Merge branch '38276053_checkPermission_Overall' into 'master'

Checkpermission genralized on security issue (1147)

See merge request !384

modules/Accounts/actions/TransferOwnership.php

@@ -20,14 +20,16 @@ class Accounts_TransferOwnership_Action extends Vtiger_Action_Controller {
 	
 	public function checkPermission(Vtiger_Request $request) {
 		parent::checkPermission($request);
-		$permissions = $this->requiresPermission($request);
 		$recordIds = $this->getRecordIds($request);
 		foreach ($recordIds as $key => $recordId) {
 			$moduleName = getSalesEntityType($recordId);
-			$permissionStatus  = Users_Privileges_Model::isPermitted($moduleName,  $permissions['action']);
+			$permissionStatus  = Users_Privileges_Model::isPermitted($moduleName,  'EditView', $recordId);
 			if($permissionStatus){
 				$this->transferRecordIds[] = $recordId;
 			}
+			if(empty($this->transferRecordIds)){
+				throw new AppException(vtranslate('LBL_RECORD_PERMISSION_DENIED'));
+			}
 		}
 		return true;
 	}

modules/Vtiger/views/ListViewQuickPreview.php

@@ -16,14 +16,17 @@ class Vtiger_ListViewQuickPreview_View extends Vtiger_Index_View {
 		parent::__construct();
 	}
 	
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
+	}
+	
 	function checkPermission(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$recordId = $request->get('record');
 
-		$recordPermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId);
-		if(!$recordPermission) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+		parent::checkPermission($request);
 
 		if ($recordId) {
 			$recordEntityName = getSalesEntityType($recordId);

modules/Vtiger/views/MergeRecord.php

@@ -9,29 +9,39 @@
  **************************************************************************************/
 
 class Vtiger_MergeRecord_View extends Vtiger_Popup_View {
+	var $mergeRecordIds = Array();
+	
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
+		return $permissions;
+	}
 	
 	public function checkPermission(Vtiger_Request $request) {
 		parent::checkPermission($request);
-		
-		$moduleName = $request->getModule();
-		$actionName = 'EditView';
-		
 		$records = $request->get('records');
 		$records = explode(',', $records);
 		
 		foreach ($records as $record) {
-			if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+			$moduleName = getSalesEntityType($record);
+			$permissionStatus  = Users_Privileges_Model::isPermitted($moduleName,  'EditView', $record);
+			if($permissionStatus){
+				$this->mergeRecordIds[] = $record;
+			}
+			if(empty($this->mergeRecordIds)){
+				throw new AppException(vtranslate('LBL_RECORD_PERMISSION_DENIED'));
 			}
 		}
+		return true;
 	}
 	
 	function process(Vtiger_Request $request) {
-		$records = $request->get('records');
-		$records = explode(',', $records);
 		$module = $request->getModule();
 		$moduleModel = Vtiger_Module_Model::getInstance($module);
 		$fieldModels =  $moduleModel->getFields();
+		if(!empty($this->mergeRecordIds)){
+			$records = $this->mergeRecordIds;
+		}
 
 		foreach($records as $record) {
 			$recordModels[] = Vtiger_Record_Model::getInstanceById($record);