From 5463f68dd47bc4f0e5ee6f37b7978fc2b611c361 Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Wed, 7 Aug 2019 18:41:37 +0530
Subject: [PATCH] checkpermission added on Inventoty actions and Basic vtiger
 operations

---
 modules/Inventory/actions/ExportPDF.php | 13 +++++--------
 modules/Inventory/actions/GetTaxes.php  |  6 ++++++
 modules/Vtiger/actions/BasicAjax.php    | 10 ++++++++++
 modules/Vtiger/actions/MassSave.php     | 14 +++++---------
 4 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/modules/Inventory/actions/ExportPDF.php b/modules/Inventory/actions/ExportPDF.php
index 313a583c5..ccccab736 100644
--- a/modules/Inventory/actions/ExportPDF.php
+++ b/modules/Inventory/actions/ExportPDF.php
@@ -10,15 +10,12 @@
 
 class Inventory_ExportPDF_Action extends Vtiger_Action_Controller {
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$recordId = $request->get('record');
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED', $moduleName));
-		}
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
 	}
-
+	
 	public function process(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$recordId = $request->get('record');
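Review bot: With the explicit `checkPermission()` removed, the record-level check on `record` declared in `requiresPermission()` is only as strong as whatever the parent controller does with a `record_parameter` entry, and that code is not visible in this patch. The old code passed `$recordId` straight to `Users_Privileges_Model::isPermitted()`, so it is worth confirming that the shared checker does the same. It should also reject a record id that belongs to a different module than the one named in `module`, since `process()` works from the same two request values. A short comment above the method, such as `// Enforced by the parent controller: DetailView on the requested record`, would make that dependency explicit. `process()` continues outside the hunk.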
diff --git a/modules/Inventory/actions/GetTaxes.php b/modules/Inventory/actions/GetTaxes.php
index 309ab2804..4c861866c 100644
--- a/modules/Inventory/actions/GetTaxes.php
+++ b/modules/Inventory/actions/GetTaxes.php
@@ -10,6 +10,12 @@
 
 class Inventory_GetTaxes_Action extends Vtiger_Action_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'sourceModule', 'action' => 'DetailView');
+		return $permissions;
+	}
+	
 	function process(Vtiger_Request $request) {
 		$decimalPlace = getCurrencyDecimalPlaces();
 		$currencyId = $request->get('currency_id');
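Review bot: The rule added in `requiresPermission()` is keyed on `sourceModule` with no `record_parameter`, so it is a module-level check only. It is also applied unconditionally, unlike the `parent_module` rule in BasicAjax.php, which is guarded by `!empty(...)`. Two things should be confirmed against the parent checker, which is not shown: that a request without `sourceModule` is denied rather than passing the rule, and that any record id `process()` reads further down (outside this hunk) gets its own record-level check. If such an id is used, adding `'record_parameter' => '<request parameter holding the record id>'` to the array would mirror ExportPDF.php.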
diff --git a/modules/Vtiger/actions/BasicAjax.php b/modules/Vtiger/actions/BasicAjax.php
index f2de60fc3..cdb63b727 100644
--- a/modules/Vtiger/actions/BasicAjax.php
+++ b/modules/Vtiger/actions/BasicAjax.php
@@ -10,6 +10,16 @@
 
 class Vtiger_BasicAjax_Action extends Vtiger_Action_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+		$permissions[] = array('module_parameter' => 'search_module', 'action' => 'DetailView');
+		if(!empty($request->get('parent_module'))){
+			$permissions[] = array('module_parameter' => 'parent_module', 'action' => 'DetailView');
+		}
+		return $permissions;
+	}
+	
 	public function process(Vtiger_Request $request) {
 		$searchValue = $request->get('search_value');
 		$searchModule = $request->get('search_module');
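Review bot: The `parent_module` rule is added only when `!empty($request->get('parent_module'))`, so values such as `0` or an empty string skip the check entirely. `process()`, which continues outside the hunk, should treat exactly the same values as "no parent module" and never fall back to a default. `empty()` on a call result also needs PHP 5.5 or later; reading the value once with `$parentModule = $request->get('parent_module');` and testing `if (!empty($parentModule))` avoids that and keeps the condition in one place. All three rules are module-level `DetailView` checks, so the search itself still has to filter its results by record-level access.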
diff --git a/modules/Vtiger/actions/MassSave.php b/modules/Vtiger/actions/MassSave.php
index 6ce207570..c6ecc8dfe 100644
--- a/modules/Vtiger/actions/MassSave.php
+++ b/modules/Vtiger/actions/MassSave.php
@@ -10,16 +10,12 @@
 
 class Vtiger_MassSave_Action extends Vtiger_Mass_Action {
 
-	function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-
-		if(!$currentUserPriviligesModel->hasModuleActionPermission($moduleModel->getId(), 'Save')) {
-			throw new AppException(vtranslate($moduleName, $moduleName).' '.vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions = parent::requiresPermission($request);
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
+		return $permissions;
 	}
-
+	
 	public function process(Vtiger_Request $request) {
 		$response = new Vtiger_Response();
 		try {
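Review bot: The removed check asked for the `Save` action through `hasModuleActionPermission()`, while the new rule in `requiresPermission()` names `EditView`. If the two map to different profile permissions, this silently changes who may mass-save. The rule also has no `record_parameter`, so it is module-level, and edit permission on each selected record has to be enforced where the records are loaded in `process()` (outside this hunk). Once that is confirmed, a comment such as `// Module-level gate only; per-record edit permission is checked when records are loaded` would document the split.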
-- 
GitLab