Security/core#61 Limit Access to update smart group task to only if the logged in...
authorSeamus Lee <seamuslee001@gmail.com>
Wed, 29 Apr 2020 07:53:46 +0000 (17:53 +1000)
committerSeamus Lee <seamuslee001@gmail.com>
Wed, 19 Aug 2020 06:16:57 +0000 (16:16 +1000)
Put a permission restriction on loading the page without the manage-groups permission when a saved search id is specified in the URL.

CRM/Contact/Form/Search.php
CRM/Core/Task.php

index 322dc47e317bb42c42bd06f7eca146b49ce6b204..2af1c15e70be24cd20458251e8848f9b345f0fda 100644 (file)
@@ -529,6 +529,10 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
     $this->_componentMode = CRM_Utils_Request::retrieve('component_mode', 'Positive', $this, FALSE, CRM_Contact_BAO_Query::MODE_CONTACTS, $_REQUEST);
     $this->_operator = CRM_Utils_Request::retrieve('operator', 'String', $this, FALSE, CRM_Contact_BAO_Query::SEARCH_OPERATOR_AND, 'REQUEST');
 
+    if (!empty($this->_ssID) && !CRM_Core_Permission::check('edit groups')) {
+      CRM_Core_Error::statusBounce(ts('You do not have permission to modify smart groups'));
+    }
+
     /**
      * set the button names
      */
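Review bot: The added bounce (L16-L18) denies the entire search page, not just the update-smart-group task, to any request that carries an ssID without the 'edit groups' permission; if users with only search/view access can legitimately open a smart group's saved criteria this way (the hunk does not show where $this->_ssID is populated, so I cannot tell), the restriction is broader than the task-level gate and the message "You do not have permission to modify smart groups" would be misleading on a read-only load. The commit description speaks of a "manage groups" permission while the code checks `'edit groups'`; aligning the two avoids confusion when the permission model is audited later. A short why-comment would help the next reader, e.g. `// A saved search id in the request means a smart group may be modified from this page; require 'edit groups' up front so the page and the task list agree.` The enclosing method starts and ends outside this hunk.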
index 40985c4b451b6b99720b049adf1fe584d488ad52..a947f4729c001b9fd6fb7cfdbd10d770ed01a87e 100644 (file)
@@ -132,7 +132,7 @@ abstract class CRM_Core_Task {
    */
   public static function corePermissionedTaskTitles($tasks, $permission, $params) {
     // Only offer the "Update Smart Group" task if a smart group/saved search is already in play and we have edit permissions
-    if (!empty($params['ssID']) && ($permission == CRM_Core_Permission::EDIT)) {
+    if (!empty($params['ssID']) && ($permission == CRM_Core_Permission::EDIT) && CRM_Core_Permission::check('edit groups')) {
       $tasks[self::SAVE_SEARCH_UPDATE] = self::$_tasks[self::SAVE_SEARCH_UPDATE]['title'];
     }
     else {
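Review bot: With the new `CRM_Core_Permission::check('edit groups')` conjunct on L29, a request that has an ssID and EDIT permission but lacks 'edit groups' now falls into the `else` branch on L32 instead of simply not getting the update task; if that branch offers the create-smart-group task (its body is outside the hunk), such a user is refused updating a smart group yet offered creating one, which looks inconsistent with the commit's intent. If only the update task should be gated, consider `elseif (empty($params['ssID']))` for the else, or apply the same permission check inside that branch, whichever matches the intended policy. The comment on L27 should also name the new gate: `// Only offer "Update Smart Group" when a saved search is in play, the caller has EDIT, and the user holds 'edit groups'.` corePermissionedTaskTitles continues past the end of this hunk.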