X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=CRM%2FAdmin%2FForm%2FMessageTemplates.php;h=d316d559e26873e28c897d02afb3655863b759ca;hb=80c2f8d77bcc103cdb9f8a6fb589fd154d6e8dc3;hp=6a0b2c86aa68aa089fab6a842defeacf08a2de8f;hpb=05328349418e23e4ac7dc2353b89a8864818ca63;p=civicrm-core.git
diff --git a/CRM/Admin/Form/MessageTemplates.php b/CRM/Admin/Form/MessageTemplates.php
index 6a0b2c86aa..d316d559e2 100644
--- a/CRM/Admin/Form/MessageTemplates.php
+++ b/CRM/Admin/Form/MessageTemplates.php
@@ -1,7 +1,7 @@ _workflow_id = CRM_Utils_Array::value('workflow_id', $this->_values);
+ $this->checkUserPermission($this->_workflow_id);
 $this->assign('workflow_id', $this->_workflow_id);
 if ($this->_workflow_id) {
@@ -214,6 +215,26 @@ class CRM_Admin_Form_MessageTemplates extends CRM_Admin_Form {
 }
 }
+ /**
+ * Restrict users access based on permission
+ *
+ * @param int $workflowId
+ */
+ private function checkUserPermission($workflowId) {
+ if (isset($workflowId)) {
+ $canView = CRM_Core_Permission::check('edit system workflow message templates');
+ }
+ else {
+ $canView = CRM_Core_Permission::check('edit user-driven message templates');
+ }
+
+ if (!$canView && !CRM_Core_Permission::check('edit message templates')) {
+ CRM_Core_Session::setStatus(ts('You do not have permission to view requested page.'), ts('Access Denied'));
+ $url = CRM_Utils_System::url('civicrm/admin/messageTemplates', "reset=1");
+ CRM_Utils_System::redirect($url);
+ }
+ }
+ /** * Global form rule. *
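Review bot: `checkUserPermission()` chooses the required permission with `isset($workflowId)`, while the calling code visible in the earlier hunk classifies the template with the truthiness test `if ($this->_workflow_id)`; if the loaded value can ever be `0` or an empty string rather than NULL (not visible here), the two disagree and a user holding only 'edit system workflow message templates' would pass the gate for a template the form then treats as user-driven. Using the same test in both places, `if ($workflowId) {`, keeps the permission check and the form in agreement. The denial branch also depends on `CRM_Utils_System::redirect()` ending the request, because nothing after it stops `preProcess()` from going on to assign and render the template; a comment such as `// Relies on redirect() ending the request; preProcess() must not continue for a denied user.` would record that assumption. The docblock could additionally name the three permissions and state that 'edit message templates' grants access to both kinds of template. `preProcess()` begins and ends outside the lines shown, so whether the same gate covers every action of the form cannot be confirmed from this diff.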