Merge pull request #36517 from atm-florianm/SEC/commented-out-restrictedArea

SEC: FIX #36430 permissions not checked on other tabs of HRM evaluation card

htdocs/hrm/evaluation_agenda.php

@@ -96,8 +96,9 @@ $permissiontoread = $user->rights->hrm->evaluation->read; // Used by the include
 // Security check (enable the most restrictive one)
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$isdraft = $object->status == Evaluation::STATUS_DRAFT ? 1 : 0;
-//restrictedArea($user, $object->module, $object->id, $object->table_element, $object->element, 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, $object->element, $object, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
+
 if (!isModEnabled('hrm')) {
 	accessforbidden();
 }

htdocs/hrm/evaluation_contact.php

@@ -62,10 +62,8 @@ $permission = $user->rights->hrm->evaluation->write;
 // Security check (enable the most restrictive one)
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$isdraft = $object->status == Evaluation::STATUS_DRAFT ? 1 : 0;
-//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, $object->element, $object, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
-//if (empty($conf->hrm->enabled)) accessforbidden();
-//if (!$permissiontoread) accessforbidden();
 
 
 

htdocs/hrm/evaluation_document.php

@@ -85,10 +85,10 @@ $permissiontoadd  = $user->rights->hrm->evaluation->write; // Used by the includ
 $permissiontoread = $user->rights->hrm->evaluation->read;
 
 // Security check (enable the most restrictive one)
-//if ($user->socid > 0) accessforbidden();
+
-//if ($user->socid > 0) $socid = $user->socid;
+$isdraft = $object->status == Evaluation::STATUS_DRAFT ? 1 : 0;
-//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+restrictedArea($user, $object->element, $object, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
-//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
+
 if (empty($conf->hrm->enabled)) accessforbidden();
 if (!$permissiontoread) accessforbidden();
 

htdocs/hrm/evaluation_note.php

@@ -66,10 +66,10 @@ $permissiontoread = $user->rights->hrm->evaluation->read;  // Used by the includ
 // Security check (enable the most restrictive one)
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
-//$isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
+$isdraft = (($object->status == Evaluation::STATUS_DRAFT) ? 1 : 0);
-//restrictedArea($user, $object->element, $object->id, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, $object->element, $object, $object->table_element, '', 'fk_soc', 'rowid', $isdraft);
-//if (empty($conf->hrm->enabled)) accessforbidden();
+if (empty($conf->hrm->enabled)) accessforbidden();
-//if (!$permissiontoread) accessforbidden();
+if (!$permissiontoread) accessforbidden();
 
 
 /*