BUG 8408 Acceso a Documentos por usuarios sin permiso... SOLVED

- Not validated the permission PM_FOLDERS_VIEW.
- the user must have this permit and may only view documents in the processes that participate, and for see all with the permission PM_ALLCASES.

workflow/engine/methods/appFolder/appFolderAjax.php

@@ -120,7 +120,9 @@ function expandNode(){
     $totalDocuments=0;
     
     if(($_POST['sendWhat']=="dirs")||($_POST['sendWhat']=="both")){
-        $folderListObj = $oPMFolder->getFolderList ( $_POST ['node'] != 'root' ? $_POST ['node'] == 'NA' ? "" : $_POST ['node'] : $rootFolder, $limit, $start );
+        
+        
+        $folderListObj = $oPMFolder->getFolderList ( $_POST ['node'] != 'root' ? $_POST ['node'] == 'NA' ? "" : $_POST ['node'] : $rootFolder, $limit, $start);
         //G::pr($folderListObj);
         $folderList=$folderListObj['folders'];
         $totalFolders=$folderListObj['totalFoldersCount'];
@@ -128,14 +130,15 @@ function expandNode(){
 
 //        G::pr($folderListObj);
     }
-    if(($_POST['sendWhat']=="files")||($_POST['sendWhat']=="both")){
-        $folderContentObj = $oPMFolder->getFolderContent ( $_POST ['node'] != 'root' ? $_POST ['node'] == 'NA' ? "" : $_POST ['node'] : $rootFolder, array(), NULL, NULL, $limit, $start );
+    if (($_POST['sendWhat'] == "files")||($_POST['sendWhat'] == "both")) {
+        global $RBAC;
+        $user = ($RBAC->userCanAccess('PM_ALLCASES') == 1)? '' : $_SESSION['USER_LOGGED'];
+        $folderContentObj = $oPMFolder->getFolderContent ( $_POST ['node'] != 'root' ? $_POST ['node'] == 'NA' ? "" : $_POST ['node'] : $rootFolder, array(), NULL, NULL, $limit, $start, $user);
         //G::pr($folderContentObj);
         $folderContent=$folderContentObj['documents'];
         $totalDocuments=$folderContentObj['totalDocumentsCount'];
         $totalItems+=count($folderContent);
-
-//G::pr($folderContent);
+        //G::pr($folderContent);
     }
 //    G::pr($folderList);
 //var_dump(isset($folderList));