From d785da5c033355310108a1a1f6a1b6eb641b0433 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Fri, 9 Aug 2019 17:28:55 +0530
Subject: [PATCH] Checkpermission handled on security issue - 38184248
---
 include/ListView/ListViewController.php | 4 ++--
 languages/en_us/Vtiger.php | 1 +
 modules/Vtiger/actions/DeleteImage.php | 16 +++++++------
 modules/Vtiger/actions/ExportData.php | 18 +++++++-------
 modules/Vtiger/actions/RelatedRecordsAjax.php | 24 +++++++++++++++++--
 modules/Vtiger/actions/TagCloud.php | 16 ++++++-------
 modules/Vtiger/views/ExportExtensionLog.php | 19 ++++++++-------
 modules/Vtiger/views/ExtensionViews.php | 11 +++++++++
 8 files changed, 70 insertions(+), 39 deletions(-)
diff --git a/include/ListView/ListViewController.php b/include/ListView/ListViewController.php
index c496d13eb..a88722332 100644
--- a/include/ListView/ListViewController.php
+++ b/include/ListView/ListViewController.php
@@ -283,7 +283,7 @@ class ListViewController {
 $fileIdRes = $db->pquery($fileIdQuery,array($recordId));
 $fileId = $db->query_result($fileIdRes,0,'attachmentsid');
 if($fileName != '' && $status == 1) {
- if($downloadType == 'I' ) {
+ if($downloadType == 'I' && $fileId) {
 $value = '<a href="index.php?module=Documents&action=DownloadFile&record='.$recordId.'&fileid='.$fileId.'"'.
 ' title="'. getTranslatedString('LBL_DOWNLOAD_FILE',$module).
 '" >'.textlength_check($value).
@@ -291,7 +291,7 @@ class ListViewController {
 } elseif($downloadType == 'E') {
 $value = '<a onclick="event.stopPropagation()"'.
 ' href="'.$fileName.'" target="_blank"'.
- ' title="'. getTranslatedString('LBL_DOWNLOAD_FILE',$module).
+ ' title="'. getTranslatedString('LBL_DOWNLOAD_FILE',$module).
 '" >'.textlength_check($value).
 '</a>';
 } else {
diff --git a/languages/en_us/Vtiger.php b/languages/en_us/Vtiger.php
index 20c2bfa09..c38bc6495 100644
--- a/languages/en_us/Vtiger.php
+++ b/languages/en_us/Vtiger.php
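Review bot: In the `@@ -291` hunk the external-link branch still writes `$fileName` straight into an `href` attribute with no escaping, so a stored URL containing a double quote, or one that is not a plain http(s) URL, reaches the list page as-is; the changed line beside it only fixes whitespace. Proposed: `' href="'.htmlspecialchars($fileName, ENT_QUOTES, 'UTF-8').'" target="_blank" rel="noopener noreferrer"'.` — the `rel` attribute because the link already opens in a new window. The link text `textlength_check($value)` is unescaped in both hunks as well, unless that helper escapes internally; its definition is outside the diff. The enclosing method starts and ends outside both hunks.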
@@ -1387,6 +1387,7 @@ $languageStrings = array(
 'LBL_RECENT_UPDATES' => 'Recent Updates',
 'LBL_VIEW_UPDATES_IN_DETAIL' => 'Read More ...',
 'LBL_DEFAULT_DASHBOARD_TOOLTIP'=>'Make this dashboard as default by reordering it as the first tab!',
+ 'LBL_RELATED_MODULES_PERMISSION_DENIED' => 'Related modules permission is denied',
 );
 $jsLanguageStrings = array(
diff --git a/modules/Vtiger/actions/DeleteImage.php b/modules/Vtiger/actions/DeleteImage.php
index 44e2bd772..3553de8f4 100644
--- a/modules/Vtiger/actions/DeleteImage.php
+++ b/modules/Vtiger/actions/DeleteImage.php
@@ -10,13 +10,15 @@
 class Vtiger_DeleteImage_Action extends Vtiger_Action_Controller {
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+ $permissions[] = array('module_parameter' => 'module', 'action' => 'Delete', 'record_parameter' => 'record');
+ return $permissions;
+ }
+
 public function checkPermission(Vtiger_Request $request) {
- $moduleName = $request->getModule();
- $record = $request->get('id');
-
- if (!(Users_Privileges_Model::isPermitted($moduleName, 'EditView', $record) && Users_Privileges_Model::isPermitted($moduleName, 'Delete', $record))) {
- throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
- }
+ parent::checkPermission($request);
 }
 public function process(Vtiger_Request $request) {
@@ -26,7 +28,7 @@ class Vtiger_DeleteImage_Action extends Vtiger_Action_Controller {
 $response = new Vtiger_Response();
 if ($recordId) {
- $recordModel = Vtiger_Record_Model::getInstanceById($recordId, $moduleModel);
+ $recordModel = Vtiger_Record_Model::getInstanceById($recordId, $moduleName);
 $status = $recordModel->deleteImage($imageId);
 if ($status) {
 $response->setResult(array(vtranslate('LBL_IMAGE_DELETED_SUCCESSFULLY', $moduleName)));
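Review bot: The new permission entries in `DeleteImage.php` resolve the record from the `record` request parameter, while the check they replace read it from `$request->get('id')`, and the `@@ -26` hunk still operates on `$recordId`; if `process` still reads `id` (its first lines are outside the hunk), the record-level DetailView and Delete checks run against a different, possibly absent, parameter than the record whose image is deleted. Either use `'record_parameter' => 'id'` in both entries or make `process` read `record`, whichever the client actually sends, and add a comment naming the parameter the checks rely on. It is also worth recording in the commit message that the record-level requirement moved from EditView to DetailView (Delete is still required), since that is a deliberate loosening rather than a side effect.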
diff --git a/modules/Vtiger/actions/ExportData.php b/modules/Vtiger/actions/ExportData.php
index 3d116b4b9..721ef835a 100644
--- a/modules/Vtiger/actions/ExportData.php
+++ b/modules/Vtiger/actions/ExportData.php
@@ -11,17 +11,15 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 var $moduleCall = false;
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'module', 'action' => 'Export');
+ $permissions[] = array('module_parameter' => 'source_module', 'action' => 'Export');
+ return $permissions;
+ }
+
 function checkPermission(Vtiger_Request $request) {
- $moduleName = $request->getModule();
- $sourceModule = $request->get('source_module');
- $moduleModel = Vtiger_Module_Model::getInstance($moduleName);
- $sourceModuleModel = Vtiger_Module_Model::getInstance($sourceModule);
-
- $currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
- if(!$currentUserPriviligesModel->hasModuleActionPermission($moduleModel->getId(), 'Export') ||
- !$currentUserPriviligesModel->hasModuleActionPermission($sourceModuleModel->getId(), 'Export')) {
- throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
- }
+ parent::checkPermission($request);
 }
 /**
diff --git a/modules/Vtiger/actions/RelatedRecordsAjax.php b/modules/Vtiger/actions/RelatedRecordsAjax.php
index ae927a9ea..a79509587 100644
--- a/modules/Vtiger/actions/RelatedRecordsAjax.php
+++ b/modules/Vtiger/actions/RelatedRecordsAjax.php
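Review bot: The second entry added to `requiresPermission` names `source_module`, a parameter the removed code read with `$request->get('source_module')` and that an export started from a plain list view may not send; whether the base-class check then skips the entry or denies the request is decided outside this hunk and should be confirmed and written down, e.g. `// source_module is only present for exports started from a related list; the base check must deny, not skip, when it is absent`. Both entries are module-level `Export` checks, so record-level sharing on the exported rows rests on whatever `Vtiger_Mass_Action`'s own entries enforce, also outside the hunk. `checkPermission` now only forwards to the parent, so the override can be removed unless the base declaration requires it; `var $moduleCall` in the context line would read better as `public $moduleCall`.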
@@ -9,13 +9,33 @@
 *************************************************************************************/
 class Vtiger_RelatedRecordsAjax_Action extends Vtiger_Action_Controller {
-
+ var $relationModules = array();
 function __construct() {
 parent::__construct();
 $this->exposeMethod('getRelatedRecordsCount');
 }
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'recordId');
+ return $permissions;
+ }
+
 function checkPermission(Vtiger_Request $request) {
+ parent::checkPermission($request);
+ $parentModule = $request->get("module");
+ $parentModuleModel = Vtiger_Module_Model::getInstance($parentModule);
+ $relationModels = $parentModuleModel->getRelations();
+ foreach ($relationModels as $relation) {
+ $relatedModuleName = $relation->get('relatedModuleName');
+ $permissionStatus = Users_Privileges_Model::isPermitted($relatedModuleName, 'DetailView');
+ if($permissionStatus){
+ $this->relationModules[] = $relation;
+ }
+ }
+ if(empty($this->relationModules)){
+ throw new AppException(vtranslate('LBL_RELATED_MODULES_PERMISSION_DENIED'));
+ }
 }
 public function process(Vtiger_Request $request) {
@@ -35,7 +55,7 @@ class Vtiger_RelatedRecordsAjax_Action extends Vtiger_Action_Controller {
 $parentModule = $request->get("module");
 $parentModuleModel = Vtiger_Module_Model::getInstance($parentModule);
 $parentRecordModel = Vtiger_Record_Model::getInstanceById($parentRecordId, $parentModuleModel);
- $relationModels = $parentModuleModel->getRelations();
+ $relationModels = $this->relationModules;
 $relatedRecordsCount = array();
 foreach ($relationModels as $relation) {
 $relationId = $relation->getId();
diff --git a/modules/Vtiger/actions/TagCloud.php b/modules/Vtiger/actions/TagCloud.php
index 0c4bd2995..860998bb6 100644
--- a/modules/Vtiger/actions/TagCloud.php
+++ b/modules/Vtiger/actions/TagCloud.php
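Review bot: `empty($this->relationModules)` at the end of the new `checkPermission` is true both when the user lacks DetailView on every related module and when `getRelations()` returns nothing at all, so a module without relations now answers with `LBL_RELATED_MODULES_PERMISSION_DENIED` instead of the empty count map it produced before. Test the unfiltered list as well: `if(!empty($relationModels) && empty($this->relationModules)){`. The filter is module-level only (`isPermitted($relatedModuleName, 'DetailView')` with no record argument), so visibility of the individual counted records still depends on the query in `process`, which lies outside the hunk; a comment saying so would stop a later reader from assuming record-level filtering here. `var $relationModules` leaves the filtered list publicly writable; `protected $relationModules = array();` keeps it internal to the controller.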
@@ -19,16 +19,14 @@ class Vtiger_TagCloud_Action extends Vtiger_Mass_Action {
 $this->exposeMethod('remove');
 }
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+ return $permissions;
+ }
+
 function checkPermission(Vtiger_Request $request) {
- $moduleName = $request->getModule();
- $moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
- $userPrivilegesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
- $permission = $userPrivilegesModel->hasModulePermission($moduleModel->getId());
- if(!$permission) {
- throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
- }
- return true;
+ parent::checkPermission($request);
 }
 public function process(Vtiger_Request $request) {
diff --git a/modules/Vtiger/views/ExportExtensionLog.php b/modules/Vtiger/views/ExportExtensionLog.php
index 50cf1abe9..0b71c03c2 100644
--- a/modules/Vtiger/views/ExportExtensionLog.php
+++ b/modules/Vtiger/views/ExportExtensionLog.php
@@ -11,6 +11,16 @@ require_once 'modules/WSAPP/WSAPPLogs.php';
 class Vtiger_ExportExtensionLog_View extends Vtiger_View_Controller {
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');
+ $request->set('custom_module', 'WSAPP');
+ return $permissions;
+ }
+
+ public function checkPermission(Vtiger_Request $request) {
+ parent::checkPermission($request);
+ }
 function preProcess(Vtiger_Request $request) {
 return false;
 }
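Review bot: The single entry added to `TagCloud.php` requires only DetailView on `record`, yet the action exposes a `remove` mode (context line at the top of the hunk), so a user with read-only access to a record can detach tags from it; the removed code checked module access alone, so this is still a tightening, but removing a tag is a write. Consider requiring EditView for that mode, e.g. `if($request->get('mode') === 'remove') { $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView', 'record_parameter' => 'record'); }`, or add a comment stating why DetailView is judged sufficient. That `remove` modifies the record is inferred from its name; its body is outside the hunk.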
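Review bot: In the `ExportExtensionLog.php` hunk, `requiresPermission` writes into the request (`$request->set('custom_module', 'WSAPP')`) so that the entry it returns points at a value the client cannot supply, which only holds if the base class invokes `requiresPermission` before evaluating the entries; that ordering lives outside the hunk and deserves a comment such as `// pin the checked module to WSAPP so a client-supplied custom_module is ignored`. Setting the parameter in the constructor, or in `checkPermission` before the `parent::` call, would not depend on that ordering. The same pattern is added in `modules/Vtiger/views/ExtensionViews.php`, where the same comment applies; in both files the `checkPermission` override that only forwards to the parent adds nothing and can be dropped.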
@@ -19,15 +29,6 @@ class Vtiger_ExportExtensionLog_View extends Vtiger_View_Controller {
 return false;
 }
- function checkPermission(Vtiger_Request $request) {
- $moduleName = $request->getModule();
- $moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
- $currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
- if (!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
- throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
- }
- }
 /**
 * Function to convert log details to user format
diff --git a/modules/Vtiger/views/ExtensionViews.php b/modules/Vtiger/views/ExtensionViews.php
index 3cda8aabe..26b2528e9 100644
--- a/modules/Vtiger/views/ExtensionViews.php
+++ b/modules/Vtiger/views/ExtensionViews.php
@@ -16,6 +16,17 @@ class Vtiger_ExtensionViews_View extends Vtiger_Index_View {
 $this->exposeMethod('showLogs');
 $this->exposeMethod('showLogDetail');
 }
+
+ function checkPermission(Vtiger_Request $request) {
+ parent::checkPermission($request);
+ }
+
+ public function requiresPermission(\Vtiger_Request $request) {
+ $permissions = parent::requiresPermission($request);
+ $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');
+ $request->set('custom_module', 'WSAPP');
+ return $permissions;
+ }
 function process(Vtiger_Request $request) {
 $mode = $request->get('mode');
-- GitLab