From 252571bd197ca7b6df6cbdc22e58327bbbdf0071 Mon Sep 17 00:00:00 2001
From: Mark Crane <markjcrane@gmail.com>
Date: Mon, 26 Aug 2013 23:18:01 +0000
Subject: [PATCH] Improve the security on when adding inbound dialplans.

---
 app/dialplan_inbound/dialplan_inbound_add.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/dialplan_inbound/dialplan_inbound_add.php b/app/dialplan_inbound/dialplan_inbound_add.php
index 3b5761718a..9776afca66 100644
--- a/app/dialplan_inbound/dialplan_inbound_add.php
+++ b/app/dialplan_inbound/dialplan_inbound_add.php
@@ -678,7 +678,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "</td>\n";
 	echo "</tr>\n";
 
-	if (permission_exists("inbound_route_edit") && $action == "advanced") {
+	if (permission_exists("inbound_route_edit") && $action == "advanced" && if_group("superadmin")) {
 		echo "<tr>\n";
 		echo "<td class='vncellreq' valign='top' align='left' nowrap>\n";
 		echo "	".$text['label-condition_1'].":\n";
@@ -974,9 +974,11 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<tr>\n";
 	echo "	<td colspan='5' align='right'>\n";
 	if ($action == "update") {
-		echo "			<input type='hidden' name='dialplan_uuid' value='$dialplan_uuid'>\n";
+		if ($action == "update" && if_group("superadmin")) {
+			echo "			<input type='hidden' name='dialplan_uuid' value='$dialplan_uuid'>\n";
+		}
+		echo "			<input type='submit' class='btn' value='".$text['button-save']."'>\n";
 	}
-	echo "			<input type='submit' name='submit' class='btn' value='".$text['button-save']."'>\n";
 	echo "	</td>\n";
 	echo "</tr>";