TriggerCheckPermission from webui is been removed, to make sure all handlers...

TriggerCheckPermission from webui is been removed, to make sure all handlers pass through checkPermission

includes/main/WebUI.php

@@ -194,16 +194,16 @@ class Vtiger_WebUI extends Vtiger_EntryPoint {
 				}
 
 				//TODO : Need to review the design as there can potential security threat
-				$skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'PriceBooks', 'Migration', 'Install');
-
-				if(!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) {
-					$this->triggerCheckPermission($handler, $request);
-				}
+//				$skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'PriceBooks', 'Migration', 'Install');
+//
+//				if(!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) {
+//					$this->triggerCheckPermission($handler, $request);
+//				}
 
 				// Every settings page handler should implement this method
-				if(stripos($qualifiedModuleName, 'Settings') === 0 || ($module == 'Users')) {
-					$handler->checkPermission($request);
-				}
+//				if(stripos($qualifiedModuleName, 'Settings') === 0 || ($module == 'Users')) {
+				$handler->checkPermission($request);
+//				}
 
 				$notPermittedModules = array('ModComments','Integration','DashBoard');
 

includes/runtime/Controller.php

@@ -128,6 +128,7 @@ abstract class Vtiger_Action_Controller extends Vtiger_Controller {
 			if(!Users_Privileges_Model::isPermitted($moduleParameter, $permission['action'], $recordParameter)) {
 				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 			}
+			if(Vtiger_Runtime::isRestricted('modules',$moduleParameter)){}
 		}
 		return true;
 	}

modules/Accounts/actions/TransferOwnership.php

@@ -13,6 +13,7 @@ class Accounts_TransferOwnership_Action extends Vtiger_Action_Controller {
 	
 	public function requiresPermission(\Vtiger_Request $request) {
 		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView', 'record_parameter' => 'record');
 		return $permissions;
 	}

modules/CustomView/actions/Delete.php

@@ -10,10 +10,24 @@
 
 class CustomView_Delete_Action extends Vtiger_Action_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView');
+		return $permissions;
+	}
+	
+	public function checkPermission(Vtiger_Request $request) {
+		return parent::checkPermission($request);
+	}
+	
 	public function process(Vtiger_Request $request) {
 		$customViewModel = CustomView_Record_Model::getInstanceById($request->get('record'));
 		$moduleModel = $customViewModel->getModule();
-
+		$customViewOwner = $customViewModel->getOwnerId();
+		$currentUser = Users_Record_Model::getCurrentUserModel();
+		if ((!$currentUser->isAdminUser()) || ($customViewOwner != $currentUser->getId())) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+		}
 		$customViewModel->delete();
 
 		$listViewUrl = $moduleModel->getListViewUrl();

modules/CustomView/actions/DeleteAjax.php

@@ -10,6 +10,16 @@
 
 class CustomView_DeleteAjax_Action extends Vtiger_Action_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView');
+		return $permissions;
+	}
+	
+	public function checkPermission(Vtiger_Request $request) {
+		return parent::checkPermission($request);
+	}
+	
 	function preProcess(Vtiger_Request $request) {
 		return true;
 	}
@@ -20,7 +30,11 @@ class CustomView_DeleteAjax_Action extends Vtiger_Action_Controller {
 
 	public function process(Vtiger_Request $request) {
 		$customViewModel = CustomView_Record_Model::getInstanceById($request->get('record'));
-
+		$customViewOwner = $customViewModel->getOwnerId();
+		$currentUser = Users_Record_Model::getCurrentUserModel();
+		if ((!$currentUser->isAdminUser()) || ($customViewOwner != $currentUser->getId())) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+		}
 		$customViewModel->delete();
 	}
     

modules/CustomView/actions/Save.php

@@ -9,6 +9,15 @@
  *************************************************************************************/
 
 class CustomView_Save_Action extends Vtiger_Action_Controller {
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView');
+		return $permissions;
+	}
+	
+	public function checkPermission(Vtiger_Request $request) {
+		return parent::checkPermission($request);
+	}
 
 	public function process(Vtiger_Request $request) {
         $sourceModuleName = $request->get('source_module');

modules/CustomView/views/EditAjax.php

@@ -10,6 +10,15 @@
 
 Class CustomView_EditAjax_View extends Vtiger_IndexAjax_View {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView');
+		return $permissions;
+	}
+	public function checkPermission(Vtiger_Request $request) {
+		return parent::checkPermission($request);
+	}
+	
 	public function process(Vtiger_Request $request) {
 		$viewer = $this->getViewer ($request);
 		$moduleName = $request->get('source_module');

modules/Documents/actions/Folder.php

@@ -18,21 +18,7 @@ class Documents_Folder_Action extends Vtiger_Action_Controller {
 	
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
-		$mode = $request->getMode();
-		if(!empty($mode)) {
-			switch ($mode) {
-				case 'save':
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
-					break;
-				case 'delete':
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'Delete');
-					$request->set('custom_module', 'Calendar');
-					break;
-				default:
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
-					break;
-			}
-		}
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		return $permissions;
 	}
 

modules/Documents/actions/MoveDocuments.php

@@ -12,8 +12,7 @@ class Documents_MoveDocuments_Action extends Vtiger_Mass_Action {
 	
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
-		
-		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		return $permissions;
 	}
 

modules/Documents/views/AddFolder.php

@@ -13,7 +13,7 @@ class Documents_AddFolder_View extends Vtiger_IndexAjax_View {
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
 		
-		$permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView');
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		return $permissions;
 	}
 

modules/Documents/views/EditAjax.php

@@ -10,18 +10,6 @@
 
 class Documents_EditAjax_View extends Vtiger_QuickCreateAjax_View {
 
-	public function requiresPermission(Vtiger_Request $request){
-		$permissions = parent::requiresPermission($request);
-		
-		$permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView');
-		return $permissions;
-	}
-
-
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
-
 	public function getFields($documentType){
 		switch($documentType){
 			case 'I' : case 'E' : return array('filename','assigned_user_id','folderid');

modules/Documents/views/List.php

@@ -13,6 +13,17 @@ class Documents_List_View extends Vtiger_List_View {
 		parent::__construct();
 	}
 	
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+		return $permissions;
+	}
+
+
+	public function checkPermission(Vtiger_Request $request) {
+		return parent::checkPermission($request);
+	}
 	function preProcess (Vtiger_Request $request) {
 		$viewer = $this->getViewer ($request);
 		$moduleName = $request->getModule();

modules/Documents/views/MoveDocuments.php

@@ -13,7 +13,7 @@ class Documents_MoveDocuments_View extends Vtiger_Index_View {
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
 		
-		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		return $permissions;
 	}
 

modules/Vtiger/views/Detail.php

@@ -29,6 +29,7 @@ class Vtiger_Detail_View extends Vtiger_Index_View {
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
 		$mode = $request->getMode();
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		if(!empty($mode)) {
 			switch ($mode) {
 				case 'showModuleDetailView':
@@ -50,7 +51,6 @@ class Vtiger_Detail_View extends Vtiger_Index_View {
 					$request->set('custom_module', 'Calendar');
 					break;
 				default:
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
 					break;
 			}
 		}