From 45f89cbd12e7934513b5f6510b0c06ae2443074f Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Tue, 23 Jul 2019 12:39:30 +0530
Subject: [PATCH] Widgets security access has been generalized

---
 modules/Vtiger/dashboards/CalendarActivities.php | 10 ----------
 modules/Vtiger/views/ShowWidget.php              | 10 ++++++++--
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/modules/Vtiger/dashboards/CalendarActivities.php b/modules/Vtiger/dashboards/CalendarActivities.php
index 1436af886..6ace2ed21 100644
--- a/modules/Vtiger/dashboards/CalendarActivities.php
+++ b/modules/Vtiger/dashboards/CalendarActivities.php
@@ -9,16 +9,6 @@
  *************************************************************************************/
 
 class Vtiger_CalendarActivities_Dashboard extends Vtiger_IndexAjax_View {
-	
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = 'Calendar';
-
-		$modulePermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView');
-		if(!$modulePermission) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-		return true;
-	}
 
 	public function process(Vtiger_Request $request) {
 		$currentUser = Users_Record_Model::getCurrentUserModel();
diff --git a/modules/Vtiger/views/ShowWidget.php b/modules/Vtiger/views/ShowWidget.php
index 92482a892..79f0a0bfe 100644
--- a/modules/Vtiger/views/ShowWidget.php
+++ b/modules/Vtiger/views/ShowWidget.php
@@ -53,9 +53,15 @@ class Vtiger_ShowWidget_View extends Vtiger_IndexAjax_View {
 				}
 				$request->set('createdtime', $dates);
 				
-				$classInstance = new $className();
-				if($classInstance->checkPermission($request)){
+				if($componentName == 'CalendarActivities' || $componentName == 'OverdueActivities') {
+					$moduleName = 'Calendar';
+				}
+				$currentUserPrivilegeModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
+				if($currentUserPrivilegeModel->hasModulePermission(getTabid($moduleName)) && !Vtiger_Runtime::isRestricted('modules', $moduleName)){
+					$classInstance = new $className();
 					$classInstance->process($request, $widget);
+				}else{
+					throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 				}
 				return;
 			}
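Review bot: The new gate checks only module-level access (`hasModulePermission` and `Vtiger_Runtime::isRestricted`) and no longer calls `$classInstance->checkPermission($request)`, so any action-level check a widget class carried is dropped. The override removed from `Vtiger_CalendarActivities_Dashboard` in the first hunk required `isPermitted` on Calendar `DetailView`, which is stricter if a profile can hold module access without DetailView; consider keeping it in the condition with `&& Users_Privileges_Model::isPermitted($moduleName, 'DetailView')`. The Calendar mapping is a hard-coded pair of component names compared with `==`, so a widget added later that reads another module's data is gated on whatever `$moduleName` was set to outside this hunk; a per-widget module lookup and `===` would be safer. If the dashboard classes can be requested without going through `Vtiger_ShowWidget_View` (not visible here), the Calendar check now rests entirely on the inherited `checkPermission`, which should be confirmed. The enclosing method starts and ends outside the hunk.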
-- 
GitLab