid = $object->fk_charge;
 		}
@@ -897,7 +900,7 @@ function checkUserAccessToObject($user, array $featuresarray, $object = 0, $tabl
 		$checkonentitydone = 0;
 
 		// Array to define rules of checks to do
-		$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales'); // Test on entity only (Objects with no link to company)
+		$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'payment_sc', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website', 'recruitment', 'chargesociales'); // Test on entity only (Objects with no link to company)
 		$checksoc = array('societe'); // Test for object Societe
 		$checkparentsoc = array('agenda', 'contact', 'contrat'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
 		$checkproject = array('projet', 'project'); // Test for project object