From 96db3ecbff2df6b26e7d83222c1c739a79dcef9a Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Wed, 29 Apr 2020 17:53:46 +1000
Subject: [PATCH] Security/core#61 Limit Access to update smart group task to only if the logged in user has edit groups permission. Put a permission restriction on loading page without manage groups permission when saved search id is specified in the URL
---
 CRM/Contact/Form/Search.php | 4 ++++
 CRM/Core/Task.php | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CRM/Contact/Form/Search.php b/CRM/Contact/Form/Search.php
index 322dc47e31..2af1c15e70 100644
--- a/CRM/Contact/Form/Search.php
+++ b/CRM/Contact/Form/Search.php
@@ -529,6 +529,10 @@ class CRM_Contact_Form_Search extends CRM_Core_Form_Search {
 $this->_componentMode = CRM_Utils_Request::retrieve('component_mode', 'Positive', $this, FALSE, CRM_Contact_BAO_Query::MODE_CONTACTS, $_REQUEST);
 $this->_operator = CRM_Utils_Request::retrieve('operator', 'String', $this, FALSE, CRM_Contact_BAO_Query::SEARCH_OPERATOR_AND, 'REQUEST');
 
+ if (!empty($this->_ssID) && !CRM_Core_Permission::check('edit groups')) {
+ CRM_Core_Error::statusBounce(ts('You do not have permission to modify smart groups'));
+ }
+
 /**
 * set the button names
 */
diff --git a/CRM/Core/Task.php b/CRM/Core/Task.php
index 40985c4b45..a947f4729c 100644
--- a/CRM/Core/Task.php
+++ b/CRM/Core/Task.php
@@ -132,7 +132,7 @@ abstract class CRM_Core_Task {
 */
 public static function corePermissionedTaskTitles($tasks, $permission, $params) {
 // Only offer the "Update Smart Group" task if a smart group/saved search is already in play and we have edit permissions
- if (!empty($params['ssID']) && ($permission == CRM_Core_Permission::EDIT)) {
+ if (!empty($params['ssID']) && ($permission == CRM_Core_Permission::EDIT) && CRM_Core_Permission::check('edit groups')) {
 $tasks[self::SAVE_SEARCH_UPDATE] = self::$_tasks[self::SAVE_SEARCH_UPDATE]['title'];
 }
 else {
--
2.25.1
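Review bot: The new guard in Search.php bounces any request carrying a saved-search id unless the user holds `edit groups`, yet the commit message describes the page check as "manage groups" and nothing in the hunk records why merely loading a search with `ssID` (not just running the update task) needs edit rights, so a later maintainer could easily relax it. Add a why-comment above the check, e.g. `// A saved-search id in the request exposes the 'Update Smart Group' task and the saved criteria; gate the page on 'edit groups' here rather than relying on the task list filter alone.` The guard also depends on `$this->_ssID` having been assigned before these lines — that retrieval is outside the hunk, so it is worth confirming no code path (for example repopulation from submitted form values) sets it after this point and sidesteps the bounce. The enclosing method starts and ends outside the hunk.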
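Review bot: Filtering the offered task titles in `corePermissionedTaskTitles` is a UI measure rather than an enforcement point, and the comment above the condition still reads "and we have edit permissions" although the condition now additionally requires the `edit groups` permission. Update the comment to `// Only offer the "Update Smart Group" task when a saved search is in play, the caller has EDIT access and the user holds 'edit groups'.` Since this static helper lives on the abstract base class, any search form other than CRM_Contact_Form_Search that calls it with an `ssID` would presumably still need its own server-side check for a submitted `SAVE_SEARCH_UPDATE` task id, unless the task handler itself re-checks the permission — I cannot see that from this hunk, so please confirm. The `else` branch and the rest of the method continue outside the hunk.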