Fixes: Broken access control in migration module issue has been addressed

include/utils/VtlibUtils.php

@@ -145,10 +145,16 @@ function vtlib_moduleAlwaysActive() {
  * Toggle the module (enable/disable)
  */
 function vtlib_toggleModuleAccess($modules, $enable_disable) {
-	global $adb, $__cache_module_activeinfo;
-
+	global $adb, $__cache_module_activeinfo, $current_user;
+	
 	include_once('vtlib/Vtiger/Module.php');
-
+	
+	// Checks if the user is admin or not
+	$isAdmin = is_admin($current_user);
+	if(!$isAdmin) {
+		throw new AppException('Permission denied! Only admin users can toggle modules');
+	}
+	
 	if(is_string($modules)) $modules = array($modules);
 	$event_type = false;
 
@@ -158,8 +164,8 @@ function vtlib_toggleModuleAccess($modules, $enable_disable) {
 	} else if($enable_disable === false) {
 		$enable_disable = 1;
 		$event_type = Vtiger_Module::EVENT_MODULE_DISABLED;
-        //Update default landing page to dashboard if module is disabled.
-        $adb->pquery('UPDATE vtiger_users SET defaultlandingpage = ? WHERE defaultlandingpage IN(' . generateQuestionMarks($modules) . ')', array_merge(array('Home'), $modules));
+		//Update default landing page to dashboard if module is disabled.
+		$adb->pquery('UPDATE vtiger_users SET defaultlandingpage = ? WHERE defaultlandingpage IN(' . generateQuestionMarks($modules) . ')', array_merge(array('Home'), $modules));
 	}
 
 	$checkResult = $adb->pquery('SELECT name FROM vtiger_tab WHERE name IN ('. generateQuestionMarks($modules) .')', array($modules));

modules/Migration/actions/DisableModules.php

@@ -9,6 +9,15 @@
  ************************************************************************************/
 
 class Migration_DisableModules_Action extends Vtiger_Action_Controller {
+	
+	public function checkPermission(\Vtiger_Request $request) {
+		parent::checkPermission($request);
+		$currentUserModel = Users_Record_Model::getCurrentUserModel();
+		if(!$currentUserModel->isAdminUser()) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+		}
+        return true;
+	}
 
 	public function process(Vtiger_Request $request) {
 		$modulesList = $request->get('modulesList');

modules/Migration/actions/Extract.php

@@ -21,32 +21,37 @@ class Migration_Extract_Action extends Vtiger_Action_Controller {
 
 		$user = CRMEntity::getInstance('Users');
 		$user->column_fields['user_name'] = $userName;
-		if ($user->doLogin($password)) {
-			$zip = new ZipArchive();
-			$fileName = 'vtiger8.zip';
-			if ($zip->open($fileName)) {
-				if ($zip->extractTo($root_directory)) {
-					$zip->close();
+		$userid = $user->retrieve_user_id($userName);
+		$userRecordModel = Users_Privileges_Model::getInstanceById($userid, 'Users');
+		if($userRecordModel->isAdminUser()) {
+			if ($user->doLogin($password)) {
+				$zip = new ZipArchive();
+				$fileName = 'vtiger8.zip';
+				if ($zip->open($fileName)) {
+					if ($zip->extractTo($root_directory)) {
+						$zip->close();
+						$_SESSION['authenticated_user_id'] = $userid;
+						$_SESSION['app_unique_key'] = vglobal('application_unique_key');
 
-					$userid = $user->retrieve_user_id($userName);
-					$_SESSION['authenticated_user_id'] = $userid;
-					$_SESSION['app_unique_key'] = vglobal('application_unique_key');
+						/* Give time for PHP runtime to pickup new changes after zip 
+						 * for files that are include/require once previously */
+						sleep(5);
 
-					/* Give time for PHP runtime to pickup new changes after zip 
-					 * for files that are include/require once previously */
-					sleep(5);
-
-					header('Location: index.php?module=Migration&view=Index&mode=step1');
+						header('Location: index.php?module=Migration&view=Index&mode=step1');
+					} else {
+						$errorMessage = 'ERROR EXTRACTING MIGRATION ZIP FILE!';
+						header('Location: migrate/index.php?error='.$errorMessage);
+					}
 				} else {
-					$errorMessage = 'ERROR EXTRACTING MIGRATION ZIP FILE!';
+					$errorMessage = 'ERROR READING MIGRATION ZIP FILE!';
 					header('Location: migrate/index.php?error='.$errorMessage);
 				}
 			} else {
-				$errorMessage = 'ERROR READING MIGRATION ZIP FILE!';
+				$errorMessage = 'INVALID CREDENTIALS';
 				header('Location: migrate/index.php?error='.$errorMessage);
 			}
 		} else {
-			$errorMessage = 'INVALID CREDENTIALS';
+			$errorMessage = 'PERMISSION DENIED! ONLY ADMIN USERS CAN ACCESS';
 			header('Location: migrate/index.php?error='.$errorMessage);
 		}
 	}

modules/Migration/views/Index.php

@@ -18,7 +18,12 @@ class Migration_Index_View extends Vtiger_View_Controller {
 	}
 
 	public function checkPermission(Vtiger_Request $request){
-		return true;
+		parent::checkPermission($request);
+		$currentUserModel = Users_Record_Model::getCurrentUserModel();
+		if(!$currentUserModel->isAdminUser()) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
+		}
+        return true;
 	}
 
 	public function process(Vtiger_Request $request) {