Fix all dropdowns

cedric-anne · btry · commit 12a66de930be · 2024-03-13T10:32:10.000+01:00
diff --git a/inc/field/actorfield.class.php b/inc/field/actorfield.class.php
@@ -128,7 +128,7 @@ public function getRenderedHtml($domain, $canEdit = true): string {
          'display_emptychoice' => false,
          'values'          => array_keys($value),
          'valuesnames'     => array_values($value),
-         '_idor_token'     => Session::getNewIDORToken(User::getType()),
+         '_idor_token'     => Session::getNewIDORToken(User::getType(), ['entity_restrict' => -1]),
       ];
       $html .= \PluginFormcreatorCommon::jsAjaxDropdown(
          $fieldName . '[]',
diff --git a/inc/field/dropdownfield.class.php b/inc/field/dropdownfield.class.php
@@ -383,7 +383,15 @@ public function getRenderedHtml($domain, $canEdit = true): string {
       $dparams = [];
       $dparams = $this->buildParams($rand);
       $dparams['display'] = false;
-      $dparams['_idor_token'] = Session::getNewIDORToken($itemtype);
+
+      $idor_params = [];
+      foreach (['condition', 'displaywith', 'entity_restrict', 'right'] as $sensitive_param) {
+         if (array_key_exists($sensitive_param, $dparams)) {
+            $idor_params[$sensitive_param] = $dparams[$sensitive_param];
+         }
+      }
+      $dparams['_idor_token'] = Session::getNewIDORToken($itemtype, $idor_params);
+
       $html .= $itemtype::dropdown($dparams);
       $html .= PHP_EOL;
       $html .= Html::scriptBlock("$(function() {
