Improper Privilege Management in dolibarr/dolibarrValid
May 19th 2021
unprivileged user can see all details of a product
💥 STEP TO REPRODUCE
1. From admin account add user B as normal user .
Now dont give any permission for Product module for user B .
So, user B should not see any product details .
2. Now from admin create a product .
3. Finally goto user B account and visit
http://localhost/dolibarr/htdocs/product/note.php?id=1 to see product details .