From 217a7b2b6a2ab1a2a016229b2a7840d9ab0b0e98 Mon Sep 17 00:00:00 2001
From: Ahmad Gneady
Date: Sat, 3 Jul 2021 02:46:08 +0200
Subject: [PATCH] Fix: unprivileged user can add item to a price-history
---
 app/hooks/item_prices.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/app/hooks/item_prices.php b/app/hooks/item_prices.php
index e622ed5..0e780ec 100644
--- a/app/hooks/item_prices.php
+++ b/app/hooks/item_prices.php
@@ -25,10 +25,10 @@
 * an error message to the user and stop displaying any data).
 */
- function item_prices_init(&$options, $memberInfo, &$args) {
- /* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
- $options->FilterPage = 'hooks/item_prices_filter.php';
- /* End of Search Page Maker for AppGini code */
+ function item_prices_init(&$options, $memberInfo, &$args) {
+ /* Inserted by Search Page Maker for AppGini on 2020-11-25 06:38:04 */
+ $options->FilterPage = 'hooks/item_prices_filter.php';
+ /* End of Search Page Maker for AppGini code */
 return TRUE;
@@ -158,6 +158,8 @@ function item_prices_footer($contentType, $memberInfo, &$args) {
 */
 function item_prices_before_insert(&$data, $memberInfo, &$args) {
+ // can current user view the item to which this item_price is assigned?
+ if(!check_record_permission('items', $data['item'])) return false;
 return TRUE;
 }
@@ -211,6 +213,8 @@ function item_prices_after_insert($data, $memberInfo, &$args) {
 */
 function item_prices_before_update(&$data, $memberInfo, &$args) {
+ // can current user view the item to which this item_price is assigned?
+ if(!check_record_permission('items', $data['item'])) return false;
 return TRUE;
 }
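Review bot: In item_prices_before_insert the added guard reads `$data['item']` without first confirming the key is present and non-empty, and the identical line is repeated in item_prices_before_update in the last hunk. What happens for a missing or empty item then depends on how check_record_permission treats an empty id, which this diff does not show. Failing closed explicitly would make the intent visible, e.g. `if(empty($data['item']) || !check_record_permission('items', $data['item'])) return false;`, assuming a price record must always reference an item. The call also leaves the permission level to the helper's default while the comment says "view", so the comment should state whether view access to the item is really the intended bar for attaching prices to it.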
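Review bot: In item_prices_before_update the new guard validates only the item value submitted in `$data['item']`, not the item the stored price record currently belongs to. Whether the existing parent is otherwise protected depends on how record-level permissions on item_prices are enforced, which is not visible in this diff, so this may already be covered elsewhere. If it is not, the hook should also load the record's current item by its primary key and apply the same check_record_permission test to it before returning TRUE. A comment such as `// checks the destination item only; current parent is covered by <mechanism>` would document the assumption either way.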