Improper Privilege Management in dolibarr/dolibarr
May 23rd 2021
An unprivileged user can attach an agenda event to a leave request.
A user who does not have any access to the Leave module can add an agenda event to a leave request.
💥 TESTED VERSION
💥 STEP TO REPRODUCE
1. First go to the admin account and add user B as a normal user.
Now give user B the permissions below for the
Agenda module:
-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to)
-->Create/modify actions (events or tasks) linked to his user account (if owner of event)
Do not give any permission for the
Leave Request Management module.
So user B cannot see any leave request.
2. Now, from the admin account, go to the HRM module and add a new leave request. The approver and the owner of this leave request will be the admin himself.
3. Finally, go to user B's account and visit the URL
Now user B will get a form to create an agenda event. After submitting the form, this event will be attached to the leave request created above.
So user B does not have any permission in leave management but can still attach an agenda event to a leave request.
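The root cause described above is that creating an agenda event checks only the Agenda permissions, not whether the user may access the object the event is linked to. The following added example (not Dolibarr code; the user, permission and object names are constructed for illustration) models the corrected check: attaching an event to a linked object requires both the Agenda create right and a read right on the linked object's module, so user B is refused while the admin is allowed.

```python
# Model of an authorization check for attaching an agenda event to a linked
# object. This is an added illustration, not Dolibarr's own code.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    # constructed permission set, e.g. {"agenda:create", "holiday:read"}
    perms: set = field(default_factory=set)
    is_admin: bool = False

    def has(self, perm: str) -> bool:
        return self.is_admin or perm in self.perms

@dataclass
class LinkedObject:
    kind: str      # module that owns the object, e.g. "holiday"
    owner: str     # user the object belongs to

def can_attach_event(user: User, target: LinkedObject) -> bool:
    """Return True only if the user may create agenda events AND may read
    the object the event would be attached to."""
    if not user.has("agenda:create"):
        return False
    # Checking the linked object's module is the step the vulnerable flow skipped:
    # without it, Agenda rights alone allow attaching events to objects in
    # modules the user cannot see.
    return user.has(f"{target.kind}:read")

def attach_event(user: User, target: LinkedObject, events: list) -> bool:
    """Append an event to the shared list if authorized; report success."""
    if not can_attach_event(user, target):
        return False
    events.append({"by": user.name, "linked_to": target.kind})
    return True

def demo() -> dict:
    # Constructed scenario matching the report: admin owns a leave request,
    # user B has only Agenda rights and no Leave (holiday) rights.
    admin = User("admin", is_admin=True)
    user_b = User("B", perms={"agenda:read", "agenda:create"})
    leave = LinkedObject(kind="holiday", owner="admin")
    events: list = []
    return {
        "admin": attach_event(admin, leave, events),
        "user_b": attach_event(user_b, leave, events),
        "count": len(events),
    }

if __name__ == "__main__":
    print(demo())
```

The same pattern applies wherever a record references another module's object: authorization must be evaluated against the referenced object, not only against the module the request was sent to.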