From 2723cfdf6155960a9c0dea6881e01ab21fcbb177 Mon Sep 17 00:00:00 2001 From: Uma S <uma.s@vtiger.com> Date: Tue, 13 Aug 2019 17:53:02 +0530 Subject: [PATCH] Check permission addresed on Vtiger core action files --- modules/Products/actions/Mass.php | 6 ------ modules/Vtiger/actions/DashBoardTab.php | 12 ++++++++++++ modules/Vtiger/actions/DownloadAttachment.php | 11 +++++------ modules/Vtiger/actions/ExportData.php | 4 ---- modules/Vtiger/actions/GetData.php | 18 ++++++++++-------- modules/Vtiger/actions/Mass.php | 6 ++++++ modules/Vtiger/actions/MentionedUsers.php | 14 ++++++++------ modules/Vtiger/actions/NoteBook.php | 12 ++++++++++++ modules/Vtiger/actions/ProcessDuplicates.php | 10 ++++++++++ .../actions/RecipientPreferencesSaveAjax.php | 7 +++++++ modules/Vtiger/actions/RemoveWidget.php | 11 +++++++++++ modules/Vtiger/actions/SaveWidgetPositions.php | 11 +++++++++++ modules/Vtiger/actions/SaveWidgetSize.php | 11 +++++++++++ modules/Vtiger/views/AddNotePad.php | 12 ++++++++++++ modules/Vtiger/views/DashBoardTab.php | 12 ++++++++++++ 15 files changed, 127 insertions(+), 30 deletions(-) diff --git a/modules/Products/actions/Mass.php b/modules/Products/actions/Mass.php index a719c0498..39e3286c9 100644 --- a/modules/Products/actions/Mass.php +++ b/modules/Products/actions/Mass.php @@ -15,12 +15,6 @@ class Products_Mass_Action extends Vtiger_Mass_Action { $this->exposeMethod('isChildProduct'); } - public function requiresPermission(\Vtiger_Request $request) { - $permissions = parent::requiresPermission($request); - $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); - return $permissions; - } - public function process(Vtiger_Request $request) { $mode = $request->getMode(); if(!empty($mode)) { diff --git a/modules/Vtiger/actions/DashBoardTab.php b/modules/Vtiger/actions/DashBoardTab.php index 6582ce89d..a67ed527c 100644 --- a/modules/Vtiger/actions/DashBoardTab.php +++ b/modules/Vtiger/actions/DashBoardTab.php 
@@ -17,6 +17,18 @@ class Vtiger_DashBoardTab_Action extends Vtiger_Action_Controller { $this->exposeMethod('updateTabSequence'); } + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + public function process(Vtiger_Request $request) { $mode = $request->get('mode'); if ($mode) { diff --git a/modules/Vtiger/actions/DownloadAttachment.php b/modules/Vtiger/actions/DownloadAttachment.php index f06b6adaf..4ccf556b6 100644 --- a/modules/Vtiger/actions/DownloadAttachment.php +++ b/modules/Vtiger/actions/DownloadAttachment.php @@ -10,12 +10,11 @@ class Vtiger_DownloadAttachment_Action extends Vtiger_Action_Controller { - public function checkPermission(Vtiger_Request $request) { - $moduleName = $request->getModule(); - - if (!Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $request->get('record'))) { - throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $moduleName)); - } + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record'); + + return $permissions; } public function process(Vtiger_Request $request) { diff --git a/modules/Vtiger/actions/ExportData.php b/modules/Vtiger/actions/ExportData.php index 721ef835a..8bbea58fe 100644 --- a/modules/Vtiger/actions/ExportData.php +++ b/modules/Vtiger/actions/ExportData.php 
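Review bot: The if/else in the added `requiresPermission()` of Vtiger_DashBoardTab_Action is redundant, and it mutates the request inside a method that otherwise only declares requirements. Both branches end up requiring DetailView on the Dashboard module. Assuming the controller resolves `module_parameter` by reading the named request value, the loose `!=` test can be dropped by writing `$request->set('custom_module', 'Dashboard');` followed by `$permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');` unconditionally. The same block is pasted into NoteBook.php, RemoveWidget.php, SaveWidgetPositions.php, SaveWidgetSize.php, views/AddNotePad.php and views/DashBoardTab.php, so one shared helper would keep the seven copies from drifting apart. A short comment that `custom_module` is set server-side and replaces any client-supplied value would also help the next reader.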
@@ -17,10 +17,6 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action { $permissions[] = array('module_parameter' => 'source_module', 'action' => 'Export'); return $permissions; } - - function checkPermission(Vtiger_Request $request) { - parent::checkPermission($request); - } /** * Function is called by the controller diff --git a/modules/Vtiger/actions/GetData.php b/modules/Vtiger/actions/GetData.php index 482f2c8e9..ed0274fd7 100644 --- a/modules/Vtiger/actions/GetData.php +++ b/modules/Vtiger/actions/GetData.php @@ -10,19 +10,21 @@ class Vtiger_GetData_Action extends Vtiger_IndexAjax_View { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView', 'record_parameter' => 'record'); + return $permissions; + } + public function process(Vtiger_Request $request) { $record = $request->get('record'); $sourceModule = $request->get('source_module'); $response = new Vtiger_Response(); - $permitted = Users_Privileges_Model::isPermitted($sourceModule, 'DetailView', $record); - if($permitted) { - $recordModel = Vtiger_Record_Model::getInstanceById($record, $sourceModule); - $data = $recordModel->getData(); - $response->setResult(array('success'=>true, 'data'=>array_map('decode_html',$data))); - } else { - $response->setResult(array('success'=>false, 'message'=>vtranslate('LBL_PERMISSION_DENIED'))); - } + $recordModel = Vtiger_Record_Model::getInstanceById($record, $sourceModule); + $data = $recordModel->getData(); + $response->setResult(array('success'=>true, 'data'=>array_map('decode_html',$data))); + $response->emit(); } } diff --git a/modules/Vtiger/actions/Mass.php b/modules/Vtiger/actions/Mass.php index 83a2e79a8..f077bcb7b 100644 --- a/modules/Vtiger/actions/Mass.php +++ b/modules/Vtiger/actions/Mass.php 
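Review bot: With the inline `isPermitted()` guard removed, `process()` in Vtiger_GetData_Action passes `record` and `source_module` straight to `Vtiger_Record_Model::getInstanceById()`, so it is safe only if the dispatcher always evaluates the new `requiresPermission()` entry first. How that entry is treated when `source_module` or `record` is missing or empty is decided in controller code not shown here. An explicit guard is worth keeping in `process()`, for example `if (empty($record) || empty($sourceModule)) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }`. Denial presumably now surfaces as an exception rather than the previous `success => false` result, which existing callers of this endpoint may rely on.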
@@ -10,6 +10,12 @@ abstract class Vtiger_Mass_Action extends Vtiger_Action_Controller { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + return $permissions; + } + protected function getRecordsListFromRequest(Vtiger_Request $request) { $cvId = $request->get('viewname'); $module = $request->get('module'); diff --git a/modules/Vtiger/actions/MentionedUsers.php b/modules/Vtiger/actions/MentionedUsers.php index 0b27e6286..ae906ccdc 100644 --- a/modules/Vtiger/actions/MentionedUsers.php +++ b/modules/Vtiger/actions/MentionedUsers.php @@ -10,14 +10,16 @@ class Vtiger_MentionedUsers_Action extends Vtiger_Action_Controller { - function checkPermission(Vtiger_Request $request) { - return true; + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + $request->set('custom_module', 'ModComments'); + + return $permissions; } - + public function process(Vtiger_Request $request) { - $mentionRule = Settings_Notifications_Task_Model::getInstance('Mention'); - $message = $request->get('message'); - $mentionedUsers = $mentionRule->getMentionedNames($message); $commentId = $request->get('crmid'); $commentRecord = Vtiger_Record_Model::getInstanceById($commentId, Vtiger_Module_Model::getInstance('ModComments')); $commentOwnerId = $commentRecord->get('creator'); diff --git a/modules/Vtiger/actions/NoteBook.php b/modules/Vtiger/actions/NoteBook.php index 88e87b478..a553aee9b 100644 --- a/modules/Vtiger/actions/NoteBook.php +++ b/modules/Vtiger/actions/NoteBook.php 
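Review bot: The new `requiresPermission()` on the abstract Vtiger_Mass_Action has no docblock saying that DetailView on `module` is only a baseline. Subclasses perform different operations; ExportData, visible earlier in this patch, appends an `Export` entry on `source_module`. A subclass that adds no entry of its own would inherit only this read-level requirement. I would add a comment such as `// Baseline only: each subclass must append the permission for the operation it performs (e.g. Export, EditView, Delete).`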
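Review bot: The added entries in Vtiger_MentionedUsers_Action check module-level DetailView only, while `process()` loads the comment named by the client-supplied `crmid` through `Vtiger_Record_Model::getInstanceById()`. Nothing visible verifies that the current user may read that particular comment. Other files in this patch pass a `record_parameter`, so the ModComments entry could become `array('module_parameter' => 'custom_module', 'action' => 'DetailView', 'record_parameter' => 'crmid')`, assuming the controller resolves the record against `custom_module`. Setting `custom_module` after the array is built works only because the entries are evaluated later; moving the `$request->set()` line above them would make that ordering explicit. `process()` continues outside the hunk.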
@@ -14,6 +14,18 @@ class Vtiger_NoteBook_Action extends Vtiger_Action_Controller { $this->exposeMethod('NoteBookCreate'); } + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + function process(Vtiger_Request $request) { $mode = $request->getMode(); diff --git a/modules/Vtiger/actions/ProcessDuplicates.php b/modules/Vtiger/actions/ProcessDuplicates.php index 74e98275d..95e613f25 100644 --- a/modules/Vtiger/actions/ProcessDuplicates.php +++ b/modules/Vtiger/actions/ProcessDuplicates.php @@ -10,7 +10,16 @@ class Vtiger_ProcessDuplicates_Action extends Vtiger_Action_Controller { + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView'); + + return $permissions; + } + function checkPermission(Vtiger_Request $request) { + parent::checkPermission($request); $module = $request->getModule(); $records = $request->get('records'); if($records) { @@ -21,6 +30,7 @@ class Vtiger_ProcessDuplicates_Action extends Vtiger_Action_Controller { } } } + return true; } function process (Vtiger_Request $request) { diff --git a/modules/Vtiger/actions/RecipientPreferencesSaveAjax.php b/modules/Vtiger/actions/RecipientPreferencesSaveAjax.php index 72b4f652a..74e4db4ee 100644 --- a/modules/Vtiger/actions/RecipientPreferencesSaveAjax.php +++ b/modules/Vtiger/actions/RecipientPreferencesSaveAjax.php 
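Review bot: The added `parent::checkPermission($request);` call in Vtiger_ProcessDuplicates_Action discards its return value, so the new DetailView and EditView entries are enforced only if the parent signals denial by throwing. If that is the contract, a one-line comment such as `// parent throws on denial; the per-record checks below run only after it passes` would document it. If the parent can return false instead, the result has to be tested before continuing. The per-record loop sits between the two hunks and is not visible, so whether it checks every id in `records` cannot be confirmed from here.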
@@ -10,6 +10,13 @@ class Vtiger_RecipientPreferencesSaveAjax_Action extends Vtiger_SaveAjax_Action { + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + + return $permissions; + } + public function process(Vtiger_Request $request) { $sourceModule = $request->get('source_module'); $selecltedFields = $request->get('selectedFields'); diff --git a/modules/Vtiger/actions/RemoveWidget.php b/modules/Vtiger/actions/RemoveWidget.php index 3ace91794..bdaccd714 100644 --- a/modules/Vtiger/actions/RemoveWidget.php +++ b/modules/Vtiger/actions/RemoveWidget.php @@ -10,6 +10,17 @@ class Vtiger_RemoveWidget_Action extends Vtiger_IndexAjax_View { + public function requiresPermission(Vtiger_Request $request){ + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + public function process(Vtiger_Request $request) { $currentUser = Users_Record_Model::getCurrentUserModel(); $linkId = $request->get('linkid'); diff --git a/modules/Vtiger/actions/SaveWidgetPositions.php b/modules/Vtiger/actions/SaveWidgetPositions.php index e87302b64..742d68ea7 100644 --- a/modules/Vtiger/actions/SaveWidgetPositions.php +++ b/modules/Vtiger/actions/SaveWidgetPositions.php 
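Review bot: The new entry in Vtiger_RecipientPreferencesSaveAjax_Action checks DetailView on `module`, but `process()` reads `source_module` and works on that value. As far as this hunk shows, the module actually acted upon is not covered by the added check. Adding `$permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView');` would tie the check to the parameter that is used; GetData.php and ExportData.php in this patch already key their entries on `source_module`. `process()` continues outside the hunk, so whether this save needs a stricter action than DetailView depends on code not shown.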
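Review bot: `requiresPermission()` in Vtiger_RemoveWidget_Action appends to `$permissions` without initialising it and never calls `parent::requiresPermission($request)`. Any requirements declared by Vtiger_IndexAjax_View or its ancestors are therefore dropped for this action. Every other override in this patch begins with `$permissions = parent::requiresPermission($request);`, and that line should be the first statement here as well. SaveWidgetPositions.php and SaveWidgetSize.php contain the same omission.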
@@ -10,6 +10,17 @@ class Vtiger_SaveWidgetPositions_Action extends Vtiger_IndexAjax_View { + public function requiresPermission(Vtiger_Request $request){ + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + public function process(Vtiger_Request $request) { $currentUser = Users_Record_Model::getCurrentUserModel(); diff --git a/modules/Vtiger/actions/SaveWidgetSize.php b/modules/Vtiger/actions/SaveWidgetSize.php index 9f6e82365..4920b0640 100644 --- a/modules/Vtiger/actions/SaveWidgetSize.php +++ b/modules/Vtiger/actions/SaveWidgetSize.php @@ -10,6 +10,17 @@ class Vtiger_SaveWidgetSize_Action extends Vtiger_IndexAjax_View { + public function requiresPermission(Vtiger_Request $request){ + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + public function process(Vtiger_Request $request) { $currentUser = Users_Record_Model::getCurrentUserModel(); diff --git a/modules/Vtiger/views/AddNotePad.php b/modules/Vtiger/views/AddNotePad.php index 182e40166..705c394bb 100644 --- a/modules/Vtiger/views/AddNotePad.php +++ b/modules/Vtiger/views/AddNotePad.php 
@@ -10,6 +10,18 @@ class Vtiger_AddNotePad_View extends Vtiger_Index_View { + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + function process (Vtiger_Request $request) { $currentUser = Users_Record_Model::getCurrentUserModel(); $viewer = $this->getViewer($request); diff --git a/modules/Vtiger/views/DashBoardTab.php b/modules/Vtiger/views/DashBoardTab.php index b737557e1..8ab58f8cd 100644 --- a/modules/Vtiger/views/DashBoardTab.php +++ b/modules/Vtiger/views/DashBoardTab.php @@ -17,6 +17,18 @@ class Vtiger_DashboardTab_View extends Vtiger_Index_View { $this->exposeMethod('showDashBoardTabList'); } + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + if($request->get('module') != 'Dashboard'){ + $request->set('custom_module', 'Dashboard'); + $permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView'); + }else{ + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + } + + return $permissions; + } + function process(Vtiger_Request $request) { $mode = $request->getMode(); if(!empty($mode)) { -- GitLab