From 3af639e1d5ad5b826e227294f212c42e43a5a2d1 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Mon, 12 Aug 2019 16:59:45 +0530
Subject: [PATCH] checkpermission addressed on
 Portal, Opportunities, Products, PriceBooks and Core files

---
 modules/Portal/actions/DeleteAjax.php         | 11 +++-----
 modules/Portal/actions/MassDelete.php         | 13 +++-------
 modules/Portal/actions/SaveAjax.php           |  9 +++++--
 modules/Portal/views/Detail.php               |  7 ++++++
 modules/Portal/views/EditAjax.php             |  7 ++++++
 modules/Portal/views/List.php                 |  7 ++++++
 modules/Potentials/views/ConvertPotential.php | 16 ++++++------
 .../Potentials/views/SaveConvertPotential.php | 18 ++++++-------
 .../PriceBooks/actions/ProductListPrice.php   | 13 ++++------
 modules/PriceBooks/actions/RelationAjax.php   | 17 ++++++++++++-
 modules/PriceBooks/views/ListPriceUpdate.php  | 17 ++++++-------
 modules/Products/actions/Mass.php             |  8 +++---
 modules/Products/actions/RelationAjax.php     | 25 +++++++++++++++++++
 modules/Products/actions/SubProducts.php      | 12 +++------
 modules/Products/views/Detail.php             | 14 +++++++++++
 modules/Products/views/MoreCurrenciesList.php |  9 +++----
 .../views/SubProductQuantityUpdate.php        | 12 +++------
 modules/Vtiger/actions/Save.php               |  2 +-
 modules/Vtiger/actions/TagCloud.php           |  4 ---
 modules/Vtiger/views/Detail.php               |  2 +-
 20 files changed, 137 insertions(+), 86 deletions(-)

diff --git a/modules/Portal/actions/DeleteAjax.php b/modules/Portal/actions/DeleteAjax.php
index cc72a3fd0..73ce6af6f 100644
--- a/modules/Portal/actions/DeleteAjax.php
+++ b/modules/Portal/actions/DeleteAjax.php
@@ -10,14 +10,9 @@
 
 class Portal_DeleteAjax_Action extends Vtiger_DeleteAjax_Action {
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$record = $request->get('record');
-
-		$currentUserPrivilegesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPrivilegesModel->isPermitted($moduleName, 'Delete', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
 	}
 	
     public function process(Vtiger_Request $request) {
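Review bot: The Delete action now requires only DetailView on the record, whereas the removed check required Delete (`isPermitted($moduleName, 'Delete', $record)`), so a user who may view but not delete a Portal bookmark now passes; the MassDelete hunk makes the same downgrade from its module-level check. Both new methods also build `$permissions` from scratch instead of starting from `parent::requiresPermission($request)` as every other hunk in this patch does, so whatever the base action requires is silently dropped, which looks unintended. Suggested for DeleteAjax: `$permissions = parent::requiresPermission($request); $permissions[] = array('module_parameter' => 'module', 'action' => 'Delete', 'record_parameter' => 'record');`. If Portal bookmarks are deliberately outside the per-action profile matrix, a one-line comment saying so would save the next reader the question.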
diff --git a/modules/Portal/actions/MassDelete.php b/modules/Portal/actions/MassDelete.php
index a8269a503..f782678a1 100644
--- a/modules/Portal/actions/MassDelete.php
+++ b/modules/Portal/actions/MassDelete.php
@@ -10,16 +10,11 @@
 
 class Portal_MassDelete_Action extends Vtiger_MassDelete_Action {
 
-    function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+		return $permissions;
 	}
-
+	
     public function process(Vtiger_Request $request) {
         $module = $request->getModule();
         
diff --git a/modules/Portal/actions/SaveAjax.php b/modules/Portal/actions/SaveAjax.php
index 45ac1603d..0f5466018 100644
--- a/modules/Portal/actions/SaveAjax.php
+++ b/modules/Portal/actions/SaveAjax.php
@@ -10,14 +10,19 @@
 
 class Portal_SaveAjax_Action extends Vtiger_SaveAjax_Action {
     
-    public function process(Vtiger_Request $request) {
+    public function requiresPermission(\Vtiger_Request $request) {
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
+	}
+	
+	public function process(Vtiger_Request $request) {
         $module = $request->getModule();
         $recordId = $request->get('record');
         $bookmarkName = $request->get('bookmarkName');
         $bookmarkUrl = $request->get('bookmarkUrl');
         
         Portal_Module_Model::saveRecord($recordId, $bookmarkName, $bookmarkUrl);
-        
+		
         $response = new Vtiger_Response();
         $result = array('message' => vtranslate('LBL_BOOKMARK_SAVED_SUCCESSFULLY', $module));
         $response->setResult($result);
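Review bot: SaveAjax persists a bookmark (`Portal_Module_Model::saveRecord` a few lines down) but the new `requiresPermission` asks only for DetailView on `record`; for a save, the EditView/CreateView choice used by MoreCurrenciesList later in this patch (`$actionName = ($record) ? 'EditView' : 'CreateView';`) fits better and also covers the create case where `record` is empty. The EditAjax view hunk makes the same DetailView-for-edit choice. As in the DeleteAjax hunk, `$permissions` is not seeded from `parent::requiresPermission($request)`.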
diff --git a/modules/Portal/views/Detail.php b/modules/Portal/views/Detail.php
index d13721063..32bb2f77d 100644
--- a/modules/Portal/views/Detail.php
+++ b/modules/Portal/views/Detail.php
@@ -10,6 +10,13 @@
 
 class Portal_Detail_View extends Vtiger_Index_View {
 
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		
+		return $permissions;
+	}
+	
 	function preProcess(Vtiger_Request $request, $display=true) {
 		parent::preProcess($request);
 	}
diff --git a/modules/Portal/views/EditAjax.php b/modules/Portal/views/EditAjax.php
index 16b365288..826211503 100644
--- a/modules/Portal/views/EditAjax.php
+++ b/modules/Portal/views/EditAjax.php
@@ -10,6 +10,13 @@
 
 class Portal_EditAjax_View extends Vtiger_IndexAjax_View {
 
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		
+		return $permissions;
+	}
+	
 	public function process(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$recordId = $request->get('record');
diff --git a/modules/Portal/views/List.php b/modules/Portal/views/List.php
index fbfb16c90..c7d52f07a 100644
--- a/modules/Portal/views/List.php
+++ b/modules/Portal/views/List.php
@@ -10,6 +10,13 @@
 
 class Portal_List_View extends Vtiger_Index_View {
 
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+		
+		return $permissions;
+	}
+	
 	function preProcess(Vtiger_Request $request, $display=true) {
 		parent::preProcess($request);
 
diff --git a/modules/Potentials/views/ConvertPotential.php b/modules/Potentials/views/ConvertPotential.php
index b84e271ad..1b670b191 100644
--- a/modules/Potentials/views/ConvertPotential.php
+++ b/modules/Potentials/views/ConvertPotential.php
@@ -10,15 +10,13 @@
 
 class Potentials_ConvertPotential_View extends Vtiger_Index_View {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-		$projectModuleModel = Vtiger_Module_Model::getInstance('Project');
-
-		$currentUserModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserModel->hasModuleActionPermission($projectModuleModel->getId(), 'CreateView')) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $moduleName));
-		}
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		$permissions[] = array('module_parameter' => 'custom_module', 'action' => 'CreateView');
+		$request->set('custom_module', 'Project');
+		
+		return $permissions;
 	}
 
 	function process(Vtiger_Request $request) {
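Review bot: `$request->set('custom_module', 'Project')` inside a permission method is a side effect whose purpose is not obvious from the code: it pins the module whose CreateView right is checked so a client-supplied `custom_module` cannot substitute another module. A comment on that line would stop the next reader from treating it as a leftover, e.g. `// Conversion creates a Project; fix the module checked for CreateView server-side rather than trusting a request parameter.` The SaveConvertPotential hunk has the identical block and additionally drops the more specific LBL_CREATE_PROJECT_PERMISSION_DENIED message in favour of the generic denial, which is worth a mention if that wording was relied on.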
diff --git a/modules/Potentials/views/SaveConvertPotential.php b/modules/Potentials/views/SaveConvertPotential.php
index 1df540874..096a66e0d 100644
--- a/modules/Potentials/views/SaveConvertPotential.php
+++ b/modules/Potentials/views/SaveConvertPotential.php
@@ -11,17 +11,15 @@ vimport('~~/include/Webservices/ConvertPotential.php');
 
 class Potentials_SaveConvertPotential_View extends Vtiger_View_Controller {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-		$projectModuleModel = Vtiger_Module_Model::getInstance('Project');
-
-		$currentUserModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserModel->hasModuleActionPermission($projectModuleModel->getId(), 'CreateView')) {
-			throw new AppException(vtranslate('LBL_CREATE_PROJECT_PERMISSION_DENIED', $moduleName));
-		}
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		$permissions[] = array('module_parameter' => 'custom_module', 'action' => 'CreateView');
+		$request->set('custom_module', 'Project');
+		
+		return $permissions;
 	}
-
+	
 	public function process(Vtiger_Request $request) {
 		$recordId = $request->get('record');
 		$modules = $request->get('modules');
diff --git a/modules/PriceBooks/actions/ProductListPrice.php b/modules/PriceBooks/actions/ProductListPrice.php
index 978a227cc..d3267bdb1 100644
--- a/modules/PriceBooks/actions/ProductListPrice.php
+++ b/modules/PriceBooks/actions/ProductListPrice.php
@@ -10,14 +10,11 @@
 
 class PriceBooks_ProductListPrice_Action extends Vtiger_Action_Controller {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate($moduleName, $moduleName).' '.vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		
+		return $permissions;
 	}
 
 	function process(Vtiger_Request $request) {
diff --git a/modules/PriceBooks/actions/RelationAjax.php b/modules/PriceBooks/actions/RelationAjax.php
index 052b72ed5..d3f9add37 100644
--- a/modules/PriceBooks/actions/RelationAjax.php
+++ b/modules/PriceBooks/actions/RelationAjax.php
@@ -17,6 +17,22 @@ class PriceBooks_RelationAjax_Action extends Vtiger_RelationAjax_Action {
 			return;
 		}
 	}
+	
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$mode = $request->getMode();
+		if(!empty($mode)) {
+			switch ($mode) {
+				case 'addListPrice':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'src_record');
+					$permissions[] = array('module_parameter' => 'related_module', 'action' => 'DetailView');
+					break;
+				default:
+					break;
+			}
+		}
+		return $permissions;
+	}
 
 	/**
 	 * Function adds PriceBooks-Products Relation
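Review bot: `addListPrice` adds a PriceBooks-Products relation (per the doc comment just below) yet the check added for it is DetailView on `src_record` plus module-level DetailView on `related_module`; if only users who may edit the price book should set prices, an EditView entry on `src_record` would express that, as ListPriceUpdate does in this patch. The switch with a single case and an empty default reads more simply as `if ($mode === 'addListPrice') { ... }`. The Products RelationAjax hunk repeats this `addListPrice` block.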
@@ -27,7 +43,6 @@ class PriceBooks_RelationAjax_Action extends Vtiger_RelationAjax_Action {
 		$sourceRecordId = $request->get('src_record');
 		$relatedModule =  $request->get('related_module');
 		$relInfos = $request->get('relinfo');
-		$relatedModule = $request->get('related_module');
 
 		$sourceModuleModel = Vtiger_Module_Model::getInstance($sourceModule);
 		$relatedModuleModel = Vtiger_Module_Model::getInstance($relatedModule);
diff --git a/modules/PriceBooks/views/ListPriceUpdate.php b/modules/PriceBooks/views/ListPriceUpdate.php
index c52d16e00..f0cd37845 100644
--- a/modules/PriceBooks/views/ListPriceUpdate.php
+++ b/modules/PriceBooks/views/ListPriceUpdate.php
@@ -10,16 +10,15 @@
 
 class PriceBooks_ListPriceUpdate_View extends Vtiger_View_Controller {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate($moduleName, $moduleName).' '.vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+	
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView', 'record_parameter' => 'record');
+		
+		return $permissions;
 	}
-
+	
 	function preProcess(Vtiger_Request $request, $display = true) {
 	}
 
diff --git a/modules/Products/actions/Mass.php b/modules/Products/actions/Mass.php
index 0ad55912c..a719c0498 100644
--- a/modules/Products/actions/Mass.php
+++ b/modules/Products/actions/Mass.php
@@ -15,10 +15,12 @@ class Products_Mass_Action extends Vtiger_Mass_Action {
 		$this->exposeMethod('isChildProduct');
 	}
 
-	public function checkPermission(Vtiger_Request $request) {
-		return true;
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+		return $permissions;
 	}
-
+	
 	public function process(Vtiger_Request $request) {
 		$mode = $request->getMode();
 		if(!empty($mode)) {
diff --git a/modules/Products/actions/RelationAjax.php b/modules/Products/actions/RelationAjax.php
index a934c7334..12ef06feb 100644
--- a/modules/Products/actions/RelationAjax.php
+++ b/modules/Products/actions/RelationAjax.php
@@ -18,6 +18,31 @@ class Products_RelationAjax_Action extends Vtiger_RelationAjax_Action {
 		$this->exposeMethod('changeBundleCost');
 	}
 	
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$mode = $request->getMode();
+		if(!empty($mode)) {
+			switch ($mode) {
+				case 'addListPrice':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'src_record');
+					$permissions[] = array('module_parameter' => 'related_module', 'action' => 'DetailView');
+					break;
+				case 'updateShowBundles':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+					$permissions[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView');
+				case 'updateQuantity':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'src_record');
+					$permissions[] = array('module_parameter' => 'related_module', 'action' => 'DetailView');
+				case 'changeBundleCost':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+					$permissions[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView');
+				default:
+					break;
+			}
+		}
+		return $permissions;
+	}
+	
 	/*
 	 * Function to add relation for specified source record id and related record id list
 	 * @param <array> $request
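Review bot: The `updateShowBundles`, `updateQuantity` and `changeBundleCost` cases have no `break;`, so a request in `updateShowBundles` mode falls through and also appends the checks of the next two cases, which name `src_record`/`related_module` parameters that request may not carry; `updateQuantity` likewise falls into `changeBundleCost`. Depending on how the framework treats a missing record parameter this either denies valid requests or adds a check that is vacuous, neither of which is intended. Add `break;` after the `relatedModule` entry of `updateShowBundles`, after the `related_module` entry of `updateQuantity`, and after the `relatedModule` entry of `changeBundleCost`. Separately, these three modes appear to change data (quantity, bundle cost) but are gated on DetailView only; confirm whether an EditView check on the source record is wanted, as ListPriceUpdate in this patch requires.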
diff --git a/modules/Products/actions/SubProducts.php b/modules/Products/actions/SubProducts.php
index b62c686c5..ed3915b0b 100644
--- a/modules/Products/actions/SubProducts.php
+++ b/modules/Products/actions/SubProducts.php
@@ -10,14 +10,10 @@
 
 class Products_SubProducts_Action extends Vtiger_Action_Controller {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate($moduleName, $moduleName).' '.vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
 	}
 
 	function process(Vtiger_Request $request) {
diff --git a/modules/Products/views/Detail.php b/modules/Products/views/Detail.php
index 92a44a6fb..56cfc130b 100644
--- a/modules/Products/views/Detail.php
+++ b/modules/Products/views/Detail.php
@@ -15,6 +15,20 @@ class Products_Detail_View extends Vtiger_Detail_View {
 		$this->exposeMethod('showBundleTotalCostView');
 	}
 	
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$mode = $request->getMode();
+		if(!empty($mode)) {
+			switch ($mode) {
+				case 'showBundleTotalCostView':
+					$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+					$permissions[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView');
+					break;
+			}
+		}
+		return $permissions;
+	}
+	
 	function preProcess(Vtiger_Request $request, $display = true) {
 		$recordId = $request->get('record');
 		$moduleName = $request->getModule();
diff --git a/modules/Products/views/MoreCurrenciesList.php b/modules/Products/views/MoreCurrenciesList.php
index 2720352cc..f4716b0d4 100644
--- a/modules/Products/views/MoreCurrenciesList.php
+++ b/modules/Products/views/MoreCurrenciesList.php
@@ -11,14 +11,13 @@
 
 class Products_MoreCurrenciesList_View extends Vtiger_IndexAjax_View {
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
 		$record = $request->get('record');
 
 		$actionName = ($record) ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+		$permissions[] = array('module_parameter' => 'module', 'action' => $actionName, 'record_parameter' => 'record');
+		return $permissions;
 	}
 
 	public function process(Vtiger_Request $request) {
diff --git a/modules/Products/views/SubProductQuantityUpdate.php b/modules/Products/views/SubProductQuantityUpdate.php
index 4f3b36b2f..740a4f97e 100644
--- a/modules/Products/views/SubProductQuantityUpdate.php
+++ b/modules/Products/views/SubProductQuantityUpdate.php
@@ -10,14 +10,10 @@
 
 class Products_SubProductQuantityUpdate_View extends Vtiger_View_Controller {
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if (!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate($moduleName, $moduleName) . ' ' . vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+	public function requiresPermission(Vtiger_Request $request){
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
 	}
 
 	public function preProcess(Vtiger_Request $request, $display = true) {
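Review bot: Judging by its name, SubProductQuantityUpdate is a view for changing sub-product quantities, but its check is DetailView on `record` only, while ListPriceUpdate in the same patch requires both DetailView and EditView on `record`; unless quantity changes are meant to be allowed with read-only access, add `$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView', 'record_parameter' => 'record');` after the DetailView entry.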
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index d20694758..583bb1561 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -35,7 +35,7 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 		$moduleName = $request->getModule();
 		$record = $request->get('record');
 
-		$nonEntityModules = array('Users', 'Events', 'Calendar');
+		$nonEntityModules = array('Users', 'Events', 'Calendar', 'Portal');
 		if ($record && !in_array($moduleName, $nonEntityModules)) {
 			$recordEntityName = getSalesEntityType($record);
 			if ($recordEntityName !== $moduleName) {
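Review bot: Adding 'Portal' to `$nonEntityModules` exempts Portal saves from the check below that the posted `record` actually belongs to `$moduleName`; the reason (presumably that bookmarks are not crmentity records, so `getSalesEntityType` cannot resolve them) is not stated and deserves a comment, e.g. `// Portal bookmarks are not crmentity records, so the entity-type check below cannot apply to them.` Prefer `in_array($moduleName, $nonEntityModules, true)` while touching the line. The enclosing method starts and ends outside the hunk.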
diff --git a/modules/Vtiger/actions/TagCloud.php b/modules/Vtiger/actions/TagCloud.php
index 860998bb6..e1b7e1220 100644
--- a/modules/Vtiger/actions/TagCloud.php
+++ b/modules/Vtiger/actions/TagCloud.php
@@ -24,10 +24,6 @@ class Vtiger_TagCloud_Action extends Vtiger_Mass_Action {
 		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
 		return $permissions;
 	}
-	
-	function checkPermission(Vtiger_Request $request) {
-		parent::checkPermission($request);
-	}
 
 	public function process(Vtiger_Request $request) {
 		$mode = $request->getMode();
diff --git a/modules/Vtiger/views/Detail.php b/modules/Vtiger/views/Detail.php
index 1e120664a..dfcdbef25 100644
--- a/modules/Vtiger/views/Detail.php
+++ b/modules/Vtiger/views/Detail.php
@@ -44,7 +44,7 @@ class Vtiger_Detail_View extends Vtiger_Index_View {
 					break;
 				case 'showRelatedList':
 				case 'showRelatedRecords':
-					$permissions[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView');
+					$permissions[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView', 'record_parameter' => 'record');
 					break;
 				case 'getActivities':
 					$permissions[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');
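Review bot: The `record` parameter added to the `relatedModule` entry holds the current module's record, not a record of `relatedModule`, so the privilege check is now asked about a record id from one module against the action rights of another; whether the privilege model resolves that correctly, or evaluates the wrong module's sharing rules, should be confirmed before relying on it. If the goal is to require DetailView on the source record, a separate entry with `'module_parameter' => 'module'` and `'record_parameter' => 'record'` expresses it without that ambiguity. `requiresPermission` starts before and continues after this hunk.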
-- 
GitLab