SuiteCRM 7.12.5 Release

salesagility · Mar 1, 2022 · e93b269 · e93b269
1 parent e9414a1
commit e93b269
Show file tree

Hide file tree

Showing 12 changed files with 127 additions and 55 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.4
+# SuiteCRM 7.12.5
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

diff --git a/files.md5 b/files.md5
diff --git a/modules/AOR_Scheduled_Reports/AOR_Scheduled_Reports.php b/modules/AOR_Scheduled_Reports/AOR_Scheduled_Reports.php
@@ -83,9 +83,7 @@ public function bean_implements($interface)
 
     public function save($check_notify = false)
     {
-        if (isset($_POST['email_recipients']) && is_array($_POST['email_recipients'])) {
-            $this->email_recipients = base64_encode(serialize($_POST['email_recipients']));
-        }
+        $this->parseRecipients();
 
         return parent::save($check_notify);
     }
@@ -180,7 +178,7 @@ public function shouldRun(DateTime $date)
         }
 
         $lastRun = $this->last_run ? $timedate->fromDb($this->last_run) : $timedate->fromDb($this->date_entered);
-        
+
         $this->handleTimeZone($lastRun);
         $next = $cron->getNextRunDate($lastRun);
 
@@ -200,4 +198,26 @@ protected function handleTimeZone(DateTime $date)
         $date->modify($offset . 'second');
     }
 
+    /**
+     * Parse and set recipients
+     * @return void
+     */
+    protected function parseRecipients(): void
+    {
+        $recipients = $_POST['email_recipients'] ?? null;
+        unset($_POST['email_recipients'], $_REQUEST['email_recipients'], $_GET['email_recipients']);
+        $this->email_recipients = null;
+
+        if (is_array($recipients)) {
+            $types = $recipients['email_target_type'] ?? [];
+            $emailInfo = $recipients['email'] ?? [];
+            $recipients = [
+                'email_target_type' => $types,
+                'email' => $emailInfo,
+            ];
+
+            $this->email_recipients = base64_encode(serialize($recipients));
+        }
+    }
+
 }
diff --git a/modules/Calendar/CalendarActivity.php b/modules/Calendar/CalendarActivity.php
@@ -266,11 +266,12 @@ public static function get_activities(
                 }
 
                 $focus_list = build_related_list_by_user_id($bean, $user_id, $where);
-                require_once 'modules/SecurityGroups/SecurityGroup.php';
+                //require_once 'modules/SecurityGroups/SecurityGroup.php';
                 foreach ($focus_list as $focusBean) {
                     if (isset($seen_ids[$focusBean->id])) {
                         continue;
                     }
+                    /* TODO update currently unused functionality, disabled as expensive
                     $in_group = SecurityGroup::groupHasAccess($key, $focusBean->id, 'list');
                     $show_as_busy = !ACLController::checkAccess(
                         $key,
@@ -279,7 +280,7 @@ public static function get_activities(
                         'module',
                         $in_group
                     );
-                    $focusBean->show_as_busy = $show_as_busy;
+                    $focusBean->show_as_busy = $show_as_busy;*/
 
                     $seen_ids[$focusBean->id] = 1;
                     $act = new CalendarActivity($focusBean);

diff --git a/modules/Employees/Employee.php b/modules/Employees/Employee.php
@@ -186,6 +186,11 @@ public function list_view_parse_additional_sections(&$list_form/*, $xTemplateSec
 
     public function create_export_query($order_by, $where, $relate_link_join = '')
     {
+        global $current_user;
+        if (!is_admin($current_user)) {
+            throw new RuntimeException('Not authorized');
+        }
+
         include('modules/Employees/field_arrays.php');
 
         $cols = '';

diff --git a/modules/ModuleBuilder/Module/IconRepository.php b/modules/ModuleBuilder/Module/IconRepository.php
@@ -14,14 +14,13 @@ class IconRepository
      */
     private static $iconNames = [
         AOS_Contracts::class => 'aos-contracts-signature',
+        AOR_Scheduled_Reports::class => 'aor-reports',
         'EmailTemplates' => 'emails',
         'Employees' => 'users',
         jjwg_Address_Cache::class => 'jjwg-markers',
         'ProjectTask' => 'am-tasktemplates',
         AM_ProjectTemplates::class => 'am-tasktemplates',
-        'SurveyQuestionOptions' => self::DEFAULT_ICON,
-        'SurveyQuestionResponses' =>  self::DEFAULT_ICON,
-        'SurveyQuestions' => self::DEFAULT_ICON,
+        'SurveyQuestionResponses' =>  'survey-responses',
         'SurveyResponses' => 'survey-responses',
         'Prospects' => 'targets'
     ];
@@ -33,8 +32,6 @@ class IconRepository
      */
     public static function getIconName($module)
     {
-        return isset(static::$iconNames[$module])
-            ? static::$iconNames[$module]
-            : strtolower(str_replace('_', '-', $module));
+        return static::$iconNames[$module] ?? strtolower(str_replace('_', '-', $module));
     }
 }
diff --git a/modules/ProspectLists/Duplicate.php b/modules/ProspectLists/Duplicate.php
@@ -55,11 +55,11 @@
 if (isset($_POST['isDuplicate']) && $_POST['isDuplicate'] == true) {
     $focus->id='';
     $focus->name=$mod_strings['LBL_COPY_PREFIX'].' '.$focus->name;
-    
+
     $focus->save();
     $return_id=$focus->id;
     //duplicate the linked items.
-    $query  = "select * from prospect_lists_prospects where prospect_list_id = '".$_POST['record']."'";
+    $query  = "select * from prospect_lists_prospects where prospect_list_id = '". $focus->db->quote($_POST['record']) ."'";
     $result = $focus->db->query($query);
     if ($result != null) {
         while (($row = $focus->db->fetchByAssoc($result)) != null) {

diff --git a/modules/Users/User.php b/modules/Users/User.php
@@ -606,6 +606,10 @@ public function save($check_notify = false)
     {
         global $current_user, $mod_strings;
 
