V-156500377::Amit::Permission check [200~Reports with selected_fields

modules/Reports/actions/Save.php

@@ -26,6 +26,21 @@ class Reports_Save_Action extends Vtiger_Save_Action {
 				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 			}
 		}
+                $selectedFields = $request->get('selected_fields');
+                if (count($selectedFields) > 0) {
+                    foreach ($selectedFields as $field) {
+                        list($tablename, $colname, $module_field, $fieldname, $single) = split(":", $field);
+                        list($module, $fieldName) = split("_", $module_field, 2);
+                        $moduleModel = Vtiger_Module_Model::getInstance($module);
+                        $fieldModel = Vtiger_Field_Model::getInstance($fieldname, $moduleModel);
+
+                        if ($fieldModel->table !== $tablename) {
+                            throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+                        } elseif ($fieldModel->column !== $colname) {
+                            throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+                        }
+                    }
+                }
 		return true;
 	}