From a3ea05177ac7486df310b1bdff880edbcb5b4fc7 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Tue, 4 Feb 2025 08:27:05 +0100 Subject: [PATCH] controll access on batch operations by advanced access rights --- views/bootstrap/class.Search.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php index b37d9e897..fe52a077b 100644 --- a/views/bootstrap/class.Search.php +++ b/views/bootstrap/class.Search.php @@ -1473,8 +1473,8 @@ $(document).ready(function() { /* Batch operations {{{ */ if($settings->_batchOperations && $total) $this->contentHeading(getMLText('batch_operation')); - if($totaldocs || $totalfolders) { - if(in_array('export', $settings->_batchOperations)) { + if(($totaldocs || $totalfolders) && in_array('export', $settings->_batchOperations)) { + if($accessobject->check_view_access($this, array('action'=>'export'))) { ob_start(); $this->formField( getMLText("include_content"), @@ -1496,6 +1496,7 @@ $(document).ready(function() { /* All other batch operations are only allowed for admins */ if($user->isAdmin()) { if($total && in_array('change_owner', $settings->_batchOperations)) { + if($accessobject->check_view_access($this, array('action'=>'change_owner'))) { ob_start(); $users = $dms->getAllUsers(); $options = array(); @@ -1521,8 +1522,10 @@ $(document).ready(function() { $content = ob_get_clean(); $this->printAccordion(getMLText('batch_change_owner'), $content); } + } if($totaldocs && in_array('add_reviewer', $settings->_batchOperations)) { + if($accessobject->check_view_access($this, array('action'=>'add_reviewer'))) { ob_start(); $users = $dms->getAllUsers(); $options = array(); 
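Review bot: The new `check_view_access()` guard around the export form in the first hunk only controls whether the accordion is rendered, so on its own it is not an authorization decision for the batch action. The code that processes the submitted batch request is not part of this patch; it should enforce the matching right server-side, because hiding a form does not stop the request from being sent. The same applies to the `change_owner`, `add_reviewer`, `add_approver` and `change_category` guards in the later hunks. A short comment above the first guard would record this, e.g. `/* view-level check only hides the form; the batch operation handler must enforce the same right */`. `$accessobject` is not defined within the hunk, so its initialisation could not be checked here.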
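Review bot: The retained comment `/* All other batch operations are only allowed for admins */` and the enclosing `if($user->isAdmin())` mean the added `change_owner` check can only withhold the form from an administrator; it never makes the form available to a non-admin who holds the right. If that narrowing is intended, the comment should say so, for example `/* All other batch operations require an admin who also has view access to the action */`. If advanced access rights are meant to decide on their own, the `isAdmin()` wrapper needs revisiting. The block it opens closes outside this hunk.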
@@ -1547,8 +1550,10 @@ $(document).ready(function() { $content = ob_get_clean(); $this->printAccordion(getMLText('batch_add_reviewer'), $content); } + } if($totaldocs && in_array('add_approver', $settings->_batchOperations)) { + if($accessobject->check_view_access($this, array('action'=>'add_approver'))) { ob_start(); $users = $dms->getAllUsers(); $options = array(); @@ -1573,8 +1578,10 @@ $(document).ready(function() { $content = ob_get_clean(); $this->printAccordion(getMLText('batch_add_approver'), $content); } + } if($totaldocs && in_array('change_category', $settings->_batchOperations)) { + if($accessobject->check_view_access($this, array('action'=>'change_category'))) { ob_start(); $cats = $dms->getDocumentCategories(); if($cats) { @@ -1611,6 +1618,7 @@ $(document).ready(function() { $this->printAccordion(getMLText('batch_change_category'), $content); } } + } } // }}}
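Review bot: Each new guard is added as an extra nested `if` with its own closing `}`, while the wrapped body keeps its old indentation (the body lines are unchanged context). That makes the block scope of access-control code harder to read than it needs to be. Folding the check into the existing condition avoids the extra nesting and the additional brace: `if($totaldocs && in_array('add_approver', $settings->_batchOperations) && $accessobject->check_view_access($this, array('action'=>'add_approver'))) {`. The same shape would fit the `change_owner`, `add_reviewer` and `change_category` blocks in the neighbouring hunks.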