From 971ad65641e211ec8cf8e56517257d527051264b Mon Sep 17 00:00:00 2001
From: joebordes
Date: Sun, 31 Oct 2021 13:39:31 +0100
Subject: [PATCH] sec(Workflow) restrict access to system workflows: only admin can access

---
 modules/com_vtiger_workflow/VTWorkflow.php | 5 +++++
 modules/com_vtiger_workflow/edittask.php | 5 +++++
 modules/com_vtiger_workflow/editworkflow.php | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/modules/com_vtiger_workflow/VTWorkflow.php b/modules/com_vtiger_workflow/VTWorkflow.php
index 60a71f93e5..736f9eb0b0 100644
--- a/modules/com_vtiger_workflow/VTWorkflow.php
+++ b/modules/com_vtiger_workflow/VTWorkflow.php
@@ -194,6 +194,11 @@ public function setup($row) {
 }
 }
+ public function checkNonAdminAccess() {
+ global $current_user;
+ return (is_admin($current_user) || $this->defaultworkflow != 1);
+ }
+
 public function evaluate($entityCache, $id) {
 if ($this->test=='') {
 return true;
diff --git a/modules/com_vtiger_workflow/edittask.php b/modules/com_vtiger_workflow/edittask.php
index c88d1f156d..2139ce2d4f 100644
--- a/modules/com_vtiger_workflow/edittask.php
+++ b/modules/com_vtiger_workflow/edittask.php
@@ -62,6 +62,11 @@ function vtTaskEdit($adb, $request, $current_language, $app_strings) {
 $util->redirectTo($errorUrl, $mod['LBL_ERROR_NO_WORKFLOW']);
 return;
 }
+ if (!$workflow->checkNonAdminAccess()) {
+ $errorUrl = $module->errorPageUrl(getTranslatedString('LBL_PERMISSION'));
+ $util->redirectTo($errorUrl, getTranslatedString('LBL_PERMISSION'));
+ return;
+ }
 $module->setReturnUrl('');
 $returnUrl = $module->editWorkflowUrl($task->workflowId);
diff --git a/modules/com_vtiger_workflow/editworkflow.php b/modules/com_vtiger_workflow/editworkflow.php
index 60d7740a1b..200c5d22d5 100644
--- a/modules/com_vtiger_workflow/editworkflow.php
+++ b/modules/com_vtiger_workflow/editworkflow.php
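Review bot: checkNonAdminAccess() reads as a predicate about non-admin access but returns true when the current user is allowed to touch this workflow (admin, or `defaultworkflow != 1`), and both call sites in this commit negate it, so a docblock is needed to stop the next reader from inverting the test, e.g. `/** @return bool true when the current user may edit this workflow: admins always, non-admins only for non-system workflows (defaultworkflow != 1). */`. The check is also fail-open on the data side: the loose `!= 1` treats an unset, null or empty `defaultworkflow` as a non-system workflow and grants access, so the protection depends on setup() always populating the property from the row — worth confirming, since setup() is only partly visible here. The method relies on the global `$current_user`, which matches how is_admin() is used elsewhere in this codebase as far as the hunk shows.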
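Review bot: The new guard only gates rendering of the task edit form; the diffstat lists just VTWorkflow.php, edittask.php and editworkflow.php, so no save or delete handler is touched, and unless the task save endpoint already enforces the same rule a non-admin can still attach or modify a task on a system workflow by POSTing directly to it. The same `if (!$workflow->checkNonAdminAccess())` redirect belongs in whatever handler persists the task, after its own workflow lookup. Placing the check after the existing LBL_ERROR_NO_WORKFLOW redirect is correct here, since it dereferences `$workflow`. Minor: the hunk mixes `$mod['LBL_ERROR_NO_WORKFLOW']` and `getTranslatedString('LBL_PERMISSION')` for the same kind of redirect; either `getTranslatedString('LBL_PERMISSION', $module->name)` or a `$mod[...]` entry would keep the two branches consistent, assuming the label exists in the module's language file. vtTaskEdit() starts and ends outside the hunk.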
@@ -45,6 +45,11 @@ function vtWorkflowEdit($adb, $request, $requestUrl, $current_language, $app_str
 } else {
 if (isset($request['workflow_id'])) {
 $workflow = $wfs->retrieve($request['workflow_id']);
+ if (!$workflow->checkNonAdminAccess()) {
+ $errorUrl = $module->errorPageUrl(getTranslatedString('LBL_PERMISSION'));
+ $util->redirectTo($errorUrl, getTranslatedString('LBL_PERMISSION'));
+ return;
+ }
 if ($workflow->executionCondition!=VTWorkflowManager::$ON_SCHEDULE) {
 $smarty->assign('MaxAllowedScheduledWorkflows', $wfs->getMaxAllowedScheduledWorkflows());
 } else {
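Review bot: `$workflow->checkNonAdminAccess()` is called straight after `$wfs->retrieve($request['workflow_id'])` with no null guard, while the edittask.php hunk in this same commit redirects with LBL_ERROR_NO_WORKFLOW when retrieval yields nothing; if retrieve() returns null for an unknown `workflow_id`, a request with a bogus id now dies on a method call on null instead of reaching an error page. Folding the two conditions keeps it to one changed line: `if ($workflow == null || !$workflow->checkNonAdminAccess()) {` with the same redirect and return. That retrieve() can return null is inferred from the sibling hunk rather than visible here, so confirm against VTWorkflowManager. As with edittask.php, this protects only the edit view; the workflow save path is not part of this commit and should carry the same check. vtWorkflowEdit() starts and ends outside the hunk.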