From d627a044a4a92c601a167ff7e7abf6e1713ee8a4 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Fri, 2 Aug 2019 18:14:23 +0530
Subject: [PATCH] Checkpermission is handled on SaveAjax operations

---
 modules/Calendar/actions/SaveAjax.php         | 15 ++----------
 modules/Events/actions/SaveAjax.php           | 23 -------------------
 modules/Portal/actions/SaveAjax.php           | 14 -----------
 .../Settings/CronTasks/actions/SaveAjax.php   |  1 +
 modules/Vtiger/actions/Save.php               |  6 +++--
 5 files changed, 7 insertions(+), 52 deletions(-)

diff --git a/modules/Calendar/actions/SaveAjax.php b/modules/Calendar/actions/SaveAjax.php
index 8cb299e75..a82692ec9 100644
--- a/modules/Calendar/actions/SaveAjax.php
+++ b/modules/Calendar/actions/SaveAjax.php
@@ -13,19 +13,8 @@ class Calendar_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	public function checkPermission(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$record = $request->get('record');
-
-		// Child class permission check support - DragDropAjax 
-		$recordId = $request->get('id');
-
-		$actionName = ($record || $recordId) ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
+		
+		parent::checkPermission($request);
 		if ($record) {
 			$activityModulesList = array('Calendar', 'Events');
 			$recordEntityName = getSalesEntityType($record);
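Review bot: The explicit `Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)` check is replaced by `parent::checkPermission($request)`, and nothing visible in this patch shows the parent chain checking the `Save` action; the permission entry built in modules/Vtiger/actions/Save.php names only `EditView` or `CreateView`. If the parent does not cover it, keep `if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }` after the parent call. The same question applies to the overrides deleted from modules/Events/actions/SaveAjax.php and modules/Portal/actions/SaveAjax.php. The Events deletion also drops its Calendar/Events record-type check, while the second hunk of modules/Vtiger/actions/Save.php skips the entity-type comparison for `Events` and `Calendar`, so confirm an inherited check still ties the record to an activity module. The method body continues past the end of this hunk.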
diff --git a/modules/Events/actions/SaveAjax.php b/modules/Events/actions/SaveAjax.php
index 79d950f70..f6bd8e50c 100644
--- a/modules/Events/actions/SaveAjax.php
+++ b/modules/Events/actions/SaveAjax.php
@@ -10,29 +10,6 @@
 
 class Events_SaveAjax_Action extends Events_Save_Action {
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$record = $request->get('record');
-
-		$actionName = ($record) ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if ($record) {
-			$activityModulesList = array('Calendar', 'Events');
-			$recordEntityName = getSalesEntityType($record);
-
-			if (!in_array($recordEntityName, $activityModulesList) || !in_array($moduleName, $activityModulesList)) {
-				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-			}
-		}
-	}
-
 	public function process(Vtiger_Request $request) {
 		$response = new Vtiger_Response();
 		try {
diff --git a/modules/Portal/actions/SaveAjax.php b/modules/Portal/actions/SaveAjax.php
index 2bdd5be00..45ac1603d 100644
--- a/modules/Portal/actions/SaveAjax.php
+++ b/modules/Portal/actions/SaveAjax.php
@@ -10,20 +10,6 @@
 
 class Portal_SaveAjax_Action extends Vtiger_SaveAjax_Action {
     
-    public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$record = $request->get('record');
-
-		$actionName = ($record) ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-	}
-    
     public function process(Vtiger_Request $request) {
         $module = $request->getModule();
         $recordId = $request->get('record');
diff --git a/modules/Settings/CronTasks/actions/SaveAjax.php b/modules/Settings/CronTasks/actions/SaveAjax.php
index 2d1fa34da..c70b714c5 100644
--- a/modules/Settings/CronTasks/actions/SaveAjax.php
+++ b/modules/Settings/CronTasks/actions/SaveAjax.php
@@ -17,6 +17,7 @@ class Settings_CronTasks_SaveAjax_Action extends Settings_Vtiger_Index_Action {
 		if(!$recordId) {
 			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 		}
+		return true;
 	}
 
 	public function process(Vtiger_Request $request) {
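Review bot: The only guard visible before the new `return true;` tests that `$recordId` is non-empty, and the start of the method is above this hunk, so it is not clear from here whether an administrator check runs first. If this is the permission check of a Settings action, confirm it calls `parent::checkPermission($request);` (or an equivalent admin check) before reporting success. The new return value is also undocumented; a docblock such as `/** @return bool true when permitted; throws AppException otherwise */` would make the contract explicit for other overrides.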
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index f2b4b4bcd..ce7754123 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -19,12 +19,14 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			$moduleParameter = 'source_module';
 		}
 		$record = $request->get('record');
+		// Child class permission check support - DragDropAjax 
+		$recordId = $request->get('id');
 		if (!$record) {
 			$recordParameter = '';
 		}else{
 			$recordParameter = 'record';
 		}
-		$actionName = ($record) ? 'EditView' : 'CreateView';
+		$actionName = ($record || $recordId) ? 'EditView' : 'CreateView';
 		$permissions[] = array('module_parameter' => $moduleParameter, 'action' => $actionName, 'record_parameter' => $recordParameter);
 		return $permissions;
 	}
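Review bot: When only `id` is supplied, `$actionName` becomes `EditView` but `$recordParameter` stays `''`, so the permission entry asks for an edit check without naming the record that will be edited. The code that consumes `record_parameter` is outside this hunk, but as written it presumably cannot run a record-level check against the `id` value. Consider `$recordParameter = $record ? 'record' : ($recordId ? 'id' : '');` so the drag-and-drop path is authorised against the specific record rather than at module level only. The method starts above the hunk.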
@@ -33,7 +35,7 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 		$moduleName = $request->getModule();
 		$record = $request->get('record');
 
-		$nonEntityModules = array('Users', 'Events', 'Calendar');
+		$nonEntityModules = array('Users', 'Events', 'Calendar', 'Reports');
 		if ($record && !in_array($moduleName, $nonEntityModules)) {
 			$recordEntityName = getSalesEntityType($record);
 			if ($recordEntityName !== $moduleName) {
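Review bot: Adding `'Reports'` to `$nonEntityModules` exempts Reports requests from the `getSalesEntityType($record)` comparison, so this method no longer rejects a `record` id belonging to another module when the request module is Reports. Nothing in the hunk shows what takes over that check; confirm the Reports save path verifies that the id is a report the current user may modify. A comment above the array should state why each listed module is exempt and where its record check happens instead. The membership test would also be safer with the strict flag, `in_array($moduleName, $nonEntityModules, true)`. The method continues beyond the hunk.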
-- 
GitLab