diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index b297c81035e..4c36244a5bf 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -611,7 +611,7 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta $feature = 'projet_task'; } - $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salary', 'website'); // Test on entity only (Objects with no link to company) + $check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website'); // Test on entity only (Objects with no link to company) $checksoc = array('societe'); // Test for societe object $checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet', 'project'); // Test for project object diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php index d3c7ba504cb..f83f879cf8e 100755 --- a/htdocs/salaries/card.php +++ b/htdocs/salaries/card.php @@ -67,9 +67,27 @@ $fk_user = GETPOSTINT('userid'); $object = new Salary($db); $extrafields = new ExtraFields($db); +$childids = $user->getAllChildIds(1); + // fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); +if (($id > 0) || $ref) { + $object->fetch($id, $ref); + + // Check current user can read this leave request + $canread = 0; + if (!empty($user->rights->salaries->readall)) { + $canread = 1; + } + if (!empty($user->rights->salaries->read) && in_array($object->fk_user, $childids)) { + $canread = 1; + } + if (!$canread) { + accessforbidden(); + } +} + // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('salarycard', 'globalcard'));