From 7cdf9941197b4aa58114eafce3ce88fb418eb68c Mon Sep 17 00:00:00 2001
From: prasad <prasad@vtiger.com>
Date: Wed, 1 Jun 2016 14:33:42 +0530
Subject: [PATCH] Refactored access control on user-save operation.

---
 modules/Users/actions/Save.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/modules/Users/actions/Save.php b/modules/Users/actions/Save.php
index 0efcd153b..404a530b5 100644
--- a/modules/Users/actions/Save.php
+++ b/modules/Users/actions/Save.php
@@ -15,8 +15,22 @@ class Users_Save_Action extends Vtiger_Save_Action {
 		$record = $request->get('record');
 		$recordModel = Vtiger_Record_Model::getInstanceById($record, $moduleName);
 		$currentUserModel = Users_Record_Model::getCurrentUserModel();
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record) || ($recordModel->isAccountOwner() && 
-							$currentUserModel->get('id') != $recordModel->getId() && !$currentUserModel->isAdminUser())) {
+
+		// Check for operation access.
+		$allowed = Users_Privileges_Model::isPermitted($moduleName, 'Save', $record);
+		
+		if ($allowed) {
+			// Deny access if not administrator or account-owner or self
+			if(!$currentUserModel->isAdminUser()) {
+				if (empty($record)) {
+					$allowed = false;
+				} else if (!$recordModel->isAccountOwner() || ($currentUserModel->get('id') != $recordModel->getId())) {
+					$allowed = false;
+				}
+			}
+		}
+
+		if(!$allowed) {
 			throw new AppException('LBL_PERMISSION_DENIED');
 		}
 	}
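Review bot: The comment on the new line `// Deny access if not administrator or account-owner or self` does not match the condition below it: with `!$recordModel->isAccountOwner() || (... != ...)` a non-admin is denied unless the record is *both* the account owner *and* their own, so an ordinary non-owner user saving their own record is now refused. If the comment describes the intended rule, the test should be `} else if (!$recordModel->isAccountOwner() && ($currentUserModel->get('id') != $recordModel->getId())) {`; if the stricter behaviour is intended, the comment should say so, since this is the authorization decision for user-record writes and the two currently disagree. The id comparison also uses loose `!=`; comparing `(int) $currentUserModel->get('id') !== (int) $recordModel->getId()` would avoid string/int coercion surprises. Note that `getInstanceById($record, ...)` on the context line above still runs before the `empty($record)` guard, so the empty-record case is only rejected if that call tolerates an empty id; the enclosing method begins outside the hunk.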
-- 
GitLab