Merge branch '1933-TMB-eventos-varios' into 'develop'

Fixed permission checks in event_acl

See merge request artica/pandorafms!1303

pandora_console/include/functions_events.php

@@ -1981,6 +1981,11 @@ function events_get_response_target($event_id, $response_id, $server_id, $histor
 		$event_st = events_display_status($event['estado']);
 		$target = str_replace('_event_status_',	$event_st["title"],	$target);
 	}
+	if (strpos($target, '_group_custom_id_') !== false) {
+		$group_custom_id = db_get_value($dbh, "SELECT custom_id FROM tgrupo WHERE id_grupo=?", $event["id_grupo"]);
+		$event_st = events_display_status($event['estado']);
+		$target = str_replace('_group_custom_id_', $group_custom_id, $target);
+	}
 	// Parse the event custom data
 	if (!empty($event['custom_data'])){
 		$custom_data = json_decode (base64_decode ($event['custom_data']));

pandora_console/include/functions_tags.php

@@ -1481,10 +1481,20 @@ function tags_checks_event_acl($id_user, $id_group, $access, $tags = array(), $c
 			}
 			$group_ids = implode(',', $childrens_ids);
 		}
+		$tag_conds = "";
+
+		if(!empty($tags_str)) {
+			$tag_conds = " AND (tags IN ('$tags_str') OR tags = '') ";
+		}
+		else {
+			$tag_conds = " AND tags = '' ";
+		}
+
 		$sql = "SELECT id_usuario FROM tusuario_perfil
-					WHERE id_usuario = '".$config["id_user"]."' AND tags IN ('$tags_str')
-					AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
-					AND id_grupo IN ($group_ids)";
+			WHERE id_usuario = '".$config["id_user"]."' $tag_conds 
+			AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
+			AND id_grupo IN ($group_ids)";
+
 		$has_perm = db_get_value_sql ($sql);
 		
 		if ($has_perm) {