Fix #6365

Dolibarr · Feb 3, 2017 · 76280f8 · 76280f8
1 parent d740bdb
commit 76280f8
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php
@@ -171,9 +171,6 @@ function _cleanObjectDatas($object) {
 	 */
 	static function _checkAccessToResource($resource, $resource_id=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid') {
 
-        // For backward compatibility
-        if ($resource == 'member') $resource='adherent';
-
 		// Features/modules to check
 		$featuresarray = array($resource);
 		if (preg_match('/&/', $resource)) {
@@ -188,7 +185,7 @@ static function _checkAccessToResource($resource, $resource_id=0, $dbtablename='
 			$feature2 = explode("|", $feature2);
 		}
 
-		return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray,$resource_id,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+		return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray, $resource_id, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
 	}
 
 	/**

diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
@@ -343,7 +343,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
  * This function is also called by restrictedArea
  *
  * @param User		$user			User to check
- * @param array		$featuresarray	Features/modules to check
+ * @param array		$featuresarray	Features/modules to check. Example: ('user','service') 
  * @param int		$objectid		Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
  * @param string	$tableandshare	'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
  * @param string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
@@ -365,6 +365,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 	{
 		$sql='';
 
+		// For backward compatibility
+		if ($feature == 'member') $feature='adherent';
+
 		$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
 		$checksoc = array('societe');	 // Test for societe object
 		$checkother = array('contact');	 // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).