From e272d26f300a49e0d8299435f0c969fc8f7a8213 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 5 Sep 2016 10:05:16 +0200
Subject: [PATCH] add access check
---
 out/out.WorkflowGraph.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/out/out.WorkflowGraph.php b/out/out.WorkflowGraph.php
index 47362bdca..e03c0a9ac 100644
--- a/out/out.WorkflowGraph.php
+++ b/out/out.WorkflowGraph.php
@@ -27,6 +27,13 @@
 include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_view_access($view, $_GET)) {
+ UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
+
 $workflow = $dms->getWorkflow($_GET['workflow']);
 if (is_bool($workflow)) {
 UI::exitError(getMLText("admin_tools"),getMLText("internal_error"));
@@ -50,12 +57,11 @@ if(isset($_GET['transitions']) && $_GET['transitions']) {
 }
 }
-$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
-$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
 if($view) {
 $view->setParam('workflow', $workflow);
 $view->setParam('transitions', $transitions);
 $view->setParam('document', $document);
+ $view->setParam('accessobject', $accessop);
 $view($_GET);
 exit;
 }
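Review bot: The new check calls `$accessop->check_view_access($view, $_GET)` before anything confirms `$view` is a usable view object, even though the `if($view)` guard kept in the second hunk shows `UI::factory` can return a false-y value; what `check_view_access` does with a non-object first argument is not visible here, so the safe order is to fail closed first. Add `if (!$view) { UI::exitError(getMLText("admin_tools"),getMLText("internal_error")); }` between the `UI::factory` call and the `new SeedDMS_AccessOperation(...)` line, so the access decision is only ever made against a real view. The context line `$dms->getWorkflow($_GET['workflow'])` still reads the parameter without an `isset` check, which emits a notice on a bare request and hands the raw value straight to the lookup; a `!isset($_GET['workflow'])` guard placed after the access check would match the `isset` already used for `transitions` in the next hunk. `$settings` and `$theme` are presumably defined by the preceding includes, which are outside this hunk, so that should be confirmed rather than assumed.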