Merge branch '38276053_checkPermission_Overall' into 'master'

Check permission addressed on Accounts module and parent heirarchy

See merge request !368

modules/Accounts/views/AccountHierarchy.php

@@ -10,14 +10,13 @@
 
 class Accounts_AccountHierarchy_View extends Vtiger_View_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+		return $permissions;
+	}
+	
 	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
-		$moduleModel = Vtiger_Module_Model::getInstance($moduleName);
-
-		$currentUserPriviligesModel = Users_Privileges_Model::getCurrentUserPrivilegesModel();
-		if(!$currentUserPriviligesModel->hasModulePermission($moduleModel->getId())) {
-			throw new AppException(vtranslate($moduleName, $moduleName).' '.vtranslate('LBL_NOT_ACCESSIBLE'));
-		}
+		parent::checkPermission($request);
 	}
 	
 	function preProcess(Vtiger_Request $request, $display = true) {

modules/Vtiger/actions/Save.php

@@ -10,25 +10,25 @@
 
 class Vtiger_Save_Action extends Vtiger_Action_Controller {
 
+	public function requiresPermission(\Vtiger_Request $request) {
+		$record = $request->get('record');
+		$actionName = ($record) ? 'EditView' : 'CreateView';
+		$permissions[] = array('module_parameter' => 'module', 'action' => $actionName, 'record_parameter' => 'record');
+		$permissions[] = array('module_parameter' => 'module', 'action' => 'Save', 'record_parameter' => 'record');
+		return $permissions;
+	}
+	
 	public function checkPermission(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$record = $request->get('record');
 
-		$actionName = ($record) ? 'EditView' : 'CreateView';
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
 		if ($record) {
 			$recordEntityName = getSalesEntityType($record);
 			if ($recordEntityName !== $moduleName) {
 				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 			}
 		}
+		parent::checkPermission($request);
 	}
 	
 	public function validateRequest(Vtiger_Request $request) {

modules/Vtiger/views/Detail.php

@@ -26,22 +26,46 @@ class Vtiger_Detail_View extends Vtiger_Index_View {
 		$this->exposeMethod('showRelatedRecords');
 	}
 
+	public function requiresPermission(Vtiger_Request $request){
+		$mode = $request->getMode();
+		if(!empty($mode)) {
+			switch ($mode) {
+				case 'showModuleDetailView':
+				case 'showModuleSummaryView':
+				case 'showModuleBasicView':
+					$permission[] = array('module_parameter' => 'module', 'action' => 'DetailView', 'record_parameter' => 'record');
+					break;
+				case 'showRecentComments':
+				case 'showChildComments':
+					$permission[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');
+					$request->set('custom_module', 'ModComments');
+					break;
+				case 'showRelatedList':
+				case 'showRelatedRecords':
+					$permission[] = array('module_parameter' => 'relatedModule', 'action' => 'DetailView');
+					break;
+				case 'getActivities':
+					$permission[] = array('module_parameter' => 'custom_module', 'action' => 'DetailView');
+					$request->set('custom_module', 'Calendar');
+					break;
+				default:
+					break;
+			}
+		}
+		return $permission;
+	}
+	
 	function checkPermission(Vtiger_Request $request) {
 		$moduleName = $request->getModule();
 		$recordId = $request->get('record');
 
-		$recordPermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId);
-		if(!$recordPermission) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
-
 		if ($recordId) {
 			$recordEntityName = getSalesEntityType($recordId);
 			if ($recordEntityName !== $moduleName) {
 				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 			}
 		}
-		return true;
+		parent::checkPermission($request);
 	}
 
 	function preProcess(Vtiger_Request $request, $display=true) {

modules/Vtiger/views/Edit.php

@@ -14,18 +14,19 @@ Class Vtiger_Edit_View extends Vtiger_Index_View {
 		parent::__construct();
 	}
 
-	public function checkPermission(Vtiger_Request $request) {
-		$moduleName = $request->getModule();
+	public function requiresPermission(\Vtiger_Request $request) {
 		$record = $request->get('record');
-
 		$actionName = 'CreateView';
 		if ($record && !$request->get('isDuplicate')) {
 			$actionName = 'EditView';
 		}
-
-		if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
-			throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
-		}
+		$permissions[] = array('module_parameter' => 'module', 'action' => $actionName, 'record_parameter' => 'record');
+		return $permissions;
+	}
+	
+	public function checkPermission(Vtiger_Request $request) {
+		$moduleName = $request->getModule();
+		$record = $request->get('record');
 
 		if ($record) {
 			$recordEntityName = getSalesEntityType($record);
@@ -33,6 +34,7 @@ Class Vtiger_Edit_View extends Vtiger_Index_View {
 				throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
 			}
 		}
+		parent::checkPermission($request);
 	}
 
 	public function setModuleInfo($request, $moduleModel) {

modules/Vtiger/views/Index.php

@@ -14,11 +14,6 @@ class Vtiger_Index_View extends Vtiger_Basic_View {
 		parent::__construct();
 	}
 
-	function checkPermission(Vtiger_Request $request) {
-		//Return true as WebUI.php is already checking for module permission
-		return true;
-	}
-
 	public function preProcess (Vtiger_Request $request, $display=true) {
 		parent::preProcess($request, false);