From 6e5cbdb3e5a47ccc592db3616713d211e220f17c Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Thu, 22 Aug 2019 16:05:34 +0530
Subject: [PATCH] Checkpermission on Calendar and Customview is addressed

---
 modules/Calendar/actions/ActivityReminder.php |  4 -
 modules/Calendar/actions/CalendarActions.php  |  6 +-
 .../Calendar/actions/CalendarUserActions.php  | 24 +-----
 modules/Calendar/actions/SaveFollowupAjax.php | 19 +++--
 modules/CustomView/actions/Save.php           |  4 -
 modules/CustomView/models/Record.php          |  2 +-
 modules/CustomView/views/EditAjax.php         |  3 -
 modules/Vtiger/actions/BasicAjax.php          | 73 ++++++++++---------
 modules/Vtiger/actions/ExportData.php         |  4 +-
 modules/Vtiger/actions/Save.php               |  1 +
 .../RecycleBin/actions/RecycleBinAjax.php     |  2 +-
 11 files changed, 57 insertions(+), 85 deletions(-)

diff --git a/modules/Calendar/actions/ActivityReminder.php b/modules/Calendar/actions/ActivityReminder.php
index 073aaa0ef..3d51ed4dc 100644
--- a/modules/Calendar/actions/ActivityReminder.php
+++ b/modules/Calendar/actions/ActivityReminder.php
@@ -34,10 +34,6 @@ class Calendar_ActivityReminder_Action extends Vtiger_Action_Controller{
 		}
 		return $permissions;
 	}
-	
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
 
 	public function process(Vtiger_Request $request) {
 		$mode = $request->getMode();
diff --git a/modules/Calendar/actions/CalendarActions.php b/modules/Calendar/actions/CalendarActions.php
index 71a0bc953..243759ce5 100644
--- a/modules/Calendar/actions/CalendarActions.php
+++ b/modules/Calendar/actions/CalendarActions.php
@@ -28,11 +28,7 @@ class Calendar_CalendarActions_Action extends Vtiger_BasicAjax_Action {
 		}
 		return $permissions;
 	}
-	
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
-	
+    
 	public function process(Vtiger_Request $request) {
 		$mode = $request->getMode();
 		if (!empty($mode) && $this->isMethodExposed($mode)) {
diff --git a/modules/Calendar/actions/CalendarUserActions.php b/modules/Calendar/actions/CalendarUserActions.php
index 274692da7..b4b377bc8 100755
--- a/modules/Calendar/actions/CalendarUserActions.php
+++ b/modules/Calendar/actions/CalendarUserActions.php
@@ -20,32 +20,10 @@ class Calendar_CalendarUserActions_Action extends Vtiger_Action_Controller{
 	
 	public function requiresPermission(Vtiger_Request $request){
 		$permissions = parent::requiresPermission($request);
-		$mode = $request->getMode();
-		if(!empty($mode)) {
-			switch ($mode) {
-				case 'deleteUserCalendar':
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
-					break;
-				case 'deleteCalendarView':
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'Delete');
-					break;
-				case 'addUserCalendar':
-				case 'addCalendarView':
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
-					$permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView');
-					break;
-				default:
-					break;
-			}
-		}
+        $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
 		return $permissions;
 	}
 	
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
-	
 	public function process(Vtiger_Request $request) {
 		$mode = $request->getMode();
 		if(!empty($mode) && $this->isMethodExposed($mode)) {
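Review bot: The single DetailView entry added at line 79 replaces the per-mode requirements, so deleteUserCalendar, deleteCalendarView, addUserCalendar and addCalendarView no longer require EditView, Delete or CreateView on the module as the removed switch did; a user with read-only Calendar access now passes requiresPermission() for these write operations unless the exposed methods check themselves, and those methods are not in this diff. If the relaxation is deliberate because these modes only touch the current user's own calendar settings, say so next to the new line, e.g. `// DetailView suffices: these modes only alter the current user's own calendar views`. Otherwise keep DetailView as the baseline and restore the per-mode entries on top of it, as below. process() continues past the end of the hunk.
```php
public function requiresPermission(Vtiger_Request $request){
    $permissions = parent::requiresPermission($request);
    // Every mode needs read access to the module; write modes add their own action.
    $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
    switch ($request->getMode()) {
        case 'deleteUserCalendar':
            $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
            break;
        case 'deleteCalendarView':
            $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
            $permissions[] = array('module_parameter' => 'module', 'action' => 'Delete');
            break;
        case 'addUserCalendar':
        case 'addCalendarView':
            $permissions[] = array('module_parameter' => 'module', 'action' => 'EditView');
            $permissions[] = array('module_parameter' => 'module', 'action' => 'CreateView');
            break;
    }
    return $permissions;
}
```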
diff --git a/modules/Calendar/actions/SaveFollowupAjax.php b/modules/Calendar/actions/SaveFollowupAjax.php
index 59d321a79..0f0e470ba 100755
--- a/modules/Calendar/actions/SaveFollowupAjax.php
+++ b/modules/Calendar/actions/SaveFollowupAjax.php
@@ -10,18 +10,21 @@
 
 class Calendar_SaveFollowupAjax_Action extends Calendar_SaveAjax_Action {
 
+//    public function requiresPermission(Vtiger_Request $request){
+//		$permissions = parent::requiresPermission($request);
+//		$record = $request->get('record');
+//        $actionName = ($record) ? 'EditView' : 'CreateView';
+//
+//		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+//        $permissions[] = array('module_parameter' => 'module', 'action' => $actionName, 'record_parameter' => 'record');
+//		return $permissions;
+//	}
+    
 	public function checkPermission(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$record = $request->get('record');
 
-		$actionName = ($record && $request->getMode() != 'createFollowupEvent') ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+		parent::checkPermission($request);
 
 		if ($record) {
 			$activityModulesList = array('Calendar', 'Events');
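Review bot: The commented-out requiresPermission() block at lines 98–106 is dead code and should be removed; if the point is to record why the inherited rule is used instead, a one-line comment above checkPermission() does that. More importantly, the removed check treated createFollowupEvent specially (`CreateView` even when `record` is set) and separately required `Save`; delegating to `parent::checkPermission($request)` drops both, and if the parent chain ends in the Vtiger_Save_Action rule touched by this same patch (`($record || $recordId) ? 'EditView' : 'CreateView'`), creating a followup now demands EditView on the source record, a behaviour change the commit message does not mention. The parent class is not in this diff, so I cannot confirm what it enforces; if the old distinction still matters, keep `$actionName = ($record && $request->getMode() != 'createFollowupEvent') ? 'EditView' : 'CreateView';` with its isPermitted() check ahead of the parent call. checkPermission()'s body continues past the end of the hunk.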
diff --git a/modules/CustomView/actions/Save.php b/modules/CustomView/actions/Save.php
index a28abced8..6900d392f 100644
--- a/modules/CustomView/actions/Save.php
+++ b/modules/CustomView/actions/Save.php
@@ -14,10 +14,6 @@ class CustomView_Save_Action extends Vtiger_Action_Controller {
 		$permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView');
 		return $permissions;
 	}
-	
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
 
 	public function process(Vtiger_Request $request) {
         $sourceModuleName = $request->get('source_module');
diff --git a/modules/CustomView/models/Record.php b/modules/CustomView/models/Record.php
index c2964abdd..2c2cf5b13 100644
--- a/modules/CustomView/models/Record.php
+++ b/modules/CustomView/models/Record.php
@@ -747,7 +747,7 @@ class CustomView_Record_Model extends Vtiger_Base_Model {
 	}
 
 	public function getToggleDefaultUrl() {
-		return 'index.php?module=CustomView&action=SaveAjax&record='.$this->getId();
+		return 'index.php?module=CustomView&source_module='.$this->getModule()->get('name').'&action=SaveAjax&record='.$this->getId();
 	}
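Review bot: The source_module value added to the URL is client-controlled once it leaves this method, so any permission entry SaveAjax derives from it (the `'module_parameter' => 'source_module'` pattern used elsewhere in this patch) only holds if the action also cross-checks that `record` really belongs to that module; that check is not in this diff and I cannot confirm it exists, so please verify it rather than relying on the link alone. Defensively, wrap the name so the query string stays well-formed regardless of its content: `'&source_module='.urlencode($this->getModule()->get('name'))`.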
 
 	/**
diff --git a/modules/CustomView/views/EditAjax.php b/modules/CustomView/views/EditAjax.php
index 0fb95813e..aac78c7be 100644
--- a/modules/CustomView/views/EditAjax.php
+++ b/modules/CustomView/views/EditAjax.php
@@ -15,9 +15,6 @@ Class CustomView_EditAjax_View extends Vtiger_IndexAjax_View {
 		$permissions[] = array('module_parameter' => 'source_module', 'action' => 'DetailView');
 		return $permissions;
 	}
-	public function checkPermission(Vtiger_Request $request) {
-		return parent::checkPermission($request);
-	}
 	
 	public function process(Vtiger_Request $request) {
 		$viewer = $this->getViewer ($request);
diff --git a/modules/Vtiger/actions/BasicAjax.php b/modules/Vtiger/actions/BasicAjax.php
index cdb63b727..7abf09a14 100644
--- a/modules/Vtiger/actions/BasicAjax.php
+++ b/modules/Vtiger/actions/BasicAjax.php
@@ -10,39 +10,42 @@
 
 class Vtiger_BasicAjax_Action extends Vtiger_Action_Controller {
 
-	public function requiresPermission(\Vtiger_Request $request) {
-		$permissions = parent::requiresPermission($request);
-		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
-		$permissions[] = array('module_parameter' => 'search_module', 'action' => 'DetailView');
-		if(!empty($request->get('parent_module'))){
-			$permissions[] = array('module_parameter' => 'parent_module', 'action' => 'DetailView');
-		}
-		return $permissions;
-	}
-	
-	public function process(Vtiger_Request $request) {
-		$searchValue = $request->get('search_value');
-		$searchModule = $request->get('search_module');
-
-		$parentRecordId = $request->get('parent_id');
-		$parentModuleName = $request->get('parent_module');
-		$relatedModule = $request->get('module');
-
-		$searchModuleModel = Vtiger_Module_Model::getInstance($searchModule);
-		$records = $searchModuleModel->searchRecord($searchValue, $parentRecordId, $parentModuleName, $relatedModule);
-
-		$baseRecordId = $request->get('base_record');
-		$result = array();
-		foreach($records as $moduleName=>$recordModels) {
-			foreach($recordModels as $recordModel) {
-				if ($recordModel->getId() != $baseRecordId) {
-					$result[] = array('label'=>decode_html($recordModel->getName()), 'value'=>decode_html($recordModel->getName()), 'id'=>$recordModel->getId());
-				}
-			}
-		}
-
-		$response = new Vtiger_Response();
-		$response->setResult($result);
-		$response->emit();
-	}
+    public function requiresPermission(\Vtiger_Request $request) {
+        $permissions = parent::requiresPermission($request);
+        $permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView');
+         if (!empty($request->get('search_module'))) {
+            $permissions[] = array('module_parameter' => 'search_module', 'action' => 'DetailView');
+         }
+        if (!empty($request->get('parent_module'))) {
+            $permissions[] = array('module_parameter' => 'parent_module', 'action' => 'DetailView');
+        }
+        return $permissions;
+    }
+
+    public function process(Vtiger_Request $request) {
+        $searchValue = $request->get('search_value');
+        $searchModule = $request->get('search_module');
+
+        $parentRecordId = $request->get('parent_id');
+        $parentModuleName = $request->get('parent_module');
+        $relatedModule = $request->get('module');
+
+        $searchModuleModel = Vtiger_Module_Model::getInstance($searchModule);
+        $records = $searchModuleModel->searchRecord($searchValue, $parentRecordId, $parentModuleName, $relatedModule);
+
+        $baseRecordId = $request->get('base_record');
+        $result = array();
+        foreach ($records as $moduleName => $recordModels) {
+            foreach ($recordModels as $recordModel) {
+                if ($recordModel->getId() != $baseRecordId) {
+                    $result[] = array('label' => decode_html($recordModel->getName()), 'value' => decode_html($recordModel->getName()), 'id' => $recordModel->getId());
+                }
+            }
+        }
+
+        $response = new Vtiger_Response();
+        $response->setResult($result);
+        $response->emit();
+    }
+
 }
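Review bot: process() at lines 229–230 still hands search_module straight to Vtiger_Module_Model::getInstance() and calls searchRecord() on the result, so now that the DetailView requirement is skipped when search_module is empty (lines 212–214), a request that omits it reaches process() unchecked and only fails at that call; reject the missing parameter deliberately before getInstance(), e.g. `if (empty($searchModule)) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }`. If the conditional exists for subclasses such as Calendar_CalendarActions_Action that never send search_module, record that beside it: `// search_module is optional for subclasses that do not search; this class's process() requires it`. Separately, re-indenting the entire file from tabs to spaces in the same hunk hides the one-line functional change; formatting-only changes belong in their own commit.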
diff --git a/modules/Vtiger/actions/ExportData.php b/modules/Vtiger/actions/ExportData.php
index 8bbea58fe..2a8b3d651 100644
--- a/modules/Vtiger/actions/ExportData.php
+++ b/modules/Vtiger/actions/ExportData.php
@@ -14,7 +14,9 @@ class Vtiger_ExportData_Action extends Vtiger_Mass_Action {
 	public function requiresPermission(\Vtiger_Request $request) {
 		$permissions = parent::requiresPermission($request);
 		$permissions[] = array('module_parameter' => 'module', 'action' => 'Export');
-		$permissions[] = array('module_parameter' => 'source_module', 'action' => 'Export');
+        if (!empty($request->get('source_module'))) {
+            $permissions[] = array('module_parameter' => 'source_module', 'action' => 'Export');
+        }
 		return $permissions;
 	}
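Review bot: Making the source_module Export check conditional at lines 257–259 lets a caller skip it by simply omitting the parameter, which is only safe if process() resolves the same fallback and exports nothing from a module the check did not cover; process() is outside the hunk, so I cannot see what it does with an empty source_module. Please confirm it falls back to `module` (whose Export permission is still required at line 255) and then document the assumption at the conditional: `// source_module is optional; process() falls back to module, which is checked above`.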
 
diff --git a/modules/Vtiger/actions/Save.php b/modules/Vtiger/actions/Save.php
index 36cf4c2fd..e848585c3 100644
--- a/modules/Vtiger/actions/Save.php
+++ b/modules/Vtiger/actions/Save.php
@@ -27,6 +27,7 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			$recordParameter = 'record';
 		}
 		$actionName = ($record || $recordId) ? 'EditView' : 'CreateView';
+        $permissions[] = array('module_parameter' => $moduleParameter, 'action' => 'DetailView', 'record_parameter' => $recordParameter);
 		$permissions[] = array('module_parameter' => $moduleParameter, 'action' => $actionName, 'record_parameter' => $recordParameter);
 		return $permissions;
 	}
diff --git a/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/actions/RecycleBinAjax.php b/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/actions/RecycleBinAjax.php
index 3d5a429a4..f6d9f63a4 100644
--- a/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/actions/RecycleBinAjax.php
+++ b/pkg/vtiger/modules/RecycleBin/modules/RecycleBin/actions/RecycleBinAjax.php
@@ -19,7 +19,7 @@ class RecycleBin_RecycleBinAjax_Action extends Vtiger_Mass_Action {
 	
 	function checkPermission(Vtiger_Request $request) {
         if($request->get('mode') == 'emptyRecycleBin') {
-            //Only admin user can empty the recycle bin, so this check is mabdatory
+            //Only admin user can empty the recycle bin, so this check is mandatory
             $currentUserModel = Users_Record_Model::getCurrentUserModel();
             if(!$currentUserModel->isAdminUser()) {
                 throw new AppException(vtranslate('LBL_PERMISSION_DENIED', 'Vtiger'));
-- 
GitLab