From 5a748f52c9e6c1ad4aa5e7715b46024d4d678acf Mon Sep 17 00:00:00 2001
From: Ahmad Gneady <support@bigprof.com>
Date: Sun, 4 Jul 2021 00:54:22 +0200
Subject: [PATCH] Fix: unprivileged user can add references to a applicant

---
 app/hooks/references.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/hooks/references.php b/app/hooks/references.php
index 125c81d..3035241 100644
--- a/app/hooks/references.php
+++ b/app/hooks/references.php
@@ -1,10 +1,10 @@
 <?php
 	// For help on using hooks, please refer to http://bigprof.com/appgini/help/working-with-generated-web-database-application/hooks
 
-	function references_init(&$options, $memberInfo, &$args){
-		/* Inserted by Search Page Maker for AppGini on 2020-11-18 12:19:27 */
-		$options->FilterPage = 'hooks/references_filter.php';
-		/* End of Search Page Maker for AppGini code */
+	function references_init(&$options, $memberInfo, &$args){
+		/* Inserted by Search Page Maker for AppGini on 2020-11-18 12:19:27 */
+		$options->FilterPage = 'hooks/references_filter.php';
+		/* End of Search Page Maker for AppGini code */
 
 
 		return TRUE;
@@ -75,6 +75,8 @@ function references_footer($contentType, $memberInfo, &$args){
 	}
 
 	function references_before_insert(&$data, $memberInfo, &$args){
+		// can current user view this parent?
+		if(!check_record_permission('applicants_and_tenants', $data['tenant'])) return false;
 
 		return TRUE;
 	}
@@ -85,6 +87,8 @@ function references_after_insert($data, $memberInfo, &$args){
 	}
 
 	function references_before_update(&$data, $memberInfo, &$args){
+		// can current user view this parent?
+		if(!check_record_permission('applicants_and_tenants', $data['tenant'])) return false;
 
 		return TRUE;
 	}