Improper Privilege Management in dolibarr/dolibarr
May 19th 2021
An unprivileged user can see all details of a product.
💥 STEPS TO REPRODUCE
1. From the admin account, add user B as a normal user. Do not grant user B any permission on the Product module, so user B should not be able to see any product details.
2. Now, as admin, create a product.
3. Finally, log in as user B and visit http://localhost/dolibarr/htdocs/product/note.php?id=1 to see the product details.
Laurent Destailleur commented 2 years ago
This occurs when the user has permission to read services but not permission to read products. A lack of a test makes the user able to read a product of type "product" when only having permission to read "service".
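The maintainer's explanation describes a classic authorization slip: one page serves two record types (product and service) that are governed by two separate read rights, and the guard accepts either right without looking at which type the requested record actually is. The PHP below is an added illustration of that pattern and its fix, not Dolibarr's own code. The right names (`canReadProducts`, `canReadServices`), the type constants and the helper functions are assumptions chosen to mirror the two permissions the comment names, and the user B scenario is constructed from the reproduction steps.

```php
<?php
// Added illustration, not Dolibarr's own code. Models the read check on a
// shared product/service page as the maintainer's comment describes it:
// a record has a type (product or service) and read access is governed by
// two independent rights. All names here are assumed for the illustration.

declare(strict_types=1);

const TYPE_PRODUCT = 0; // assumed stand-in for the "product" type
const TYPE_SERVICE = 1; // assumed stand-in for the "service" type

/** Minimal stand-in for the rights a logged-in user carries. */
final class Rights
{
    public bool $canReadProducts;
    public bool $canReadServices;

    public function __construct(bool $canReadProducts, bool $canReadServices)
    {
        $this->canReadProducts = $canReadProducts;
        $this->canReadServices = $canReadServices;
    }
}

/**
 * The flawed shape: a read right on either module unlocks any record served
 * by the page. The record type is never consulted, so a service-only user
 * passes this check for a record of type "product" as well.
 */
function canReadVulnerable(Rights $rights, int $type): bool
{
    return $rights->canReadProducts || $rights->canReadServices;
}

/**
 * The corrected shape: the right that is consulted depends on the record's
 * type. A service-only user is refused for a product, and vice versa, and an
 * unrecognised type is denied instead of falling into a permissive branch.
 */
function canReadFixed(Rights $rights, int $type): bool
{
    switch ($type) {
        case TYPE_PRODUCT:
            return $rights->canReadProducts;
        case TYPE_SERVICE:
            return $rights->canReadServices;
        default:
            return false;
    }
}

// Constructed scenario from the report: user B has no Product-module rights
// but does hold the service read right, the condition under which the
// maintainer says the bypass occurs. The admin-created record is a product.
$userB = new Rights(false, true);
$recordType = TYPE_PRODUCT;

printf("vulnerable check lets user B read the product: %s\n",
    canReadVulnerable($userB, $recordType) ? 'yes' : 'no');
printf("fixed check lets user B read the product:      %s\n",
    canReadFixed($userB, $recordType) ? 'yes' : 'no');

// The fixed check still admits a user who holds the matching right, so the
// legitimate case is not broken by the tightening.
$userWithProductRight = new Rights(true, false);
printf("fixed check lets a product-reader read the product: %s\n",
    canReadFixed($userWithProductRight, $recordType) ? 'yes' : 'no');
```

Run it with `php` on the command line. The practical takeaway when auditing a page that handles several record types behind one URL is to locate the record first, read its type, and then test exactly the right that type requires; an `||` across the rights of every type the page can serve is the shape that produced this bug.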