SuiteCRM 7.12.7 Release

salesagility · Aug 16, 2022 · 7b6ac1b · 7b6ac1b
1 parent 285c554
commit 7b6ac1b
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
   <img width="180px" height="41px" src="https://suitecrm.com/wp-content/uploads/2017/12/logo.png" align="right" />
 </a>
 
-# SuiteCRM 7.12.6
+# SuiteCRM 7.12.7
 
 [![Build Status](https://travis-ci.org/salesagility/SuiteCRM.svg?branch=hotfix)](https://travis-ci.org/salesagility/SuiteCRM)
 [![codecov](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix/graph/badge.svg)](https://codecov.io/gh/salesagility/SuiteCRM/branch/hotfix)

diff --git a/files.md5 b/files.md5
diff --git a/include/OutboundEmail/OutboundEmail.php b/include/OutboundEmail/OutboundEmail.php
@@ -500,6 +500,8 @@ protected function getValues(&$keys)
      */
     public function save()
     {
+        $this->checkSavePermissions();
+
         require_once('include/utils/encryption_utils.php');
         if (empty($this->id)) {
             $this->id = create_guid();
@@ -657,4 +659,44 @@ public function getMailerByName($user, $name)
 
         return $this->retrieve($a['id']);
     }
+
+    /**
+     * @return void
+     */
+    protected function checkSavePermissions(): void
+    {
+        global $log;
+
+
+        $original = null;
+
+        if (!empty($this->id)) {
+            $original = new OutboundEmail();
+            $original->retrieve($this->id);
+        }
+
+        if (empty($original)) {
+            $original = $this;
+        }
+
+        $type = $this->type ?? '';
+
+        $authenticatedUser = get_authenticated_user();
+        if ($authenticatedUser === null) {
+            $log->security("OutboundEmail::checkSavePermissions - not logged in - skipping check");
+            return;
+        }
+
+        if ($type === 'system' && !is_admin($authenticatedUser)) {
+            $log->security("OutboundEmail::checkSavePermissions - trying to save a system outbound email with non-admin user");
+            throw new RuntimeException('Access denied');
+        }
+
+        $oeUserId = $original->user_id ?? '';
+
+        if (!empty($oeUserId) && $oeUserId !== $authenticatedUser->id && !is_admin($authenticatedUser)) {
+            $log->security("OutboundEmail::checkSavePermissions - trying to save a outbound email for another user");
+            throw new RuntimeException('Access denied');
+        }
+    }
 }
diff --git a/include/utils.php b/include/utils.php
@@ -872,6 +872,27 @@ function get_user_name($id)
     return (empty($a)) ? '' : $a['user_name'];
 }
 
+/**
+ * Get currently authenticated user
+ * @return User
+ */
+function get_authenticated_user(): ?User {
+    $authenticatedUserId = $_SESSION['authenticated_user_id'] ?? '';
+
+    if (empty($authenticatedUserId)){
+        return null;
+    }
+
+    /** @var User $authenticatedUser */
+    $authenticatedUser = BeanFactory::getBean('Users', $authenticatedUserId);
+
+    if (empty($authenticatedUser)) {
+        return null;
+    }
+
+    return $authenticatedUser;
+}
+
 //TODO Update to use global cache
 /**
  * get_user_array.

diff --git a/modules/Emails/EmailUIAjax.php b/modules/Emails/EmailUIAjax.php
@@ -103,11 +103,12 @@ function handleSubs($subs, $email, $json, $user = null)
 $ie->email = $email;
 $json = getJSONobj();
 
+global $current_user;
 
 $showFolders = sugar_unserialize(base64_decode($current_user->getPreference('showFolders', 'Emails')));
 
 if (isset($_REQUEST['emailUIAction'])) {
-    if (isset($_REQUEST['user']) && $_REQUEST['user']) {
+    if (isset($_REQUEST['user']) && $_REQUEST['user'] && is_admin($current_user)) {
         $cid = $current_user->id;
         $current_user = BeanFactory::getBean('Users', $_REQUEST['user']);
     } else {

diff --git a/modules/Employees/Employee.php b/modules/Employees/Employee.php
@@ -314,6 +314,31 @@ public function save($check_notify = false)
             }
         }
 
+        if (!$this->hasSaveAccess()) {
+            throw new RuntimeException('Not authorized');
+        }
+
         return parent::save($check_notify);
     }
+
+    /**
+     * Check if current user can save the current employee record
+     * @return bool
+     */
+    protected function hasSaveAccess(): bool
+    {
+        global $current_user;
+
+        if (empty($this->id)) {
+            return true;
+        }
+
+        if (empty($current_user->id)) {
+            return false;
+        }
+
+        $sameUser = $current_user->id === $this->id;
+
+        return $sameUser || is_admin($current_user);
+    }
 }
diff --git a/modules/Users/GeneratePassword.php b/modules/Users/GeneratePassword.php
@@ -126,6 +126,12 @@
     // if i need to generate a password (not a link)
     $password = $isLink ? '' : User::generatePassword();
 
+$isPasswordGenerationActive = $res['SystemGeneratedPasswordON'] ?? false;
+if(!$isLink && empty($isPasswordGenerationActive)) {
+    echo 'Access Denied';
+    return;
+}
+
 // Create URL
 if ($isLink) {
     global $timedate;

diff --git a/suitecrm_version.php b/suitecrm_version.php
@@ -3,5 +3,5 @@
     die('Not A Valid Entry Point');
 }
 
-$suitecrm_version = '7.12.6';
-$suitecrm_timestamp = '2022-05-19 12:00:00';
+$suitecrm_version = '7.12.7';
+$suitecrm_timestamp = '2022-08-10 12:00:00';