From b3cc272941e9316cea36c216de88b4ba6bde40be Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Mon, 25 Nov 2019 09:33:13 +0100
Subject: [PATCH] check access

---
 op/op.LockDocument.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/op/op.LockDocument.php b/op/op.LockDocument.php
index a72b873fa..b4937e706 100644
--- a/op/op.LockDocument.php
+++ b/op/op.LockDocument.php
@@ -40,6 +40,11 @@ if (!is_object($document)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('LockDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 $folder = $document->getFolder();
 $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>";