Merged master into fixing-broken-features

workflow/engine/classes/class.case.php

@@ -6569,11 +6569,11 @@ class Cases
         }
 
         global $RBAC;
-        //Adding the actual user if this has the PM_REASSIGNCASE permission assigned.
-        if ($RBAC->userCanAccess('PM_REASSIGNCASE') == 1){
-        	if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)){
-        	    $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
-        	}
+        //Adding the actual user if this has the PM_SUPERVISOR permission assigned.
+        if ($RBAC->userCanAccess('PM_SUPERVISOR') == 1) {
+            if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)) {
+                $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
+            }
         }
 
         require_once 'classes/model/Users.php';

workflow/engine/methods/login/login.php

@@ -36,7 +36,7 @@ $aFields = array();
 if (!isset($_GET['u'])) {
     $aFields['URL'] = '';
 } else {
-    $aFields['URL'] = urldecode(htmlentities($_GET['u']));
+    $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
 }
 
 if (!isset($_SESSION['G_MESSAGE'])) {

workflow/engine/methods/login/retrivePassword.php

@@ -8,7 +8,7 @@ G::LoadClass("system");
 
 $rbacUser = new RbacUsers();
 $user = new Users();
-
+$data['USR_USERNAME'] = strip_tags($data['USR_USERNAME']);
 $userData = $rbacUser->getByUsername($data['USR_USERNAME']);
 
 if ($userData['USR_EMAIL'] != '' && $userData['USR_EMAIL'] === $data['USR_EMAIL'] && ($userData['USR_AUTH_TYPE'] === '' || $userData['USR_AUTH_TYPE'] == 'MYSQL') ) {