Improper Privilege Management in dolibarr/dolibarr
May 22nd 2021
unprivileged user can see task associated with a project
user dont have access to specific project but still can see task attached to this project .
💥 TESTED VERSION
💥 STEP TO REPRODUCE
1. First goto admin account and add user B as normal user .
Now give user B bellow permission for
Project module .
-->Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet).
So, user B can see only project that he is assigned to or owner and he cant modify any .
2. Now from admin account goto
Project module and create a Project .
If user B try to open this project using url like
http://localhost/dolibarr-develop/htdocs/projet/card.php?id=1 then he get permission denied .
Now admin add a task to this project .
So,here user B should not see this task and project .
3. Finally goto user B account and visit above task(created by admin ,attached to above project) using url like
http://localhost/dolibarr-develop/htdocs/projet/tasks/task.php?id=1&withproject=1 and user B can see this task .