mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-07 16:44:20 +01:00
Fix ACL error allowing regular users to delete global categories
parent
afa106cbf3
commit
f1837813a4
@ -369,6 +369,17 @@ class admin_categories
|
||||
{
|
||||
$row['class'] .= ' rowNoEdit rowNoDelete ';
|
||||
}
|
||||
else if (!$GLOBALS['egw_info']['user']['apps']['admin'])
|
||||
{
|
||||
if(!$cats->check_perms(EGW_ACL_EDIT, $row['id']))
|
||||
{
|
||||
$row['class'] .= ' rowNoEdit';
|
||||
}
|
||||
if(!$cats->check_perms(EGW_ACL_DELETE, $row['id']))
|
||||
{
|
||||
$row['class'] .= ' rowNoDelete';
|
||||
}
|
||||
}
|
||||
// Can only edit (via context menu) categories for the selected app (backend restriction)
|
||||
if($row['appname'] != $query['appname'] || (array_sum($row['owner']) > 0))
|
||||
{
|
||||
@ -661,11 +672,18 @@ class admin_categories
|
||||
switch($action)
|
||||
{
|
||||
case 'delete':
|
||||
$action_msg = lang('deleted');
|
||||
foreach($checked as $id)
|
||||
{
|
||||
$cats->delete($id,$settings == 'sub',$settings != 'sub');
|
||||
$action_msg = lang('deleted');
|
||||
$success++;
|
||||
if($cats->check_perms(EGW_ACL_DELETE, $id, (boolean)$GLOBALS['egw_info']['user']['apps']['admin']))
|
||||
{
|
||||
$cats->delete($id,$settings == 'sub',$settings != 'sub');
|
||||
$success++;
|
||||
}
|
||||
else
|
||||
{
|
||||
$failed++;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case 'owner':
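Review bot: In the second hunk the new `check_perms(EGW_ACL_DELETE, $id, …)` guard covers only `case 'delete':`; the `case 'owner':` branch beginning on the last line is cut off by the hunk, so it is not visible whether the other bulk actions in this switch check the ACL on the server. The `rowNoEdit`/`rowNoDelete` classes added in the first hunk only hide menu entries in the list and do not restrict what a request can submit, so each remaining case presumably needs an equivalent per-id `check_perms` call with the matching right (likely `EGW_ACL_EDIT`). The admin flag is read as `(boolean)$GLOBALS['egw_info']['user']['apps']['admin']` on every iteration, which raises a notice when the key is absent; hoisting `$is_admin = !empty($GLOBALS['egw_info']['user']['apps']['admin']);` above the `foreach` would avoid that. Where `$failed` is initialised and whether it is reported to the user lies outside the hunk and is worth confirming, since a silently skipped delete would otherwise look like success.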
|
||||
|