CRM - Lead: prevent access denied for upadtes on related records
authorPaul Mehrer <p.mehrer@metaways.de>
Thu, 14 Jan 2016 12:58:15 +0000 (13:58 +0100)
committerPhilipp Schüle <p.schuele@metaways.de>
Mon, 18 Jan 2016 11:36:16 +0000 (12:36 +0100)
checking access rights now before doing the update
if no rights present, update is skipped to prevent total failure
also fixed PHP notice "undefined index" when summing product prices

Change-Id: I43be3b15f2d4c78fd32b04224c5dee8a92b0cc05
Reviewed-on: http://gerrit.tine20.com/customers/2582
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
Tested-by: Jenkins CI (http://ci.tine20.com/)
tine20/Crm/Controller/Lead.php
tine20/Tinebase/Relations.php

index 06277de..830f5b1 100644 (file)
@@ -325,7 +325,7 @@ class Crm_Controller_Lead extends Tinebase_Controller_Record_Abstract
                 }
                 
                 // check if relation is product and has price
-                if ($relation['type'] == 'PRODUCT') {
+                if ($relation['type'] == 'PRODUCT' && isset($relation['remark']['price'])) {
                     $quantity = (isset($relation['remark']['quantity'])) ? $relation['remark']['quantity'] : 1;
                     $sum += $relation['remark']['price'] * (integer) $quantity;
                 }
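Review bot: The added `isset($relation['remark']['price'])` on the `if` line only proves the key is present, while the multiplication on the next line still assumes the value is numeric; a non-numeric remark value (a string or an array stored under `price`) would still produce a warning, or a TypeError on newer PHP, instead of being skipped like a missing price. Tightening the guard to `if ($relation['type'] === 'PRODUCT' && isset($relation['remark']['price']) && is_numeric($relation['remark']['price'])) {` keeps the sum defined for whatever is stored in the remark, and the strict comparison avoids loose matching on the type string. The enclosing method starts and ends outside the hunk.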
index f88604d..43184ab 100644 (file)
@@ -138,8 +138,12 @@ class Tinebase_Relations
                 )) {
                     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__
                         . ' Related record diff: ' . print_r($current->related_record->diff($update->related_record)->toArray(), true));
-                    
-                    $this->_setAppRecord($update);
+
+                    if ( !$update->related_record->has('container_id') ||
+                        Tinebase_Container::getInstance()->hasGrant(Tinebase_Core::getUser()->getId(), $update->related_record->container_id,
+                            array(Tinebase_Model_Grants::GRANT_EDIT, Tinebase_Model_Grants::GRANT_ADMIN)) ) {
+                        $this->_setAppRecord($update);
+                    }
                 }
             }
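Review bot: When the grant check on the new `if` fails, the related record update is dropped silently, so neither the user whose edit did not propagate nor an admin reading the logs has any trace of it; the TRACE line just above the condition shows the file's logging style, and a matching `elseif` branch would make the skip visible: `} elseif (Tinebase_Core::isLogLevel(Zend_Log::NOTICE)) {` / `Tinebase_Core::getLogger()->notice(__METHOD__ . '::' . __LINE__ . ' Skipping related record update: no EDIT/ADMIN grant on container ' . $update->related_record->container_id);` / `}`. The first operand of the condition also means records without a `container_id` are updated with no grant check at all, which deserves a short comment stating that this is intended. The `hasGrant()` call passes `Tinebase_Core::getUser()->getId()` directly, which presumably requires a logged-in user; confirm this path is never reached from a context without one. The enclosing method starts and ends outside the hunk.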