From 87231513614d536c224f26b1e9c0a5a35a69f8dd Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Wed, 13 Apr 2016 18:31:42 +0200
Subject: [PATCH] check for access rights on controller actions

---
 views/bootstrap/class.RoleMgr.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/views/bootstrap/class.RoleMgr.php b/views/bootstrap/class.RoleMgr.php
index 76e0ba1c1..08beeb2e1 100644
--- a/views/bootstrap/class.RoleMgr.php
+++ b/views/bootstrap/class.RoleMgr.php
@@ -111,9 +111,10 @@ $(document).ready( function() {
 	function showRoleForm($currRole) { /* {{{ */
 		$dms = $this->params['dms'];
 		$user = $this->params['user'];
+		$accessop = $this->params['accessobject'];
 		$roles = $this->params['allroles'];
 
-		if($currRole && !$currRole->isUsed()) {
+		if($currRole && !$currRole->isUsed() && $accessop->check_controller_access('RoleMgr', array('action'=>'removerole'))) {
 ?>
 			<form style="display: inline-block;" method="post" action="../op/op.RoleMgr.php" >
 				<?php echo createHiddenFieldWithKey('removerole'); ?>
@@ -160,11 +161,15 @@ $(document).ready( function() {
 			echo "</td>";
 			echo "</tr>";
 		}
+		if($currRole && $accessop->check_controller_access('RoleMgr', array('action'=>'editrole')) || !$currRole && $accessop->check_controller_access('RoleMgr', array('action'=>'addrole'))) {
 ?>
 		<tr>
 			<td></td>
 			<td><button type="submit" class="btn"><i class="icon-save"></i> <?php printMLText($currRole ? "save" : "add_role")?></button></td>
 		</tr>
+<?php
+		}
+?>
 	</table>
 	</form>
 <?php
@@ -173,6 +178,7 @@ $(document).ready( function() {
 	function show() { /* {{{ */
 		$dms = $this->params['dms'];
 		$user = $this->params['user'];
+		$accessop = $this->params['accessobject'];
 		$selrole = $this->params['selrole'];
 		$roles = $this->params['allroles'];
 
@@ -189,7 +195,9 @@ $(document).ready( function() {
 <?php echo getMLText("selection")?>:
 <select class="chzn-select" id="selector">
 <option value="-1"><?php echo getMLText("choose_role")?>
+<?php if($accessop->check_controller_access('RoleMgr', array('action'=>'addrole'))) { ?>
 <option value="0"><?php echo getMLText("add_role")?>
+<?php } ?>
 <?php
 		foreach ($roles as $currRole) {
 			print "<option value=\"".$currRole->getID()."\" ".($selrole && $currRole->getID()==$selrole->getID() ? 'selected' : '').">" . htmlspecialchars($currRole->getName());