From 7c9353d299b236c61f5f75523e1efe61d27c8be5 Mon Sep 17 00:00:00 2001
From: Eric <eric.espie@combodo.com>
Date: Tue, 22 Oct 2019 10:49:22 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B01888=20-=20Circumvention=20of=20the=20re?=
 =?UTF-8?q?striction=20of=20rights=20by=20organization?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/dbsearch.class.php | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/core/dbsearch.class.php b/core/dbsearch.class.php
index 5bc189a81..62680f7ee 100644
--- a/core/dbsearch.class.php
+++ b/core/dbsearch.class.php
@@ -1087,18 +1087,21 @@ abstract class DBSearch
 		$oSearch = $this;
 		if (!$this->IsAllDataAllowed() && !$this->IsDataFiltered())
 		{
-			$oVisibleObjects = UserRights::GetSelectFilter($this->GetClass(), $this->GetModifierProperties('UserRightsGetSelectFilter'));
-			if ($oVisibleObjects === false)
+			foreach ($this->GetSelectedClasses() as $sClass)
 			{
-				// Make sure this is a valid search object, saying NO for all
-				$oVisibleObjects = DBObjectSearch::FromEmptySet($this->GetClass());
-			}
-			if (is_object($oVisibleObjects))
-			{
-				$oVisibleObjects->AllowAllData();
-				$oSearch = $this->Intersect($oVisibleObjects);
-				/** @var DBSearch $oSearch */
-				$oSearch->SetDataFiltered();
+				$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+				if ($oVisibleObjects === false)
+				{
+					// Make sure this is a valid search object, saying NO for all
+					$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+				}
+				if (is_object($oVisibleObjects))
+				{
+					$oVisibleObjects->AllowAllData();
+					$oSearch = $this->Intersect($oVisibleObjects);
+					/** @var DBSearch $oSearch */
+					$oSearch->SetDataFiltered();
+				}
 			}
 		}
 		$oSQLQuery = $oSearch->GetSQLQueryStructure($aAttToLoad, $bGetCount, $aGroupByExpr, null, $aSelectExpr);