From 2d34d9aeeaf9b75f674c15e38fb978893ee49fe6 Mon Sep 17 00:00:00 2001
From: Arturo Gonzalez
Date: Thu, 20 Apr 2017 17:49:01 +0200
Subject: [PATCH 1/2] Changed get dashboards function

---
 pandora_console/include/functions.php | 29 ++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 6228989430..8561fc4d61 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -1987,9 +1987,32 @@ function get_os_name ($id_os) {
 * @return array Dashboard name of the given user.
 */
 function get_user_dashboards ($id_user) {
- $sql = "SELECT name
- FROM tdashboard
- WHERE id_user="."'".$id_user."'";
+ if (users_is_admin($id_user)) {
+ $sql = "SELECT name
+ FROM tdashboard";
+ }
+ else {
+ $user_can_manage_all = users_can_manage_group_all('RR');
+ if ($user_can_manage_all) {
+ $sql = "SELECT name
+ FROM tdashboard";
+ }
+ else {
+ $user_groups = users_get_groups($id_user, "RR", false);
+ if (empty($user_groups)) {
+ return false;
+ }
+
+ $u_groups = array();
+ foreach ($user_groups as $id => $group_name) {
+ $u_groups[] = $id;
+ }
+
+ $sql = "SELECT name
+ FROM tdashboard
+ WHERE id_group IN (" . implode(",", $u_groups) . ")";
+ }
+ }
 
 return db_get_all_rows_sql ($sql);
 }

From 9973a11fd64caf3d7e9553ee2294be99317a90d7 Mon Sep 17 00:00:00 2001
From: Arturo Gonzalez
Date: Thu, 20 Apr 2017 18:04:58 +0200
Subject: [PATCH 2/2] Added more restrictions to user dashboard function

---
 pandora_console/include/functions.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 8561fc4d61..eb79896f51 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
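Review bot: The group ids collected in the `foreach` are joined straight into `WHERE id_group IN (...)` via `implode`, so the query's safety rests entirely on `users_get_groups` returning integer keys; casting at the point of collection, `$u_groups[] = (int) $id;`, makes that guarantee explicit inside this function instead of relying on the helper's contract. The early `return false` on empty groups contradicts the unchanged docblock `@return array` shown as context above, and a caller that iterates the result will trip on `false` — returning `array()` (or updating the docblock to `@return array|false`) would keep the contract honest. `users_can_manage_group_all('RR')` is called without `$id_user` while the neighbouring checks pass it, so if that helper consults the session user rather than the requested one, the result can be computed for a different user; worth confirming. The admin and manage-all branches build identical SQL and could be merged into one condition.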
@@ -1989,13 +1989,13 @@ function get_os_name ($id_os) {
 function get_user_dashboards ($id_user) {
 if (users_is_admin($id_user)) {
 $sql = "SELECT name
- FROM tdashboard";
+ FROM tdashboard WHERE id_user = '" . $id_user ."' OR id_user = ''";
 }
 else {
 $user_can_manage_all = users_can_manage_group_all('RR');
 if ($user_can_manage_all) {
 $sql = "SELECT name
- FROM tdashboard";
+ FROM tdashboard WHERE id_user = '" . $id_user ."' OR id_user = ''";
 }
 else {
 $user_groups = users_get_groups($id_user, "RR", false);
@@ -2010,7 +2010,7 @@ function get_user_dashboards ($id_user) {
 $sql = "SELECT name
 FROM tdashboard
- WHERE id_group IN (" . implode(",", $u_groups) . ")";
+ WHERE id_group IN (" . implode(",", $u_groups) . ") AND (id_user = '" . $id_user ."' OR id_user = '')";
 }
 }
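Review bot: `$id_user` is concatenated unescaped into `id_user = '" . $id_user ."'` in both rewritten branches of this hunk, and again in the following `@@ -2010,7` hunk, so an id containing a quote character breaks or alters the query; run it through the console's SQL string-escaping helper (or a parameterised query) before it reaches the SQL text, at all three places. The admin and manage-all branches now produce byte-identical SQL, so the two could collapse into `if (users_is_admin($id_user) || users_can_manage_group_all('RR'))` with a single query string, which also removes one copy of the vulnerable concatenation. The meaning of `id_user = ''` is not documented anywhere in the hunk; a comment on the first query such as `// id_user = '' denotes dashboards not owned by a specific user` would help, assuming that is the intent. The function's docblock and closing `return` are outside this hunk.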