From 638b9a36af17144020613d8fa0fdcd5ef45629c5 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Fri, 19 Jul 2019 12:53:29 +0530
Subject: [PATCH] User level access permission enabled on view/action file

---
 modules/Vtiger/views/ListViewQuickPreview.php | 18 ++++++++++++++++++
 modules/Vtiger/views/MergeRecord.php          | 17 +++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/modules/Vtiger/views/ListViewQuickPreview.php b/modules/Vtiger/views/ListViewQuickPreview.php
index 619f085b6..04d350521 100644
--- a/modules/Vtiger/views/ListViewQuickPreview.php
+++ b/modules/Vtiger/views/ListViewQuickPreview.php
@@ -15,6 +15,24 @@ class Vtiger_ListViewQuickPreview_View extends Vtiger_Index_View {
 	function __construct() {
 		parent::__construct();
 	}
+	
+	function checkPermission(Vtiger_Request $request) {
+		$moduleName = $request->getModule();
+		$recordId = $request->get('record');
+
+		$recordPermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId);
+		if(!$recordPermission) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+		}
+
+		if ($recordId) {
+			$recordEntityName = getSalesEntityType($recordId);
+			if ($recordEntityName !== $moduleName) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+			}
+		}
+		return true;
+	}
 
 	function process(Vtiger_Request $request) {
 
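Review bot: This checkPermission override never calls `parent::checkPermission($request)`, whereas the MergeRecord override in the same patch does, so whatever module-level check Vtiger_Index_View performs is replaced here rather than extended; if the parent's check is meant to still apply (the hunk does not show it), add `parent::checkPermission($request);` as the first statement. The method is also declared without a visibility keyword while the MergeRecord version uses `public function`; `public function checkPermission(Vtiger_Request $request)` would keep the two consistent. The record-to-module comparison is only performed when a record id is supplied, which is reasonable for a list-level preview, but a short comment such as `// reject ids that belong to a different module than the one named in the request` would make that intent clear. The class continues outside the hunk.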
diff --git a/modules/Vtiger/views/MergeRecord.php b/modules/Vtiger/views/MergeRecord.php
index ef946cdcd..3f5411b54 100644
--- a/modules/Vtiger/views/MergeRecord.php
+++ b/modules/Vtiger/views/MergeRecord.php
@@ -9,6 +9,23 @@
  **************************************************************************************/
 
 class Vtiger_MergeRecord_View extends Vtiger_Popup_View {
+	
+	public function checkPermission(Vtiger_Request $request) {
+		parent::checkPermission($request);
+		
+		$moduleName = $request->getModule();
+		$actionName = 'EditView';
+		
+		$records = $request->get('records');
+		$records = explode(',', $records);
+		
+		foreach ($records as $record) {
+			if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
+				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+			}
+		}
+	}
+	
 	function process(Vtiger_Request $request) {
 		$records = $request->get('records');
 		$records = explode(',', $records);
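Review bot: The loop checks EditView permission on each id but, unlike the ListViewQuickPreview override in this same patch, never verifies that each record actually belongs to `$moduleName`, so the two views enforce different rules for the same kind of input; adding `if (getSalesEntityType($record) !== $moduleName) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }` inside the loop would align them. `explode(',', $records)` on a missing or empty `records` parameter yields `['']`, so isPermitted is then called with an empty record id, and whether that passes depends on isPermitted, which is not visible here; `$records = array_filter(explode(',', $records));` followed by rejecting an empty list would make the intent explicit. The method also returns nothing while the ListViewQuickPreview version returns true, which only matters if the parent's contract expects a return value. process() continues outside the hunk.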
-- 
GitLab