[Vtigercrm-commits] [vtiger-commits] r10402 - in /vtigercrm/branches/5.0.3: Smarty/templates/SelectEmail.tpl modules/Emails/language/en_us.lang.php modules/Emails/mailSelect.php

vtigercrm-commits at vtiger.fosslabs.com vtigercrm-commits at vtiger.fosslabs.com
Fri Mar 9 06:28:14 EST 2007


Author: saraj
Date: Fri Mar  9 04:28:06 2007
New Revision: 10402

Log:
fix for security issue in Send Mail option. Fixes #3103 --Minnie.

Modified:
    vtigercrm/branches/5.0.3/Smarty/templates/SelectEmail.tpl
    vtigercrm/branches/5.0.3/modules/Emails/language/en_us.lang.php
    vtigercrm/branches/5.0.3/modules/Emails/mailSelect.php

Modified: vtigercrm/branches/5.0.3/Smarty/templates/SelectEmail.tpl
==============================================================================
--- vtigercrm/branches/5.0.3/Smarty/templates/SelectEmail.tpl (original)
+++ vtigercrm/branches/5.0.3/Smarty/templates/SelectEmail.tpl Fri Mar  9 04:28:06 2007
@@ -11,58 +11,68 @@
 -->*}
 <!-- BEGIN: main -->
 <div id="roleLay" style="z-index:12;display:block;width:400px;" class="layerPopup">
-<table border=0 cellspacing=0 cellpadding=5 width=100% class=layerHeadingULine>
-<tr>
-	<td width="90%" align="left" class="genHeaderSmall">{$MOD.SELECT_EMAIL}
-	{if $ONE_RECORD neq 'true'}
-	({$MOD.LBL_MULTIPLE} {$APP[$FROM_MODULE]})
-	{/if}
-	&nbsp;
-	</td>
-	<td width="10%" align="right"><a href="javascript:fninvsh('roleLay');"><img title="{$APP.LBL_CLOSE}" alt="{$APP.LBL_CLOSE}" src="{$IMAGE_PATH}close.gif" border="0"  align="absmiddle" /></a></td>
-</tr>
-</table>
-<table border=0 cellspacing=0 cellpadding=5 width=95% align=center> 
-<tr>
-	<td class="small">
-	<table border=0 celspacing=0 cellpadding=5 width=100% align=center bgcolor=white>
-	<tr>
-		<td align="left">
-		{if $ONE_RECORD eq 'true'}
-			<b>{$ENTITY_NAME}</b> {$MOD.LBL_MAILSELECT_INFO}.<br><br>
-		{else}
-			{$MOD.LBL_MAILSELECT_INFO1} {$APP[$FROM_MODULE]}.{$MOD.LBL_MAILSELECT_INFO2}<br><br>
-		{/if}
-			<div style="height:120px;overflow-y:auto;overflow-x:hidden;" align="center">
-			<table border="0" cellpadding="5" cellspacing="0" width="90%">
-			{foreach name=emailids key=fieldid item=elements from=$MAILINFO}
-			<tr>
-				{if $smarty.foreach.emailids.iteration eq 1}	
-					<td align="center"><input  type="checkbox" value="{$fieldid}" name="semail" /></td>
-			{else}
-					<td align="center"><input type="checkbox" value="{$fieldid}" name="semail"  /></td>
+	<table border=0 cellspacing=0 cellpadding=5 width=100% class=layerHeadingULine>
+		<tr>
+			<td width="90%" align="left" class="genHeaderSmall">{$MOD.SELECT_EMAIL}
+				{if $ONE_RECORD neq 'true'}
+				({$MOD.LBL_MULTIPLE} {$APP[$FROM_MODULE]})
 				{/if}
-				{if $ONE_RECORD eq 'true'}	
-					<td align="left"><b>{$elements.0} </b><br>{$MAILDATA[$smarty.foreach.emailids.iteration]}</td>
-				{else}
-					<td align="left"><b>{$elements.0} </b></td>
-				{/if}
-			</tr>
-			{/foreach}
+				&nbsp;
+			</td>
+			<td width="10%" align="right">
+				<a href="javascript:fninvsh('roleLay');"><img title="{$APP.LBL_CLOSE}" alt="{$APP.LBL_CLOSE}" src="{$IMAGE_PATH}close.gif" border="0"  align="absmiddle" /></a>
+			</td>
+		</tr>
+	</table>
+{if $PERMIT eq '0'}
+	<table border=0 cellspacing=0 cellpadding=5 width=95% align=center> 
+		<tr><td class="small">
+			<table border=0 cellspacing=0 cellpadding=5 width=100% align=center bgcolor=white>
+				<tr>
+					<td align="left">
+					{if $ONE_RECORD eq 'true'}
+						<b>{$ENTITY_NAME}</b> {$MOD.LBL_MAILSELECT_INFO}.<br><br>
+					{else}
+						{$MOD.LBL_MAILSELECT_INFO1} {$APP[$FROM_MODULE]}.{$MOD.LBL_MAILSELECT_INFO2}<br><br>
+					{/if}
+						<div style="height:120px;overflow-y:auto;overflow-x:hidden;" align="center">
+							<table border="0" cellpadding="5" cellspacing="0" width="90%">
+								{foreach name=emailids key=fieldid item=elements from=$MAILINFO}
+								<tr>
+									{if $smarty.foreach.emailids.iteration eq 1}	
+									<td align="center"><input type="checkbox" value="{$fieldid}" name="semail" /></td>
+									{else}
+									<td align="center"><input type="checkbox" value="{$fieldid}" name="semail"  /></td>
+									{/if}
+									{if $ONE_RECORD eq 'true'}	
+									<td align="left"><b>{$elements.0} </b><br>{$MAILDATA[$smarty.foreach.emailids.iteration]}</td>
+									{else}
+									<td align="left"><b>{$elements.0}</b></td>
+									{/if}
+								</tr>
+								{/foreach}
+							</table>
+						</div>
+					</td>	
+				</tr>
 			</table>
-			</div>
-		</td>	
-	</tr>
+		</td></tr>
 	</table>
-	</td>
-</tr>
-</table>
-<table border=0 cellspacing=0 cellpadding=5 width=100% class="layerPopupTransport">
-<tr>
-	<td align=center class="small">
-		<input type="button" name="{$APP.LBL_SELECT_BUTTON_LABEL}" value=" {$APP.LBL_SELECT_BUTTON_LABEL} " class="crmbutton small create" onClick="validate_sendmail('{$IDLIST}','{$FROM_MODULE}');"/>&nbsp;&nbsp;
-		<input type="button" name="{$APP.LBL_CANCEL_BUTTON_LABEL}" value=" {$APP.LBL_CANCEL_BUTTON_LABEL} " class="crmbutton small cancel" onclick="fninvsh('roleLay');" />
-	</td>
-</tr>
-</table>
+	<table border=0 cellspacing=0 cellpadding=5 width=100% class="layerPopupTransport">
+		<tr><td align=center class="small">
+			<input type="button" name="{$APP.LBL_SELECT_BUTTON_LABEL}" value=" {$APP.LBL_SELECT_BUTTON_LABEL} " class="crmbutton small create" onClick="validate_sendmail('{$IDLIST}','{$FROM_MODULE}');"/>&nbsp;&nbsp;
+			<input type="button" name="{$APP.LBL_CANCEL_BUTTON_LABEL}" value=" {$APP.LBL_CANCEL_BUTTON_LABEL} " class="crmbutton small cancel" onclick="fninvsh('roleLay');" />
+		</td></tr>
+	</table>
+{else}
+	<table border=0 cellspacing=0 cellpadding=5 width=95% align=center>
+                <tr><td class="small">
+			<table border=0 cellspacing=0 cellpadding=5 width=100% align=center bgcolor=white>
+                                <tr><td align="center">
+					<b>{$MOD.LBL_MAILSELECT_INFO3}</b>
+				</td></tr>
+			</table>
+		</td></tr>
+	</table>
+{/if}
 </div>
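Review bot: The `{if $PERMIT eq '0'}` branch silently depends on mailSelect.php leaving PERMIT unassigned for any return_module other than Contacts, Accounts or Leads; an unassigned variable compares unequal to '0', so such requests land in the denied `{else}` branch, which is the safe outcome but is not stated anywhere. A one-line Smarty comment above the condition would make that contract explicit: `{* PERMIT is '0' only when getFieldVisibilityPermission granted access; anything else (including unset) shows LBL_MAILSELECT_INFO3 *}`. The `{else}` branch also mixes space- and tab-indented lines (the `<tr><td class="small">` and `<tr><td align="center">` lines), unlike the tab-only indentation the rest of the rewritten block uses.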

Modified: vtigercrm/branches/5.0.3/modules/Emails/language/en_us.lang.php
==============================================================================
--- vtigercrm/branches/5.0.3/modules/Emails/language/en_us.lang.php (original)
+++ vtigercrm/branches/5.0.3/modules/Emails/language/en_us.lang.php Fri Mar  9 04:28:06 2007
@@ -163,7 +163,7 @@
 'LBL_NO_RCPTS_EMAIL_ERROR'=>'No recepients specified',
 'LBL_CONF_MAILSERVER_ERROR'=>'Please configure your outgoing mailserver under Settings ---> Outgoing Server link',
 'LBL_VTIGER_EMAIL_CLIENT'=>'vtiger Email Client',
-
+'LBL_MAILSELECT_INFO3'=>'You don\'t have permission to view email id(s) of the selected Record(s).',
 );
 
 ?>

Modified: vtigercrm/branches/5.0.3/modules/Emails/mailSelect.php
==============================================================================
--- vtigercrm/branches/5.0.3/modules/Emails/mailSelect.php (original)
+++ vtigercrm/branches/5.0.3/modules/Emails/mailSelect.php Fri Mar  9 04:28:06 2007
@@ -12,10 +12,7 @@
 require_once('include/database/PearDatabase.php');
 
 
-global $app_strings;
-global $mod_strings;
-
-global $theme;
+global $app_strings,$mod_strings,$current_user,$theme;
 $image_path = 'themes/'.$theme.'/images/';
 $idlist = $_REQUEST['idlist'];
 $pmodule=$_REQUEST['return_module'];
@@ -26,6 +23,25 @@
 	$single_record = true;
 }
 $smarty = new vtigerCRM_Smarty;
+
+$userid =  $current_user->id;
+if($pmodule == "Contacts")
+{
+	$permit = getFieldVisibilityPermission("Contacts", $userid, "email");
+}
+elseif($pmodule == "Accounts")
+{
+	$permit = getFieldVisibilityPermission("Accounts", $userid, "email1");
+}
+elseif($pmodule == "Leads")
+{
+	$permit = getFieldVisibilityPermission("Leads", $userid, "email");
+}
+if($permit == '0');
+{
+	$smarty->assign("PERMIT", $permit);
+}
+
 if ($pmodule=='Accounts')
 {
 	$querystr="select fieldid,fieldlabel,columnname,tablename from vtiger_field where tabid=6 and uitype=13;"; 
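Review bot: The stray semicolon in `if($permit == '0');` makes the braced assignment that follows unconditional, and `$permit` is never initialised when `return_module` (read straight from `$_REQUEST`) is anything other than Contacts, Accounts or Leads, so PERMIT is assigned an undefined value in that case. The template only renders addresses when PERMIT equals '0', so this happens to fail closed, but it rests on an unset variable comparing unequal to '0'; initialise it explicitly before the chain with `$permit = '1'; // anything but '0' is treated as "not visible" by SelectEmail.tpl` and replace the `if(...);` block with a bare `$smarty->assign("PERMIT", $permit);`. The email queries starting at `if ($pmodule=='Accounts')` and the rest of the script (which continues outside the hunk) still run regardless of `$permit` and presumably still hand the address data to Smarty, so the check is enforced only in the template; returning the denied view before those queries would keep the addresses out of the response data altogether. `getFieldVisibilityPermission`'s return values are not shown here; I am reading '0' as "visible" from the template's condition.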
@@ -49,7 +65,6 @@
 	$fieldid=$adb->query_result($result,$i,'fieldid');
 	$value[] =$adb->query_result($result,$i,'fieldlabel');
 	$returnvalue [$fieldid]= $value;
-	
 }
 
 if($single_record)




