From 76280f8ae2044f3c0d2d4b5c80e2193d4dcddb87 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 3 Feb 2017 11:42:49 +0100
Subject: [PATCH] Fix #6365

---
 htdocs/api/class/api.class.php   | 5 +----
 htdocs/core/lib/security.lib.php | 5 ++++-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php
index 37843be90b9..1204fded0aa 100644
--- a/htdocs/api/class/api.class.php
+++ b/htdocs/api/class/api.class.php
@@ -171,9 +171,6 @@ class DolibarrApi
 	 */
 	static function _checkAccessToResource($resource, $resource_id=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid') {
 
-		// For backward compatibility
-		if ($resource == 'member') $resource='adherent';
-
 		// Features/modules to check
 		$featuresarray = array($resource);
 		if (preg_match('/&/', $resource)) {
@@ -188,7 +185,7 @@ class DolibarrApi
 			$feature2 = explode("|", $feature2);
 		}
 
-		return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray,$resource_id,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
+		return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray, $resource_id, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
 	}
 
 	/**
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index ced20a79ea6..31ea31aca14 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -343,7 +343,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu
  * This function is also called by restrictedArea
  *
  * @param User $user User to check
- * @param array $featuresarray Features/modules to check
+ * @param array $featuresarray Features/modules to check. Example: ('user','service')
  * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
  * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
  * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
@@ -365,6 +365,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 {
 	$sql='';
 
+	// For backward compatibility
+	if ($feature == 'member') $feature='adherent';
+
 	$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
 	$checksoc = array('societe'); // Test for societe object
 	$checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
-- 
GitLab
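Review bot: The added backward-compatibility line in checkUserAccessToObject tests `$feature`, but the only feature input visible at that point is the `$featuresarray` parameter (documented in the first hunk as an array such as `('user','service')`), and nothing before the new lines assigns `$feature`, so the comparison runs against an undefined variable and the 'member' → 'adherent' rewrite never takes effect. Because this commit also deletes the same mapping from DolibarrApi::_checkAccessToResource, an API call for resource 'member' now reaches the `$check` list unmapped; whether that ends in a denied request or a skipped permission test depends on code outside this hunk and should be confirmed before merging. Apply the rewrite to the array itself, e.g. `$featuresarray = array_map(function ($f) { return $f === 'member' ? 'adherent' : $f; }, $featuresarray);`, or move the check into the loop over `$featuresarray`, which starts outside this hunk. The body of checkUserAccessToObject continues past the end of the hunk.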