diff --git a/workflow/engine/classes/class.case.php b/workflow/engine/classes/class.case.php
index 17dcab0ff..2a1a47f62 100755
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -6569,11 +6569,11 @@ class Cases
         }
 
         global $RBAC;
-        //Adding the actual user if this has the PM_REASSIGNCASE permission assigned.
-        if ($RBAC->userCanAccess('PM_REASSIGNCASE') == 1){
-            if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)){
-                $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
-            }
+        //Adding the actual user if this has the PM_SUPERVISOR permission assigned.
+        if ($RBAC->userCanAccess('PM_SUPERVISOR') == 1) {
+            if(!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row)) {
+                $row[] = $RBAC->aUserInfo['USER_INFO']['USR_UID'];
+            }
         }
 
         require_once 'classes/model/Users.php';
diff --git a/workflow/engine/methods/login/login.php b/workflow/engine/methods/login/login.php
index c41d91393..f5ec92edf 100755
--- a/workflow/engine/methods/login/login.php
+++ b/workflow/engine/methods/login/login.php
@@ -36,7 +36,7 @@ $aFields = array();
 if (!isset($_GET['u'])) {
     $aFields['URL'] = '';
 } else {
-    $aFields['URL'] = urldecode(htmlentities($_GET['u']));
+    $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
 }
 
 if (!isset($_SESSION['G_MESSAGE'])) {
diff --git a/workflow/engine/methods/login/retrivePassword.php b/workflow/engine/methods/login/retrivePassword.php
index 09b805123..a4db15b51 100755
--- a/workflow/engine/methods/login/retrivePassword.php
+++ b/workflow/engine/methods/login/retrivePassword.php
@@ -8,7 +8,7 @@ G::LoadClass("system");
 $rbacUser = new RbacUsers();
 $user = new Users();
-
+$data['USR_USERNAME'] = strip_tags($data['USR_USERNAME']);
 $userData = $rbacUser->getByUsername($data['USR_USERNAME']);
 if ($userData['USR_EMAIL'] != '' && $userData['USR_EMAIL'] === $data['USR_EMAIL'] && ($userData['USR_AUTH_TYPE'] === '' || $userData['USR_AUTH_TYPE'] == 'MYSQL')
 ) {
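Review bot: The authorization check swaps PM_REASSIGNCASE for PM_SUPERVISOR without a comment explaining the intent, so a user who holds PM_REASSIGNCASE but not PM_SUPERVISOR silently disappears from the list built in $row. If both roles are meant to see themselves here the condition should cover both, e.g. `if ($RBAC->userCanAccess('PM_SUPERVISOR') == 1 || $RBAC->userCanAccess('PM_REASSIGNCASE') == 1) {`; otherwise the comment above it should state why the supervisor permission is the right gate for a reassignment list. The membership test should also be strict, `if (!in_array($RBAC->aUserInfo['USER_INFO']['USR_UID'], $row, true)) {`, so a loosely-equal entry cannot suppress the append. The enclosing method of class Cases starts and ends outside the hunk.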
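Review bot: The new filter chain on `$_GET['u']` escapes for HTML but never checks that the post-login redirect target is a path on this application, which is the check a redirect parameter actually needs; htmlspecialchars, strip_tags and addslashes do not stop an absolute or protocol-relative URL from going through. PHP has already URL-decoded `$_GET`, so the extra urldecode() is a second decode and the addslashes/stripslashes pair only corrupts legitimate values containing quotes. I would validate the value as a relative path and leave context escaping to the point of output (the template that renders `$aFields['URL']` is outside this hunk, so I cannot confirm whether it escapes).
```php
} else {
    // Accept only an application-relative path: drop anything with a scheme, a host
    // or a protocol-relative "//" / "\\" prefix so the redirect cannot leave this site.
    $u = trim($_GET['u']);
    $parts = parse_url($u);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || substr($u, 0, 2) === '//' || substr($u, 0, 1) === '\\') {
        $u = '';
    }
    $aFields['URL'] = htmlspecialchars($u, ENT_QUOTES, 'UTF-8');
}
```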
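Review bot: `strip_tags()` rewrites the submitted username instead of validating it, so a legitimate account whose name contains `<` is looked up under a different name, and it gives no protection for the database lookup, which has to come from the query behind getByUsername() (outside this hunk, so unverified here). `$data` is assigned before this hunk; if USR_USERNAME is missing, strip_tags(null) emits a deprecation on PHP 8.1+ and the lookup runs with an empty string. I would normalise and type the input instead, `$username = isset($data['USR_USERNAME']) ? trim((string) $data['USR_USERNAME']) : '';` followed by `$userData = $rbacUser->getByUsername($username);`, and apply htmlspecialchars where the value is rendered rather than on the way in.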