From a5e670291e8cedb47d0cb10e3c81841f41236b89 Mon Sep 17 00:00:00 2001 From: lmarcouiller Date: Wed, 8 Sep 2021 15:36:51 +0200 Subject: [PATCH 1/2] Fix permission for salaries module --- htdocs/core/lib/security.lib.php | 2 +- htdocs/salaries/card.php | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index b297c81035e..4c36244a5bf 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -611,7 +611,7 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $feature = 'projet_task'; } - $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salary', 'website'); // Test on entity only (Objects with no link to company) + $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website'); // Test on entity only (Objects with no link to company) $checksoc = array('societe'); // Test for societe object $checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet', 'project'); // Test for project object diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php index d3c7ba504cb..f83f879cf8e 100755 --- a/htdocs/salaries/card.php +++ b/htdocs/salaries/card.php @@ -67,9 +67,27 @@ $fk_user = GETPOSTINT('userid'); $object = new Salary($db); $extrafields = new ExtraFields($db); +$childids = $user->getAllChildIds(1); + // fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); +if (($id > 0) || $ref) { + $object->fetch($id, $ref); + + // Check current user can read this leave request + $canread = 0; + if (!empty($user->rights->salaries->readall)) { + $canread = 1; + } + if (!empty($user->rights->salaries->read) && in_array($object->fk_user, $childids)) { + $canread = 1; + } + if (!$canread) { + accessforbidden(); + } +} + // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('salarycard', 'globalcard')); From b87ac639fd4ed060e73653f9123420cfa3354c8b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 9 Sep 2021 03:02:18 +0200 Subject: [PATCH 2/2] Update card.php --- htdocs/salaries/card.php | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php index f83f879cf8e..6d30ae73e3d 100755 --- a/htdocs/salaries/card.php +++ b/htdocs/salaries/card.php @@ -72,28 +72,24 @@ $childids = $user->getAllChildIds(1); // fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); -if (($id > 0) || $ref) { - $object->fetch($id, $ref); - - // Check current user can read this leave request - $canread = 0; - if (!empty($user->rights->salaries->readall)) { - $canread = 1; - } - if (!empty($user->rights->salaries->read) && in_array($object->fk_user, $childids)) { - $canread = 1; - } - if (!$canread) { - accessforbidden(); - } -} - // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('salarycard', 'globalcard')); $object = new Salary($db); if ($id > 0 || !empty($ref)) { $object->fetch($id, $ref); + + // Check current user can read this salary + $canread = 0; + if (!empty($user->rights->salaries->readall)) { + $canread = 1; + } + if (!empty($user->rights->salaries->read) && $object->fk_user > 0 && in_array($object->fk_user, $childids)) { + $canread = 1; + } + if (!$canread) { + accessforbidden(); + } } // Security check