bug fix that allowed to view /user/bank.php?id= for any other user id…

… (salaries read -> readall. + allowing user to edit their own bank account as well as personal email and phone. + allowing user to change their own bank account and allow useradmin to add a bank account for a user
Dolibarr · Mar 23, 2024 · dc3a46c · dc3a46c
1 parent e739c0d
commit dc3a46c
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php
@@ -85,19 +85,21 @@
 }
 
 // Define value to know what current user can do on users
+$selfpermission = ( $user->id == $id && $user->hasRight('user', 'self', 'creer'));
 $canadduser = (!empty($user->admin) || $user->hasRight('user', 'user', 'creer') || $user->hasRight('hrm', 'write_personal_information', 'write') );
 $canreaduser = (!empty($user->admin) || $user->hasRight('user', 'user', 'lire') || $user->hasRight('hrm', 'read_personal_information', 'read') );
-$permissiontoaddbankaccount = ($user->hasRight('salaries', 'write') || $user->hasRight('hrm', 'employee', 'write') || $user->hasRight('user', 'user', 'creer') || $user->hasRight('user', 'self', 'creer'));
+$permissiontoaddbankaccount = ($user->hasRight('salaries', 'write') || $user->hasRight('hrm', 'employee', 'write') || $user->hasRight('user', 'user', 'creer') || $selfpermission);
 $permissiontoreadhr = $user->hasRight('hrm', 'read_personal_information', 'read') || $user->hasRight('hrm', 'write_personal_information', 'write');
 $permissiontowritehr = $user->hasRight('hrm', 'write_personal_information', 'write');
+$permissiontosimpleedit = ( $selfpermission || $canadduser );
 
-// Ok if user->hasRight('salaries', 'read') or user->hasRight('hrm', 'read')
+// Ok if user->hasRight('salaries', 'readall') or user->hasRight('hrm', 'read')
 //$result = restrictedArea($user, 'salaries|hrm', $object->id, 'user&user', $feature2);
 $ok = false;
 if ($user->id == $id) {
 	$ok = true; // A user can always read its own card
 }
-if ($user->hasRight('salaries', 'read')) {
+if ($user->hasRight('salaries', 'readall')) {
 	$ok = true;
 }
 if ($user->hasRight('hrm', 'read')) {
@@ -201,7 +203,7 @@
 }
 
 // update personal email
-if ($action == 'setpersonal_email' && $canadduser && !$cancel) {
+if ($action == 'setpersonal_email' && $permissiontosimpleedit && !$cancel) {
 	$object->personal_email = (string) GETPOST('personal_email', 'alphanohtml');
 	$result = $object->update($user);
 	if ($result < 0) {
@@ -210,7 +212,7 @@
 }
 
 // update personal mobile
-if ($action == 'setpersonal_mobile' && $canadduser && !$cancel) {
+if ($action == 'setpersonal_mobile' && $permissiontosimpleedit && !$cancel) {
 	$object->personal_mobile = (string) GETPOST('personal_mobile', 'alphanohtml');
 	$result = $object->update($user);
 	if ($result < 0) {
@@ -493,7 +495,7 @@
 	}
 
 	// Personal email
-	if ($user->hasRight('hrm', 'read_personal_information', 'read') || $user->hasRight('hrm', 'write_personal_information', 'write')) {
+	if ($user->hasRight('hrm', 'read_personal_information', 'read') || $user->hasRight('hrm', 'write_personal_information', 'write') || $permissiontosimpleedit) {
 		print '<tr class="nowrap">';
 		print '<td>';
 		print $form->editfieldkey("UserPersonalEmail", 'personal_email', $object->personal_email, $object, $user->hasRight('user', 'user', 'creer') || $user->hasRight('hrm', 'write_personal_information', 'write'));
@@ -504,7 +506,7 @@
 	}
 
 	// Personal phone
-	if ($user->hasRight('hrm', 'read_personal_information', 'read') || $user->hasRight('hrm', 'write_personal_information', 'write')) {
+	if ($user->hasRight('hrm', 'read_personal_information', 'read') || $user->hasRight('hrm', 'write_personal_information', 'write') || $permissiontosimpleedit) {
 		print '<tr class="nowrap">';
 		print '<td>';
 		print $form->editfieldkey("UserPersonalMobile", 'personal_mobile', $object->personal_mobile, $object, $user->hasRight('user', 'user', 'creer') || $user->hasRight('hrm', 'write_personal_information', 'write'));
@@ -895,7 +897,7 @@
 }
 
 // Edit
-if ($id && ($action == 'edit' || $action == 'create') && $user->hasRight('user', 'user', 'creer')) {
+if ($id && ($action == 'edit' || $action == 'create') && $permissiontoaddbankaccount) {
 	$title = $langs->trans("User");
 	print dol_get_fiche_head($head, 'bank', $title, 0, 'user');
 
@@ -1030,11 +1032,11 @@
 	print $form->buttonsSaveCancel($action == 'create' ? "Create" : "Modify");
 }
 
-if ($id && $action == 'edit' && $user->hasRight('user', 'user', 'creer')) {
+if ($id && $action == 'edit' && $permissiontoaddbankaccount) {
 	print '</form>';
 }
 
-if ($id && $action == 'create' && $user->hasRight('user', 'user', 'creer')) {
+if ($id && $action == 'create' && $permissiontoaddbankaccount) {
 	print '</form>';
 }