sec(Workflow) restrict access to system workflows: only admin can access
joebordes committed Oct 31, 2021
1 parent 4ddab26 commit 971ad65
Showing 3 changed files with 15 additions and 0 deletions.
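--- a/modules/com_vtiger_workflow/VTWorkflow.php
+++ b/modules/com_vtiger_workflow/VTWorkflow.php
@@ -194,6 +194,11 @@ public function setup($row) {
 }
 }
 
+public function checkNonAdminAccess() {
+global $current_user;
+return (is_admin($current_user) || $this->defaultworkflow != 1);
+}
+
 public function evaluate($entityCache, $id) {
 if ($this->test=='') {
 return true;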
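Review bot: `checkNonAdminAccess()` fails open when `defaultworkflow` is missing, because `$this->defaultworkflow != 1` is true for null or an unset property, so a workflow object built without that field is treated as a non-system workflow. Whether `setup($row)` always populates it is not visible in this hunk and should be confirmed; a deny-by-default form would be `return is_admin($current_user) || (isset($this->defaultworkflow) && (int)$this->defaultworkflow !== 1);`. The guard is also opt-in for every caller, and this commit wires it into the two edit views only, so any handler that saves or deletes workflows and tasks and can be requested directly needs the same call. A one-line docblock stating that the method returns true when the current user may open the workflow would help, since the name does not say which way the boolean goes.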
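--- a/modules/com_vtiger_workflow/edittask.php
+++ b/modules/com_vtiger_workflow/edittask.php
@@ -62,6 +62,11 @@ function vtTaskEdit($adb, $request, $current_language, $app_strings) {
 $util->redirectTo($errorUrl, $mod['LBL_ERROR_NO_WORKFLOW']);
 return;
 }
+if (!$workflow->checkNonAdminAccess()) {
+$errorUrl = $module->errorPageUrl(getTranslatedString('LBL_PERMISSION'));
+$util->redirectTo($errorUrl, getTranslatedString('LBL_PERMISSION'));
+return;
+}
 
 $module->setReturnUrl('');
 $returnUrl = $module->editWorkflowUrl($task->workflowId);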
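Review bot: The deny block added after the missing-workflow check is repeated verbatim in editworkflow.php, so the two copies of an access-control decision can drift apart when one is changed later. It also resolves `getTranslatedString('LBL_PERMISSION')` twice; holding it once, `$msg = getTranslatedString('LBL_PERMISSION');`, and passing `$msg` to both `errorPageUrl()` and `redirectTo()` reads more clearly, and a small shared helper for the redirect would keep both call sites identical. The denial is not recorded anywhere visible in the hunk, so a log entry naming the user and the workflow id would make probing of system workflows detectable. vtTaskEdit starts and ends outside the hunk.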
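--- a/modules/com_vtiger_workflow/editworkflow.php
+++ b/modules/com_vtiger_workflow/editworkflow.php
@@ -45,6 +45,11 @@ function vtWorkflowEdit($adb, $request, $requestUrl, $current_language, $app_str
 } else {
 if (isset($request['workflow_id'])) {
 $workflow = $wfs->retrieve($request['workflow_id']);
+if (!$workflow->checkNonAdminAccess()) {
+$errorUrl = $module->errorPageUrl(getTranslatedString('LBL_PERMISSION'));
+$util->redirectTo($errorUrl, getTranslatedString('LBL_PERMISSION'));
+return;
+}
 if ($workflow->executionCondition!=VTWorkflowManager::$ON_SCHEDULE) {
 $smarty->assign('MaxAllowedScheduledWorkflows', $wfs->getMaxAllowedScheduledWorkflows());
 } else {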
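Review bot: The new call on `$workflow` follows `$wfs->retrieve($request['workflow_id'])` directly, with no check that a workflow was actually found. If `retrieve()` can return null or false for an unknown id (its body is not visible here), `$workflow->checkNonAdminAccess()` ends the request with a fatal error instead of the permission page. edittask.php handles the missing-workflow case before its check; here the guard could be `if (empty($workflow) || !$workflow->checkNonAdminAccess()) {`, which also gives the same answer for a nonexistent id and a forbidden one. vtWorkflowEdit continues outside the hunk.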
