From ceb7d6591348d7573227717fd4a36942d2625a69 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Mon, 5 Feb 2018 10:31:07 +0100
Subject: [PATCH] add additional view access checks

DocumentAccess, UsrView, GroupView, ReviewSummary, ApprovalSummary, WorkflowSummary, ReceiptSummary
---
 views/bootstrap/class.Bootstrap.php | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 8dc0db5f7..8f9abfa8b 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -630,7 +630,8 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 		}
 		if ($accessMode == M_ALL) {
 			$menuitems['rm_document'] = array('link'=>"../out/out.RemoveDocument".$docid, 'label'=>'rm_document');
-			$menuitems['edit_document_access'] = array('link'=>"../out/out.DocumentAccess". $docid, 'label'=>'edit_document_access');
+			if ($this->check_access('DocumentAccess'))
+				$menuitems['edit_document_access'] = array('link'=>"../out/out.DocumentAccess". $docid, 'label'=>'edit_document_access');
 		}
 		if ($accessMode >= M_READ && !$this->params['user']->isGuest()) {
 			$menuitems['edit_existing_notify'] = array('link'=>"../out/out.DocumentNotify". $docid, 'label'=>'edit_existing_notify');
@@ -679,8 +680,10 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 		echo "<li><a href=\"../out/out.Setup2Factor.php\">".getMLText("2_factor_auth")."</a></li>\n";
 
 		if ($this->params['enableusersview']){
-			echo "<li><a href=\"../out/out.UsrView.php\">".getMLText("users")."</a></li>\n";
-			echo "<li><a href=\"../out/out.GroupView.php\">".getMLText("groups")."</a></li>\n";
+			if ($this->check_access('UsrView'))
+				echo "<li><a href=\"../out/out.UsrView.php\">".getMLText("users")."</a></li>\n";
+			if ($this->check_access('GroupView'))
+				echo "<li><a href=\"../out/out.GroupView.php\">".getMLText("groups")."</a></li>\n";
 		}		
 		echo "</ul>\n";
 		echo "</div>\n";
@@ -697,12 +700,16 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 //		echo "<li><a href=\"../out/out.MyDocuments.php\">".getMLText("all_documents")."</a></li>\n";
 		if($this->params['workflowmode'] == 'traditional' || $this->params['workflowmode'] == 'traditional_only_approval') {
 			if($this->params['workflowmode'] == 'traditional')
-				echo "<li><a href=\"../out/out.ReviewSummary.php\">".getMLText("review_summary")."</a></li>\n";
-			echo "<li><a href=\"../out/out.ApprovalSummary.php\">".getMLText("approval_summary")."</a></li>\n";
+				if ($this->check_access('ReviewSummary'))
+					echo "<li><a href=\"../out/out.ReviewSummary.php\">".getMLText("review_summary")."</a></li>\n";
+			if ($this->check_access('ApprovalSummary'))
+				echo "<li><a href=\"../out/out.ApprovalSummary.php\">".getMLText("approval_summary")."</a></li>\n";
 		} else {
-			echo "<li><a href=\"../out/out.WorkflowSummary.php\">".getMLText("workflow_summary")."</a></li>\n";
+			if ($this->check_access('WorkflowSummary'))
+				echo "<li><a href=\"../out/out.WorkflowSummary.php\">".getMLText("workflow_summary")."</a></li>\n";
 		}
-		echo "<li><a href=\"../out/out.ReceiptSummary.php\">".getMLText("receipt_summary")."</a></li>\n";
+		if ($this->check_access('ReceiptSummary'))
+			echo "<li><a href=\"../out/out.ReceiptSummary.php\">".getMLText("receipt_summary")."</a></li>\n";
 		echo "</ul>\n";
 		echo "</div>\n";
 		return;