Fix: unprivileged user can add item to a price-history

bigprof-software · Jul 3, 2021 · 217a7b2 · 217a7b2
1 parent 4464095
commit 217a7b2
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/app/hooks/item_prices.php b/app/hooks/item_prices.php
@@ -25,10 +25,10 @@
 	 * an error message to the user and stop displaying any data).
 	*/
 
-	function item_prices_init(&$options, $memberInfo, &$args) {
-		/* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
-		$options->FilterPage = 'hooks/item_prices_filter.php';
-		/* End of Search Page Maker for AppGini code */
+	function item_prices_init(&$options, $memberInfo, &$args) {
+		/* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
+		$options->FilterPage = 'hooks/item_prices_filter.php';
+		/* End of Search Page Maker for AppGini code */
 
 
 		return TRUE;
@@ -158,6 +158,8 @@ function item_prices_footer($contentType, $memberInfo, &$args) {
 	*/
 
 	function item_prices_before_insert(&$data, $memberInfo, &$args) {
+		// can current user view the item to which this item_price is assigned?
+		if(!check_record_permission('items', $data['item'])) return false;
 
 		return TRUE;
 	}
@@ -211,6 +213,8 @@ function item_prices_after_insert($data, $memberInfo, &$args) {
 	*/
 
 	function item_prices_before_update(&$data, $memberInfo, &$args) {
+		// can current user view the item to which this item_price is assigned?
+		if(!check_record_permission('items', $data['item'])) return false;
 
 		return TRUE;
 	}