diff --git a/includes/main/WebUI.php b/includes/main/WebUI.php index 59ca3434556b94193140924113e4001ddbb66c21..bbc6e0aaf928ea146af2104af3158c365e7d1823 100644 --- a/includes/main/WebUI.php +++ b/includes/main/WebUI.php @@ -194,16 +194,16 @@ class Vtiger_WebUI extends Vtiger_EntryPoint { } //TODO : Need to review the design as there can potential security threat - $skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'PriceBooks', 'Migration', 'Install'); - - if(!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) { - $this->triggerCheckPermission($handler, $request); - } +// $skipList = array('Users', 'Home', 'CustomView', 'Import', 'Export', 'Inventory', 'Vtiger', 'PriceBooks', 'Migration', 'Install'); +// +// if(!in_array($module, $skipList) && stripos($qualifiedModuleName, 'Settings') === false) { +// $this->triggerCheckPermission($handler, $request); +// } // Every settings page handler should implement this method - if(stripos($qualifiedModuleName, 'Settings') === 0 || ($module == 'Users')) { - $handler->checkPermission($request); - } +// if(stripos($qualifiedModuleName, 'Settings') === 0 || ($module == 'Users')) { + $handler->checkPermission($request); +// } $notPermittedModules = array('ModComments','Integration','DashBoard'); diff --git a/includes/runtime/Controller.php b/includes/runtime/Controller.php index 962244a9f18accaf01a4c32a6b4548df9d99bb77..dee9aa491115a833b9a97920753e170bd26f84f3 100644 --- a/includes/runtime/Controller.php +++ b/includes/runtime/Controller.php @@ -128,6 +128,7 @@ abstract class Vtiger_Action_Controller extends Vtiger_Controller { if(!Users_Privileges_Model::isPermitted($moduleParameter, $permission['action'], $recordParameter)) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); } + if(Vtiger_Runtime::isRestricted('modules',$moduleParameter)){} } return true; } 
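Review bot: The skip-list branch and the `Settings`/`Users` condition are left behind as commented-out code around the now-unconditional `$handler->checkPermission($request);`, and the `//TODO : Need to review the design as there can potential security threat` comment above it still describes the design that was just removed. Delete the commented lines and replace the TODO with a statement of the new contract, e.g. `// checkPermission() is invoked for every handler, Settings pages included; each handler must enforce its own access control there.` Note that nothing on the new side calls `triggerCheckPermission()` any more, so unless it is invoked elsewhere, whatever check it performed is now entirely delegated to each handler's `checkPermission()`, and a handler that simply returns true from it would be unguarded. The enclosing method starts before this hunk.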
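Review bot: The added `if(Vtiger_Runtime::isRestricted('modules',$moduleParameter)){}` has an empty body, so the restriction lookup runs and its result is discarded — the line is dead code that reads as though a check were in place. If a restricted module is meant to be refused like a failed `isPermitted`, make it `if(Vtiger_Runtime::isRestricted('modules', $moduleParameter)) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }`; if it is a placeholder, remove it rather than ship an empty branch. Whether `isRestricted` expects a module name, as `$moduleParameter` is used on the `isPermitted` line, cannot be confirmed from this hunk. The enclosing method starts before this hunk.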
diff --git a/modules/Accounts/actions/TransferOwnership.php b/modules/Accounts/actions/TransferOwnership.php index b77146e98334bb6d505e3cdf665926ed7a78a2f5..da52b84442a858ba77d12df57830089f375fa886 100644 --- a/modules/Accounts/actions/TransferOwnership.php +++ b/modules/Accounts/actions/TransferOwnership.php @@ -13,6 +13,7 @@ class Accounts_TransferOwnership_Action extends Vtiger_Action_Controller { public function requiresPermission(\Vtiger_Request $request) { $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView', 'record_parameter' => 'record'); return $permissions; } diff --git a/modules/CustomView/actions/Delete.php b/modules/CustomView/actions/Delete.php index 626eaffba4db6f78445fd5cad390d259cea40089..963cf6baf8f36af2811968d8fd358878039ba879 100644 --- a/modules/CustomView/actions/Delete.php +++ b/modules/CustomView/actions/Delete.php @@ -10,10 +10,24 @@ class CustomView_Delete_Action extends Vtiger_Action_Controller { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView'); + return $permissions; + } + + public function checkPermission(Vtiger_Request $request) { + return parent::checkPermission($request); + } + public function process(Vtiger_Request $request) { $customViewModel = CustomView_Record_Model::getInstanceById($request->get('record')); $moduleModel = $customViewModel->getModule(); - + $customViewOwner = $customViewModel->getOwnerId(); + $currentUser = Users_Record_Model::getCurrentUserModel(); + if ((!$currentUser->isAdminUser()) || ($customViewOwner != $currentUser->getId())) { + throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); + } $customViewModel->delete(); $listViewUrl = $moduleModel->getListViewUrl(); 
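Review bot: The owner check added to `CustomView_Delete_Action::process()` throws when `!$currentUser->isAdminUser()` OR the owner differs, so a delete succeeds only for an administrator who also owns the view — a regular user can never delete their own custom view and an admin cannot delete anyone else's. If the intended rule is owner-or-admin, the condition should be `if (!$currentUser->isAdminUser() && $customViewOwner != $currentUser->getId())`. `CustomView_Record_Model::getInstanceById($request->get('record'))` is also dereferenced (`getModule()`, `getOwnerId()`) before anything confirms it returned a model, so if it yields null for an unknown `record` id the request fails with a fatal instead of a permission error; guard it first. The `checkPermission()` override that only returns `parent::checkPermission($request)` adds nothing and can be dropped.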
diff --git a/modules/CustomView/actions/DeleteAjax.php b/modules/CustomView/actions/DeleteAjax.php index 1fedb6b72a684af63e12d98f377f43dc8a9cecba..d7932d621932b324e86e63cad37f0fc3861fc757 100644 --- a/modules/CustomView/actions/DeleteAjax.php +++ b/modules/CustomView/actions/DeleteAjax.php @@ -10,6 +10,16 @@ class CustomView_DeleteAjax_Action extends Vtiger_Action_Controller { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView'); + return $permissions; + } + + public function checkPermission(Vtiger_Request $request) { + return parent::checkPermission($request); + } + function preProcess(Vtiger_Request $request) { return true; } @@ -20,7 +30,11 @@ class CustomView_DeleteAjax_Action extends Vtiger_Action_Controller { public function process(Vtiger_Request $request) { $customViewModel = CustomView_Record_Model::getInstanceById($request->get('record')); - + $customViewOwner = $customViewModel->getOwnerId(); + $currentUser = Users_Record_Model::getCurrentUserModel(); + if ((!$currentUser->isAdminUser()) || ($customViewOwner != $currentUser->getId())) { + throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); + } $customViewModel->delete(); } diff --git a/modules/CustomView/actions/Save.php b/modules/CustomView/actions/Save.php index 19943227841cf0abb12aa5032214d7fb5dfdbd4a..a28abced87c34c7cdc2228a7ba21d9051a658f99 100644 --- a/modules/CustomView/actions/Save.php +++ b/modules/CustomView/actions/Save.php 
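Review bot: `requiresPermission()` in `CustomView_DeleteAjax_Action` reads the module from `sourceModule`, while the `Save` and `EditAjax` hunks of this same commit read `source_module`; whichever name the client does not send leaves the `DetailView` check with an empty module, and what the base controller does with that is not visible here. Use one parameter name across the CustomView entry points, or derive the module from the record being deleted, and say which in a comment, e.g. `$permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView'); // name must match what the list-view JS posts`. The `checkPermission()` override that only delegates to the parent is redundant and can be removed.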
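Review bot: The ownership check in `CustomView_DeleteAjax_Action::process()` uses `||`, so the delete is refused unless the current user is both an administrator and the view's owner; a regular user deleting their own filter is denied, and an admin cannot remove another user's. If the intended rule is owner-or-admin, change it to `if (!$currentUser->isAdminUser() && $customViewOwner != $currentUser->getId())`. Also confirm that `getInstanceById()` returned a model before calling `getOwnerId()` on it, so an unknown `record` id produces `LBL_PERMISSION_DENIED` rather than a fatal on null.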
@@ -9,6 +9,15 @@ *************************************************************************************/ class CustomView_Save_Action extends Vtiger_Action_Controller { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView'); + return $permissions; + } + + public function checkPermission(Vtiger_Request $request) { + return parent::checkPermission($request); + } public function process(Vtiger_Request $request) { $sourceModuleName = $request->get('source_module'); diff --git a/modules/CustomView/views/EditAjax.php b/modules/CustomView/views/EditAjax.php index 0814e6303131ab7b92b2b3d72b6befee3aa88287..0fb95813e114ff59414416936c227dba16b881cc 100644 --- a/modules/CustomView/views/EditAjax.php +++ b/modules/CustomView/views/EditAjax.php @@ -10,6 +10,15 @@ Class CustomView_EditAjax_View extends Vtiger_IndexAjax_View { + public function requiresPermission(\Vtiger_Request $request) { + $permissions = parent::requiresPermission($request); + $permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView'); + return $permissions; + } + public function checkPermission(Vtiger_Request $request) { + return parent::checkPermission($request); + } + public function process(Vtiger_Request $request) { $viewer = $this->getViewer ($request); $moduleName = $request->get('source_module'); diff --git a/modules/Documents/actions/Folder.php b/modules/Documents/actions/Folder.php index 3bbff59837d3b904ab11ab2fc2fd5688c389654d..681c7397ec7ff0c0f697afcbeee92dd9ed6b9b54 100644 --- a/modules/Documents/actions/Folder.php +++ b/modules/Documents/actions/Folder.php 
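Review bot: `CustomView_Save_Action` gains only a module-level `DetailView` requirement on `source_module`, but nothing in this hunk checks that a custom view being updated belongs to the current user, even though the Delete actions in this commit now enforce owner-or-admin; if `process()` (which continues past this hunk) loads an existing view by id, apply the same ownership rule there before saving. Gating creation of a filter on a read permission is defensible, but it should be stated: `// Filters are user-owned; being able to view the module is the only prerequisite for creating one.` The `checkPermission()` override that only calls `parent::checkPermission($request)` is redundant, and the parameter name `source_module` disagrees with the `sourceModule` used by `Delete`/`DeleteAjax` in this same commit.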
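Review bot: `CustomView_EditAjax_View` now requires `DetailView` on `source_module`, which covers opening the editor for the module, but when a `record` is supplied to edit an existing view there is no check here that it belongs to the current user, unlike the ownership rule the Delete actions add in this commit. If `process()` (which continues past this hunk) loads the view by `record`, apply the same owner-or-admin check before rendering it, or note in a comment that the Save action is the enforcement point. The `checkPermission()` override that only forwards to the parent can be removed.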
@@ -18,21 +18,7 @@ class Documents_Folder_Action extends Vtiger_Action_Controller { public function requiresPermission(Vtiger_Request $request){ $permissions = parent::requiresPermission($request); - $mode = $request->getMode(); - if(!empty($mode)) { - switch ($mode) { - case 'save': - $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView'); - break; - case 'delete': - $permissions[] = array('module_parameter' => 'module', 'action' => 'Delete'); - $request->set('custom_module', 'Calendar'); - break; - default: - $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); - break; - } - } + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); return $permissions; } diff --git a/modules/Documents/actions/MoveDocuments.php b/modules/Documents/actions/MoveDocuments.php index ea1948a53b790047cced3e1171c421d2e188a80a..b89713d657efaa418858102a47139facf0a27292 100644 --- a/modules/Documents/actions/MoveDocuments.php +++ b/modules/Documents/actions/MoveDocuments.php @@ -12,8 +12,7 @@ class Documents_MoveDocuments_Action extends Vtiger_Mass_Action { public function requiresPermission(Vtiger_Request $request){ $permissions = parent::requiresPermission($request); - - $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView'); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); return $permissions; } diff --git a/modules/Documents/views/AddFolder.php b/modules/Documents/views/AddFolder.php index 315caf6edd89fdfa0ee9bf9968e696dd666a7ac9..d9bff852f1537a34efa78b10c90a06cf46e772b6 100644 --- a/modules/Documents/views/AddFolder.php +++ b/modules/Documents/views/AddFolder.php 
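Review bot: The per-mode switch in `Documents_Folder_Action::requiresPermission()` is replaced by a single `DetailView` entry, so the `save` and `delete` modes of this action are now authorised by a read permission where they previously required `EditView` and `Delete`. If that loosening is deliberate — folders are not records, and the removed `$request->set('custom_module', 'Calendar')` in the delete branch looks like a copy-paste artefact — record it with a comment such as `// Folders are not records: any user who can view Documents may create, rename or delete them.`; otherwise keep the mode mapping and drop only the Calendar line.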
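Review bot: `Documents_MoveDocuments_Action` is a mass action that changes which folder documents live in, yet its requirement is lowered from `EditView` to `DetailView`, so a user with read-only access to Documents can now move them. Unless the parent `Vtiger_Mass_Action` (not in this diff) performs its own edit check, keep `'action' => 'EditView'` here, or add a comment explaining why relocating a document is treated as a read operation.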
@@ -13,7 +13,7 @@ class Documents_AddFolder_View extends Vtiger_IndexAjax_View { public function requiresPermission(Vtiger_Request $request){ $permissions = parent::requiresPermission($request); - $permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView'); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); return $permissions; } diff --git a/modules/Documents/views/EditAjax.php b/modules/Documents/views/EditAjax.php index e5cd97374b58816495ed5645a43562739d8ec3af..f40193eaf3145529f5324813b24473daad71e1e6 100644 --- a/modules/Documents/views/EditAjax.php +++ b/modules/Documents/views/EditAjax.php @@ -10,18 +10,6 @@ class Documents_EditAjax_View extends Vtiger_QuickCreateAjax_View { - public function requiresPermission(Vtiger_Request $request){ - $permissions = parent::requiresPermission($request); - - $permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView'); - return $permissions; - } - - - public function checkPermission(Vtiger_Request $request) { - return parent::checkPermission($request); - } - public function getFields($documentType){ switch($documentType){ case 'I' : case 'E' : return array('filename','assigned_user_id','folderid'); diff --git a/modules/Documents/views/List.php b/modules/Documents/views/List.php index cbeceb8bf6387463b8da9ead7151a76d7747b459..a40df10f0b1dceea3226f20c0b677c0bd8672de3 100644 --- a/modules/Documents/views/List.php +++ b/modules/Documents/views/List.php 
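Review bot: `Documents_AddFolder_View` renders the create-folder form but now requires only `DetailView`, down from `CreateView`; the form alone creates nothing, so this matters because the server-side `Folder` action in this same commit is relaxed to `DetailView` as well, making module visibility the only gate on folder creation. If that is intended, a one-line comment here — `// Folder creation is gated on module visibility, not CreateView; see Documents_Folder_Action.` — keeps a later reader from reinstating `CreateView` on the view while leaving the action open.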
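Review bot: Removing both `requiresPermission()` and `checkPermission()` from `Documents_EditAjax_View` makes its access control whatever `Vtiger_QuickCreateAjax_View` provides, which is not visible in this diff. If the parent already requires `CreateView` on the module the deletion is harmless de-duplication; if it does not, the Documents quick-create form becomes reachable without a create permission. Once confirmed, a comment on the class — `// Permission checks are inherited from Vtiger_QuickCreateAjax_View.` — records which it is.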
@@ -13,6 +13,17 @@ class Documents_List_View extends Vtiger_List_View { parent::__construct(); } + public function requiresPermission(Vtiger_Request $request){ + $permissions = parent::requiresPermission($request); + + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); + return $permissions; + } + + + public function checkPermission(Vtiger_Request $request) { + return parent::checkPermission($request); + } function preProcess (Vtiger_Request $request) { $viewer = $this->getViewer ($request); $moduleName = $request->getModule(); diff --git a/modules/Documents/views/MoveDocuments.php b/modules/Documents/views/MoveDocuments.php index cc739152a0e55d9408edeefa5bb9b5e4dcd0bf6d..d17d7c1753fc1d105160f4d3fe2aa5be84041f36 100644 --- a/modules/Documents/views/MoveDocuments.php +++ b/modules/Documents/views/MoveDocuments.php @@ -13,7 +13,7 @@ class Documents_MoveDocuments_View extends Vtiger_Index_View { public function requiresPermission(Vtiger_Request $request){ $permissions = parent::requiresPermission($request); - $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView'); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); return $permissions; } diff --git a/modules/Vtiger/views/Detail.php b/modules/Vtiger/views/Detail.php index 6a75d8b7c8ff014a9678cd977ddf48269ca8ddbf..488fdaf11f2f5c7d46eb02ef4fc65187486ed806 100644 --- a/modules/Vtiger/views/Detail.php +++ b/modules/Vtiger/views/Detail.php @@ -29,6 +29,7 @@ class Vtiger_Detail_View extends Vtiger_Index_View { public function requiresPermission(Vtiger_Request $request){ $permissions = parent::requiresPermission($request); $mode = $request->getMode(); + $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView'); if(!empty($mode)) { switch ($mode) { case 'showModuleDetailView': 
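Review bot: The new `checkPermission()` in `Documents_List_View` only forwards to `parent::checkPermission($request)`, so it is redundant and gives the impression that a list-specific check exists. Remove the override and put the reason for the explicit `DetailView` entry on `requiresPermission()` instead, e.g. `// The Documents list exposes folder contents; require DetailView on the module explicitly.`, since no other module's list view is changed in this diff and a reader will wonder why this one needs it.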
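Review bot: The move-documents dialog in `Documents_MoveDocuments_View` now requires `DetailView` instead of `EditView`, matching the action-side change in this commit; together they let a read-only Documents user relocate records unless `Vtiger_Mass_Action` enforces an edit check of its own. Keep `'action' => 'EditView'` on at least the action, or document here why moving is treated as a read operation.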
@@ -50,7 +51,6 @@ class Vtiger_Detail_View extends Vtiger_Index_View { $request->set('custom_module', 'Calendar'); break; default: - $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record'); break; } }
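Review bot: The removed default-case line was the only `DetailView` requirement in `Vtiger_Detail_View::requiresPermission()` that carried `'record_parameter' => 'record'`; the entry added earlier in the method is module-level only, so `isPermitted()` is no longer asked about the specific record from here. Unless `checkPermission()` in this class (not in the diff) performs its own record-level check, any user with module `DetailView` can open any record by id. Keep a record-scoped entry for the default mode: `default: $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record'); break;`. The enclosing method starts before this hunk.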