From c242b3db91a4146556e696d4b2621a9c48047ddf Mon Sep 17 00:00:00 2001
From: Uma S <uma.s@vtiger.com>
Date: Mon, 22 Jul 2019 15:46:44 +0530
Subject: [PATCH] related module permission will be checked before process
 trigger

---
 modules/Vtiger/views/Detail.php      |  8 +++++++-
 modules/Vtiger/views/RelatedList.php | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/modules/Vtiger/views/Detail.php b/modules/Vtiger/views/Detail.php
index 4955ececa..f61c7b809 100644
--- a/modules/Vtiger/views/Detail.php
+++ b/modules/Vtiger/views/Detail.php
@@ -514,9 +514,15 @@ class Vtiger_Detail_View extends Vtiger_Index_View {
 				$targetControllerClass = Vtiger_Loader::getComponentClassName('View', 'RelatedList', $moduleName);
 			}
 		}
+		global $log;
+		$log->fatal('Related list target class => ');
+		$log->fatal($targetControllerClass);
 		if($targetControllerClass) {
 			$targetController = new $targetControllerClass();
-			return $targetController->process($request);
+			if($targetController->checkPermission($request)){
+				$log->fatal('Entered check permission loop');
+				return $targetController->process($request);
+			}
 		}
 	}
 
diff --git a/modules/Vtiger/views/RelatedList.php b/modules/Vtiger/views/RelatedList.php
index e24dd5082..0e62c383f 100644
--- a/modules/Vtiger/views/RelatedList.php
+++ b/modules/Vtiger/views/RelatedList.php
@@ -9,6 +9,17 @@
  *************************************************************************************/
 
 class Vtiger_RelatedList_View extends Vtiger_Index_View {
+	
+	function checkPermission(Vtiger_Request $request) {
+		$relatedModuleName = $request->get('relatedModule');
+
+		$relatedModulePermission = Users_Privileges_Model::isPermitted($relatedModuleName, 'DetailView');
+		if(!$relatedModulePermission) {
+			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+		}
+		return true;
+	}
+	
 	function process(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$relatedModuleName = $request->get('relatedModule');
-- 
GitLab