diff --git a/app/access_controls/access_control_edit.php b/app/access_controls/access_control_edit.php
index 6e028545dd..f9327b3358 100644
--- a/app/access_controls/access_control_edit.php
+++ b/app/access_controls/access_control_edit.php
@@ -26,10 +26,7 @@
 require_once "resources/check_auth.php";
 //check permissions
- if (permission_exists('access_control_add') || permission_exists('access_control_edit')) {
- //access granted
- }
- else {
+ if (!permission_exists('access_control_view')) {
 echo "access denied";
 exit;
 }
@@ -63,6 +60,12 @@
 //process the user data and save it to the database
 if (count($_POST) > 0 && empty($_POST["persistformvar"])) {
+ //check permissions
+ if (!permission_exists('access_control_add') || !permission_exists('access_control_edit')) {
+ echo "access denied";
+ exit;
+ }
+
 //enforce valid data
 if ($access_control_name == 'providers' || $access_control_name == 'domains') {
 $access_control_default = 'deny';
@@ -334,7 +337,9 @@
 echo button::create(['type'=>'button','label'=>$text['button-delete'],'icon'=>$settings->get('theme', 'button_icon_delete'),'id'=>'btn_delete','name'=>'btn_delete','style'=>'display: none; margin-right: 15px;','onclick'=>"modal_open('modal-delete','btn_delete');"]);
 }
 }
- echo button::create(['type'=>'submit','label'=>$text['button-save'],'icon'=>$settings->get('theme', 'button_icon_save'),'id'=>'btn_save','collapse'=>'hide-xs']);
+ if (permission_exists('access_control_add') || permission_exists('access_control_edit')) {
+ echo button::create(['type'=>'submit','label'=>$text['button-save'],'icon'=>$settings->get('theme', 'button_icon_save'),'id'=>'btn_save','collapse'=>'hide-xs']);
+ }
 echo " \n";
 echo "
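Review bot: The permission gate added at the top of the POST block in the @@ -63 hunk denies unless the user holds both `access_control_add` and `access_control_edit`, because `!A || !B` is true whenever either one is missing; the page gate this commit replaces and the Save-button condition in the @@ -334 hunk both use `add || edit`, so a user with only `access_control_edit` is shown the button and then gets "access denied" on submit. The negation of `A || B` is `!A && !B`, so the line should read `if (!permission_exists('access_control_add') && !permission_exists('access_control_edit')) {`. If the page distinguishes creating a record from updating one (that logic is outside the hunk, so it cannot be confirmed here), a tighter check would require only the permission that matches the current action. As written the check fails closed, so this is a functional regression rather than an authorization bypass.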
\n"; echo "\n";
@@ -485,4 +490,4 @@
 //include the footer
 require_once "resources/footer.php";
-?>
+?>
\ No newline at end of file
diff --git a/app/access_controls/access_controls.php b/app/access_controls/access_controls.php
index fdd1425773..faf6cab642 100644
--- a/app/access_controls/access_controls.php
+++ b/app/access_controls/access_controls.php
@@ -212,7 +212,7 @@
 $x = 0;
 foreach ($access_controls as $row) {
 $list_row_url = '';
- if (permission_exists('access_control_edit')) {
+ if (permission_exists('access_control_view')) {
 $list_row_url = "access_control_edit.php?id=".urlencode($row['access_control_uuid']);
 if ($row['domain_uuid'] != $_SESSION['domain_uuid'] && permission_exists('domain_select')) {
 $list_row_url .= '&domain_uuid='.urlencode($row['domain_uuid']).'&domain_change=true';
@@ -258,4 +258,3 @@
 require_once "resources/footer.php";
 ?>
-
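Review bot: Hiding the Save button in the @@ -334 hunk is presentation only; the form inputs rendered before this hunk presumably stay editable for a user who holds only `access_control_view`, so the page looks editable but cannot be saved. Because the authorization decision is made server-side in the POST block, this is a usability point rather than a security one, but it is worth rendering the inputs read-only (or disabled) when neither `access_control_add` nor `access_control_edit` is held, and marking the intent at the button with a comment such as `//the POST handler enforces the permission; this only hides the button`. The enclosing form output starts outside the hunk.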