+        if (!$this->hasSaveAccess()) {
+           throw new RuntimeException('Not authorized');
+        }
+
         $msg = '';
 
         $isUpdate = !empty($this->id) && !$this->new_with_id;
@@ -1591,6 +1595,11 @@ public static function getActiveUsers()
 
     public function create_export_query($order_by, $where, $relate_link_join = '')
     {
+        global $current_user;
+        if (!is_admin($current_user)) {
+            throw new RuntimeException('Not authorized');
+        }
+
         include('modules/Users/field_arrays.php');
 
         $cols = '';
@@ -2437,4 +2446,25 @@ public function getSubTheme()
         }
         return $subTheme;
     }
+
+    /**
+     * Check if current user can save the current user record
+     * @return bool
+     */
+    protected function hasSaveAccess(): bool
+    {
+        global $current_user;
+
+        if (empty($this->id)) {
+            return true;
+        }
+
+        if (empty($current_user->id)) {
+            return true;
+        }
+
+        $sameUser = $current_user->id === $this->id;
+
+        return $sameUser || is_admin($current_user);
+    }
 }
diff --git a/modules/vCals/vCal.php b/modules/vCals/vCal.php
@@ -123,7 +123,7 @@ public function get_freebusy_lines_cache(&$user_bean)
         public function create_sugar_freebusy($user_bean, $start_date_time, $end_date_time)
         {
             $ical_array = array();
-            global $DO_USER_TIME_OFFSET, $timedate, $current_user;
+            global $DO_USER_TIME_OFFSET, $timedate;
 
             $DO_USER_TIME_OFFSET = true;
             if (empty($GLOBALS['current_user']) || empty($GLOBALS['current_user']->id)) {
@@ -138,11 +138,11 @@ public function create_sugar_freebusy($user_bean, $start_date_time, $end_date_ti
             // loop thru each activity, get start/end time in UTC, and return FREEBUSY strings
             foreach ($acts_arr as $act) {
                 if (empty($act->start_time)) {
-                    $startTime = $timedate->fromUser($act->sugar_bean->date_start, $user_bean);
+                    $act->start_time = $timedate->fromUser($act->sugar_bean->date_start, $user_bean);
                 }
 
                 if (empty($act->end_time)) {
-                    $endTime = $timedate->fromUser($act->sugar_bean->date_finish, $user_bean);
+                    $act->end_time = $timedate->fromUser($act->sugar_bean->date_finish, $user_bean);
                 }
 
                 $ID = $act->sugar_bean->id;

diff --git a/suitecrm_version.php b/suitecrm_version.php
@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.4';
-$suitecrm_timestamp = '2022-02-10 12:00:00';
+$suitecrm_version = '7.12.5';
+$suitecrm_timestamp = '2022-03-01 12:00:00';
diff --git a/tests/unit/phpunit/modules/Employees/EmployeeTest.php b/tests/unit/phpunit/modules/Employees/EmployeeTest.php
@@ -128,6 +128,8 @@ public function testcreate_export_query(): void
     {
         $employee = BeanFactory::newBean('Employees');
 
+        global $current_user;
+        $current_user->is_admin = '1';
         //test with empty string params
         $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE  users.deleted = 0 ORDER BY users.user_name";
         $actual = $employee->create_export_query('', '');
@@ -137,6 +139,11 @@ public function testcreate_export_query(): void
         $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE users.user_name=\"\" AND  users.deleted = 0 ORDER BY users.id";
         $actual = $employee->create_export_query('users.id', 'users.user_name=""');
         self::assertSame($expected, $actual);
+
+        $current_user->is_admin = '0';
+        $this->expectException(RuntimeException::class);
+        $employee->create_export_query('', '');
+
     }
 
     public function testpreprocess_fields_on_save(): void

diff --git a/tests/unit/phpunit/modules/Users/UserTest.php b/tests/unit/phpunit/modules/Users/UserTest.php
@@ -683,16 +683,22 @@ public function testcreate_export_query(): void
     {
         $user = BeanFactory::newBean('Users');
 
+        global $current_user;
+        $current_user->is_admin = '1';
         //test with empty string params
-        $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE  users.deleted = 0 AND users.is_admin=0 ORDER BY users.user_name";
+        $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE  users.deleted = 0 ORDER BY users.user_name";
         $actual = $user->create_export_query('', '');
         self::assertSame($expected, $actual);
 
 
         //test with valid string params
-        $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE user_name=\"\" AND  users.deleted = 0 AND users.is_admin=0 ORDER BY id";
+        $expected = "SELECT id, user_name, first_name, last_name, description, date_entered, date_modified, modified_user_id, created_by, title, department, is_admin, phone_home, phone_mobile, phone_work, phone_other, phone_fax, address_street, address_city, address_state, address_postalcode, address_country, reports_to_id, portal_only, status, receive_notifications, employee_status, messenger_id, messenger_type, is_group FROM users  WHERE user_name=\"\" AND  users.deleted = 0 ORDER BY id";
         $actual = $user->create_export_query('id', 'user_name=""');
         self::assertSame($expected, $actual);
+
+        $current_user->is_admin = '0';
+        $this->expectException(RuntimeException::class);
+        $user->create_export_query('', '');
     }