Improper Privilege Management in dolibarr/dolibarr


Reported on May 22nd 2021


Unprivileged user can see tasks associated with a project


A user who does not have access to a specific project can still see tasks attached to that project.


dolibarr 14.0.0-beta


1. First, from the admin account, add user B as a normal user.
Now give user B the permission below for the Project module:
--> Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet).
So user B can only see projects he is assigned to or owns, and he cannot modify any of them.

2. Now, from the admin account, go to the Project module and create a project.
If user B tries to open this project using a URL like http://localhost/dolibarr-develop/htdocs/projet/card.php?id=1, he gets permission denied.
Now the admin adds a task to this project.
So here user B should see neither this task nor the project.

3. Finally, go to user B's account and visit the task above (created by the admin and attached to the project above) using a URL like http://localhost/dolibarr-develop/htdocs/projet/tasks/task.php?id=1&withproject=1, and user B can see this task.
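The defect described by the steps above is a missing object-level authorization check: the task page verifies that the user holds the module permission but never asks whether the user may read the task's parent project. The following is an added example, not Dolibarr code, that models that check in Python; the class and function names (`Project`, `User`, `can_read_project`, `task_view_vulnerable`, `task_view_fixed`) and the permission flags are assumptions chosen to mirror the permission text quoted in step 1.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    id: int
    owner_id: int
    public: bool = False                           # a "shared" project: readable by anyone with read permission
    contact_ids: set = field(default_factory=set)  # users who are contacts of this project

@dataclass
class User:
    id: int
    read_projects: bool = False      # "Read projects and tasks (shared project and projects I'm contact for)"
    read_all_projects: bool = False  # the wider permission an administrator holds

def can_read_project(user, project):
    # Object-level check: the module permission alone is not enough, the user needs a relation to this project.
    if not user.read_projects:
        return False
    if user.read_all_projects:
        return True
    return project.public or project.owner_id == user.id or user.id in project.contact_ids

def task_view_vulnerable(user, task, projects):
    # Mirrors the reported behaviour: only the module-level permission is checked before the task is shown.
    if not user.read_projects:
        raise PermissionError("no read permission on the project module")
    return {"task": task["id"], "project": task["project_id"]}

def task_view_fixed(user, task, projects):
    # Hardened: resolve the parent project and apply the same check the project card applies.
    if not user.read_projects:
        raise PermissionError("no read permission on the project module")
    if not can_read_project(user, projects[task["project_id"]]):
        raise PermissionError("no access to the parent project")
    return {"task": task["id"], "project": task["project_id"]}

def reproduce():
    # Constructed scenario from the report; returns (vulnerable_view_leaks, fixed_view_denies).
    user_b = User(id=2, read_projects=True)            # step 1: normal user with the limited permission
    projects = {1: Project(id=1, owner_id=1)}          # step 2: admin (id 1) owns a non-shared project
    task = {"id": 1, "project_id": 1}                  # step 2: task the admin attached to it
    leaks = task_view_vulnerable(user_b, task, projects)["task"] == 1
    try:
        task_view_fixed(user_b, task, projects)
        denies = False
    except PermissionError:
        denies = True
    return leaks, denies
```

`reproduce()` returns `(True, True)`: the unchecked view discloses the task to user B, while the hardened view denies it because user B is neither owner nor contact of the parent project and the project is not shared.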

Laurent Destailleur marked this as fixed with commit 2acb84 2 years ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE