Merge branch '39751983_Security_access_any_record' into 'master'

Fixes#1147::Uma::User level access permission enabled on view file

See merge request !359

modules/Vtiger/views/ListViewQuickPreview.php

@@ -15,6 +15,24 @@ class Vtiger_ListViewQuickPreview_View extends Vtiger_Index_View {
 	function __construct() {
 		parent::__construct();
 	}
+	
+	function checkPermission(Vtiger_Request $request) {
+		$moduleName = $request->getModule();
+		$recordId = $request->get('record');
+
+		$recordPermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId);
+		if(!$recordPermission) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+		}
+
+		if ($recordId) {
+			$recordEntityName = getSalesEntityType($recordId);
+			if ($recordEntityName !== $moduleName) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+			}
+		}
+		return true;
+	}
 
 	function process(Vtiger_Request $request) {
 

modules/Vtiger/views/MergeRecord.php

@@ -9,6 +9,23 @@
  **************************************************************************************/
 
 class Vtiger_MergeRecord_View extends Vtiger_Popup_View {
+	
+	public function checkPermission(Vtiger_Request $request) {
+		parent::checkPermission($request);
+		
+		$moduleName = $request->getModule();
+		$actionName = 'EditView';
+		
+		$records = $request->get('records');
+		$records = explode(',', $records);
+		
+		foreach ($records as $record) {
+			if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+			}
+		}
+	}
+	
 	function process(Vtiger_Request $request) {
 		$records = $request->get('records');
 		$records = explode(',', $records);