Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on

May 22nd 2021


💥 BUG

unprivileged user can see task associated with a project

💥 IMPACT

user dont have access to specific project but still can see task attached to this project .

💥 TESTED VERSION

dolibarr 14.0.0-beta

💥 STEP TO REPRODUCE

1. First goto admin account and add user B as normal user .
Now give user B bellow permission for Project module .
-->Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet).
So, user B can see only project that he is assigned to or owner and he cant modify any .

2. Now from admin account goto Project module and create a Project .
If user B try to open this project using url like http://localhost/dolibarr-develop/htdocs/projet/card.php?id=1 then he get permission denied .
Now admin add a task to this project .
So,here user B should not see this task and project .

3. Finally goto user B account and visit above task(created by admin ,attached to above project) using url like http://localhost/dolibarr-develop/htdocs/projet/tasks/task.php?id=1&withproject=1 and user B can see this task .

Laurent Destailleur confirmed that a fix has been merged on 2acb84 2 months ago
Laurent Destailleur has been awarded the fix bounty