Security fix for invoice view.

[timetracker.git] / invoice_view.php

diff --git a/invoice_view.php b/invoice_view.php
index 7661d9c92026cfa47c88459a75ee2e3c6dc499b3..4a6027a5b86f81bb04c24e59e194fa242ed7fa9a 100644 (file)
--- a/invoice_view.php
+++ b/invoice_view.php
@@ -33,7 +33,7 @@ import('ttClientHelper');
 import('form.Form');
 
 // Access check.
-if (!ttAccessCheck(right_view_invoices) || !$user->isPluginEnabled('iv')) {
+if (!(ttAccessAllowed('manage_invoices') || ttAccessAllowed('view_own_invoices')) || !$user->isPluginEnabled('iv')) {
   header('Location: access_denied.php');
   exit();
 }