FIX CWE-269 - huntr - Can download files of an agenda event

Dolibarr · May 24, 2021 · 31af74f · 31af74f
1 parent d4310f4
commit 31af74f
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
@@ -2447,6 +2447,16 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 		// Wrapping for events
 		if ($fuser->rights->agenda->myactions->{$read}) {
 			$accessallowed = 1;
+			// If we known $id of project, call checkUserAccessToObject to check permission on the given agenda event on properties and assigned users
+			if ($refname && !preg_match('/^specimen/i', $original_file)) {
+				include_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
+				$tmpobject = new ActionComm($db);
+				$tmpobject->fetch((int) $refname);
+				$accessallowed = checkUserAccessToObject($user, array('agenda'), $tmpobject->id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id', '');
+				if ($user->socid && $tmpobject->socid) {
+					$accessallowed = checkUserAccessToObject($user, array('societe'), $tmpobject->socid);
+				}
+			}
 		}
 		$original_file = $conf->agenda->dir_output.'/'.$original_file;
 	} elseif ($modulepart == 'category' && !empty($conf->categorie->multidir_output[$entity])) {