From addf63d38ce6497a50ab540d654dd49e4584e6a7 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Fri, 20 Sep 2019 15:43:13 +0530
Subject: [PATCH] All report actions should check for module level profile permissions

---
 modules/Reports/views/Detail.php | 26 ++++++++++++++--------
 modules/Reports/views/ExportReport.php | 30 ++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/modules/Reports/views/Detail.php b/modules/Reports/views/Detail.php
index 325c3fb4b..08b8fabdf 100644
--- a/modules/Reports/views/Detail.php
+++ b/modules/Reports/views/Detail.php
@@ -65,17 +65,25 @@ class Reports_Detail_View extends Vtiger_Index_View {
 $primaryModule = $reportModel->getPrimaryModule();
 $secondaryModules = $reportModel->getSecondaryModules();
- $primaryModuleModel = Vtiger_Module_Model::getInstance($primaryModule);
-
+ $modulesList = array($primaryModule);
+ if(stripos($secondaryModules, ':') >= 0){
+ $secmodules = split(':', $secondaryModules);
+ $modulesList = array_merge($modulesList, $secmodules);
+ }else{
+ array_push($modulesList, $secondaryModules);
+ }
 $currentUser = Users_Record_Model::getCurrentUserModel();
 $userPrivilegesModel = Users_Privileges_Model::getInstanceById($currentUser->getId());
- $permission = $userPrivilegesModel->hasModulePermission($primaryModuleModel->getId());
- if(!$permission) {
- $viewer->assign('MODULE', $primaryModule);
- $viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED'));
- $viewer->view('OperationNotPermitted.tpl', $primaryModule);
- exit;
- }
+ foreach ($modulesList as $checkModule) {
+ $moduleInstance = Vtiger_Module_Model::getInstance($checkModule);
+ $permission = $userPrivilegesModel->hasModulePermission($moduleInstance->getId());
+ if(!$permission) {
+ $viewer->assign('MODULE', $primaryModule);
+ $viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED'));
+ $viewer->view('OperationNotPermitted.tpl', $primaryModule);
+ exit;
+ }
+ }
 $detailViewLinks = $detailViewModel->getDetailViewLinks();
diff --git a/modules/Reports/views/ExportReport.php b/modules/Reports/views/ExportReport.php
index f9e1431ce..997427fe1 100644
--- a/modules/Reports/views/ExportReport.php
+++ b/modules/Reports/views/ExportReport.php
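Review bot: The new `if(stripos($secondaryModules, ':') >= 0)` guard is always true, because `stripos()` returns `false` when no ':' is present and `false >= 0` is true under PHP's loose comparison, so the `else` branch is dead and `split()` — deprecated since PHP 5.3 and removed in PHP 7 — runs on every request. On PHP 7 the view therefore dies with an undefined-function error before the permission loop (fail-closed, but the report detail view becomes unusable), and on older PHP a report with no secondary modules yields `array('')` so `Vtiger_Module_Model::getInstance('')` is queried; if that helper returns null for an unknown name, `getId()` on it is a fatal error rather than a clean denial — I can't see that helper here, so please confirm. Replace the six-line if/else with `$modulesList = array($primaryModule);` `if ((string) $secondaryModules !== '') { $modulesList = array_merge($modulesList, explode(':', $secondaryModules)); }` and treat an entry for which `getInstance()` returns no module as denied rather than dereferencing it. The enclosing method of Reports_Detail_View starts and ends outside the hunk.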
@@ -45,6 +45,7 @@ class Reports_ExportReport_View extends Vtiger_View_Controller {
 function GetXLS(Vtiger_Request $request) {
 $recordId = $request->get('record');
 $reportModel = Reports_Record_Model::getInstanceById($recordId);
+ $this->checkReportModulePermission($request);
 $reportModel->set('advancedFilter', $request->get('advanced_filter'));
 $reportModel->getReportXLS($request->get('source'));
 }
@@ -56,6 +57,7 @@ class Reports_ExportReport_View extends Vtiger_View_Controller {
 function GetCSV(Vtiger_Request $request) {
 $recordId = $request->get('record');
 $reportModel = Reports_Record_Model::getInstanceById($recordId);
+ $this->checkReportModulePermission($request);
 $reportModel->set('advancedFilter', $request->get('advanced_filter'));
 $reportModel->getReportCSV($request->get('source'));
 }
@@ -70,6 +72,7 @@ class Reports_ExportReport_View extends Vtiger_View_Controller {
 $recordId = $request->get('record');
 $reportModel = Reports_Record_Model::getInstanceById($recordId);
+ $this->checkReportModulePermission($request);
 $reportModel->set('advancedFilter', $request->get('advanced_filter'));
 $printData = $reportModel->getReportPrint();
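Review bot: Each export action now calls `$this->checkReportModulePermission($request);` from inside its own body, after the report record has already been loaded, so the guard is opt-in per method — any other exposed action in this controller, or one added later, silently exports without it; the GetCSV and print hunks below follow the same pattern. A single check in the controller's permission hook (this class extends `Vtiger_View_Controller`, which in vtiger normally provides `checkPermission()` — confirm it is not already overridden here with something weaker) or at the top of `process()` would cover every entry point once and run before `Reports_Record_Model::getInstanceById()` is hit. Note also that `checkReportModulePermission()` re-loads the same record from `$request->get('record')`, so each export now instantiates the report model twice. The enclosing function of the third hunk (`@@ -70,6 +72,7 @@`) starts outside the hunk.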
@@ -81,4 +84,31 @@ class Reports_ExportReport_View extends Vtiger_View_Controller {
 $viewer->view('PrintReport.tpl', $moduleName);
 }
+
+ function checkReportModulePermission(Vtiger_Request $request){
+ $viewer = $this->getViewer($request);
+ $recordId = $request->get('record');
+ $reportModel = Reports_Record_Model::getInstanceById($recordId);
+ $primaryModule = $reportModel->getPrimaryModule();
+ $secondaryModules = $reportModel->getSecondaryModules();
+ $modulesList = array($primaryModule);
+ if(stripos($secondaryModules, ':') >= 0){
+ $secmodules = split(':', $secondaryModules);
+ $modulesList = array_merge($modulesList, $secmodules);
+ }else{
+ array_push($modulesList, $secondaryModules);
+ }
+ $currentUser = Users_Record_Model::getCurrentUserModel();
+ $userPrivilegesModel = Users_Privileges_Model::getInstanceById($currentUser->getId());
+ foreach ($modulesList as $checkModule) {
+ $moduleInstance = Vtiger_Module_Model::getInstance($checkModule);
+ $permission = $userPrivilegesModel->hasModulePermission($moduleInstance->getId());
+ if(!$permission) {
+ $viewer->assign('MODULE', $primaryModule);
+ $viewer->assign('MESSAGE', vtranslate('LBL_PERMISSION_DENIED'));
+ $viewer->view('OperationNotPermitted.tpl', $primaryModule);
+ exit;
+ }
+ }
+ }
 }
\ No newline at end of file
--
GitLab
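Review bot: `checkReportModulePermission()` copies the module-list parsing from Detail.php verbatim, including the `stripos($secondaryModules, ':') >= 0` test that is always true (`stripos()` returns `false` when ':' is absent, and `false >= 0` holds in PHP), so the `else` branch never runs and the removed-in-PHP-7 `split()` is called unconditionally — on PHP 7 every export dies with an undefined-function error before the loop. Fix it the same way in both places, `$modulesList = array($primaryModule);` `if ((string) $secondaryModules !== '') { $modulesList = array_merge($modulesList, explode(':', $secondaryModules)); }`, and ideally hoist the "report to list of modules to check" step into one method on `Reports_Record_Model` so the two views cannot drift apart again. Inside the loop, `Vtiger_Module_Model::getInstance($checkModule)` is dereferenced without checking that it returned a module; if it can return null for an unknown or empty name (which the dead else-branch would have produced), that is a fatal error rather than a deliberate denial — treat a missing module as permission denied. The denial path itself is sound: it renders `OperationNotPermitted.tpl` and `exit`s before any export code runs, so the check fails closed.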