add access control for EditComment and EditAttributes

op/op.EditAttributes.php

@@ -34,6 +34,11 @@ if(!checkFormKey('editattributes')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('EditAttributes', $_POST)) {
+	UI::exitError(getMLText("folder_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.EditComment.php

@@ -34,6 +34,11 @@ if(!checkFormKey('editcomment')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('EditComment', $_POST)) {
+	UI::exitError(getMLText("folder_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

out/out.EditAttributes.php

@@ -34,6 +34,9 @@ require_once("inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
 $accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_view_access($view, $_GET)) {
+	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"), false, $isajax);
+}
 
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));

views/bootstrap/class.ViewDocument.php

@@ -656,12 +656,14 @@ $(document).ready( function() {
 				if($accessobject->check_view_access('AddToTransmittal'))
 					$items[] = array('link'=>"out.AddToTransmittal.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'list', 'label'=>'add_to_transmittal');
 			}
-		if($accessobject->mayEditComment($latestContent->getDocument())) {
-			$items[] = array('link'=>"out.EditComment.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'comment', 'label'=>'edit_comment');
-		}
-		if($accessobject->mayEditAttributes($latestContent->getDocument())) {
-			$items[] = array('link'=>"out.EditAttributes.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'edit', 'label'=>'edit_attributes');
-		}
+		if($accessobject->check_view_access('EditComment'))
+			if($accessobject->mayEditComment($latestContent->getDocument())) {
+				$items[] = array('link'=>"out.EditComment.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'comment', 'label'=>'edit_comment');
+			}
+		if($accessobject->check_view_access('EditAttributes'))
+			if($accessobject->mayEditAttributes($latestContent->getDocument())) {
+				$items[] = array('link'=>"out.EditAttributes.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'edit', 'label'=>'edit_attributes');
+			}
 		if(!$islatest)
 			$items[] = array('link'=>"out.DocumentVersionDetail.php?documentid=".$latestContent->getDocument()->getId()."&version=".$latestContent->getVersion(), 'icon'=>'info', 'label'=>'details');