
Fix vulnerability: External users can set a public note

Laurent Destailleur 4 years ago
parent
commit
8cc100012d
1 changed files with 13 additions and 11 deletions
  1. 13 11
      htdocs/core/actions_setnotes.inc.php

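--- a/htdocs/core/actions_setnotes.inc.php
+++ b/htdocs/core/actions_setnotes.inc.php
@@ -67,16 +67,18 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel',
 			}
 		}
 	}
-} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) {
-	// Set public note
-	if (empty($action) || !is_object($object) || empty($id)) {
-		dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
-	}
-	if (empty($object->id)) {
-		$object->fetch($id); // Fetch may not be already done
-	}
-	$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
-	if ($result < 0) {
-		setEventMessages($object->error, $object->errors, 'errors');
+} elseif ($action == 'setnote_private' && !empty($permissionnote) && !GETPOST('cancel', 'alpha')) {	// Set public note
+	if (empty($user->socid)) {
+		// Private notes (always hidden to external users)
+		if (empty($action) || !is_object($object) || empty($id)) {
+			dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
+		}
+		if (empty($object->id)) {
+			$object->fetch($id); // Fetch may not be already done
+		}
+		$result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES | ENT_HTML5), '_private');
+		if ($result < 0) {
+			setEventMessages($object->error, $object->errors, 'errors');
+		}
 	}
 }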
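Review bot: The trailing comment on the new `elseif` line, `// Set public note`, labels the `setnote_private` branch as the public one and contradicts the `// Private notes (always hidden to external users)` comment two lines below; it should read `// Set private note`. The new `if (empty($user->socid))` guard also fails closed silently: an external user (presumably one with a non-zero `socid`) who posts `setnote_private` gets no error and no log entry, so the blocked write is invisible to both the user and anyone auditing abuse attempts — consider an `else { accessforbidden(); }` (or at least `setEventMessages(..., 'errors')`) after the guard. Note that the commit title speaks of the public note while this hunk only guards the private-note branch; the `setnote_public` branch begins above the hunk and is not visible here, so whether it received the same guard cannot be confirmed from this view.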