X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=CRM%2FCase%2FPage%2FAJAX.php;h=9479fbf5c3ca3f96bd95339d69ee40cf7b7b4881;hb=6c6c5975dc0c5af5bade49cbb4936ddd5b3d7613;hp=e685b96e185ef5ec300712accc9898db92e7be0a;hpb=ba9eb348014a1316a8874e26033c1cbb54b62b67;p=civicrm-core.git
diff --git a/CRM/Case/Page/AJAX.php b/CRM/Case/Page/AJAX.php
index e685b96e18..9479fbf5c3 100644
--- a/CRM/Case/Page/AJAX.php
+++ b/CRM/Case/Page/AJAX.php
@@ -66,13 +66,12 @@ class CRM_Case_Page_AJAX {
   function processCaseTags() {
-    $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
+    $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
     $tags = CRM_Utils_Type::escape($_POST['tag'], 'String');
     $tagList = $_POST['taglist'];
 
-    if (empty($caseId)) {
-      echo 'false';
-      CRM_Utils_System::civiExit();
+    if (!CRM_Case_BAO_Case::accessCase($caseId)) {
+      CRM_Utils_System::permissionDenied();
     }
 
     $tagIds = array();
@@ -125,7 +124,12 @@ class CRM_Case_Page_AJAX {
   }
 
   function caseDetails() {
-    $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Integer');
+    $caseId = CRM_Utils_Type::escape($_GET['caseId'], 'Positive');
+
+    if (!CRM_Case_BAO_Case::accessCase($caseId, FALSE)) {
+      CRM_Utils_System::permissionDenied();
+    }
+
     $sql = "SELECT civicrm_case.*, civicrm_case_type.title as case_type
 FROM civicrm_case
 INNER JOIN civicrm_case_type ON civicrm_case.case_type_id = civicrm_case_type.id
@@ -154,8 +158,12 @@ class CRM_Case_Page_AJAX {
   }
 
   function addClient() {
-    $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Integer');
-    $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Integer');
+    $caseId = CRM_Utils_Type::escape($_POST['caseID'], 'Positive');
+    $contactId = CRM_Utils_Type::escape($_POST['contactID'], 'Positive');
+
+    if (!$contactId || !CRM_Case_BAO_Case::accessCase($caseId)) {
+      CRM_Utils_System::permissionDenied();
+    }
 
     $params = array(
       'case_id' => $caseId,
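Review bot: The new guard in processCaseTags calls CRM_Utils_System::permissionDenied() but does not itself stop execution, whereas the branch it replaces ended with civiExit(); if permissionDenied() returns under any UF integration, the tag update below still runs against the case the caller was denied. Adding an explicit `CRM_Utils_System::civiExit();` (or a `return;`) directly after the permissionDenied() call makes the denial unconditional regardless of how the UF hook behaves, and the same applies to the other call sites in this change. Separately, `$tagList = $_POST['taglist'];` is still taken raw from the request while case_id and tag are escaped, so it is worth confirming how it is consumed further down. processCaseTags continues past the end of the hunk, and the hunk header's line count suggests a couple of trailing context lines are not shown here.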
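Review bot: The `FALSE` passed as the second argument to accessCase() in caseDetails is the only call in this change that uses it, and nothing in the hunk says what it relaxes; a one-line comment above the check such as `// read-only view: second arg presumably skips the stricter write-level check — confirm against CRM_Case_BAO_Case::accessCase()` would stop the next maintainer from copying either variant into the wrong endpoint. As in the other hunks, permissionDenied() is not followed by civiExit()/return, so if it ever returns the SELECT below still runs with the denied caseId. The function body and the SQL string continue past the hunk.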
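Review bot: addClient now verifies the caller's access to the case, but nothing in the new code checks that the caller is allowed to see or act on `$contactId`, so under per-contact ACLs an authorised case user could attach an arbitrary contact id as a client; if the codebase has a contact-level permission helper it should be applied to `$contactId` alongside accessCase(), but none is visible in this hunk so I am not naming one. The `!$contactId` guard also reports a missing or non-positive contact id as a permission denial rather than a bad request, which will make client-side failures hard to diagnose; a distinct error response for that case would be clearer. The function continues beyond the hunk.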
@@ -193,8 +201,12 @@ class CRM_Case_Page_AJAX {
    * Delete relationships specific to case and relationship type
    */
   static function deleteCaseRoles() {
-    $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Integer');
-    $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Integer');
+    $caseId = CRM_Utils_Type::escape($_POST['case_id'], 'Positive');
+    $relType = CRM_Utils_Type::escape($_POST['rel_type'], 'Positive');
+
+    if (!$relType || !CRM_Case_BAO_Case::accessCase($caseId)) {
+      CRM_Utils_System::permissionDenied();
+    }
 
     $sql = "DELETE FROM civicrm_relationship WHERE case_id={$caseId} AND relationship_type_id={$relType}";
     CRM_Core_DAO::executeQuery($sql);
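Review bot: The DELETE in deleteCaseRoles still interpolates `{$caseId}` and `{$relType}` straight into the SQL string; the 'Positive' escape makes that safe today, but it depends on every future edit keeping the escape in place, so binding them as parameters would be the robust shape, e.g. `CRM_Core_DAO::executeQuery('DELETE FROM civicrm_relationship WHERE case_id = %1 AND relationship_type_id = %2', array(1 => array($caseId, 'Positive'), 2 => array($relType, 'Positive')));` if that is the params form executeQuery accepts elsewhere in the codebase. The permissionDenied() call is likewise not followed by civiExit()/return, so the delete would still execute if it ever returns; for a destructive POST endpoint an explicit exit after the denial is worth the extra line. I cannot tell from the hunk whether a CSRF/qfKey check is applied upstream for these AJAX calls; if none is, this endpoint is reachable by a forged cross-site POST from any page a logged-in user visits.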