by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.


#95 - EmailTemplate dropdown in EmailMarketing module

Closed | Bug? | created by kevin (Verified Purchase) | 9 years ago

We found that there is missing SecuritySuite protection of the list of email templates available to users in the drop-down box labeled "Email Templates:" in the Email Marketing module. Users are able to select all Email Templates, even if we've tried to protect the Email Templates with SecuritySuite. We patched it on our own installation, but we'd like to see a proper patch added to an upcoming version.

Below we're including the patch file we used. We'd also appreciate any feedback on this solution.

Thank you! KTSI

diff -c modules/EmailMarketing/EditView.php custom/modules/EmailMarketing/EditView.php *** modules/EmailMarketing/EditView.php 2013-03-28 01:27:08.679449492 -0400 --- custom/modules/EmailMarketing/EditView.php 2013-03-28 21:57:00.461443092 -0400


*** 121,127 **** $xtpl->assign("TIME_START", $time_start); $xtpl->assign("TIME_FORMAT", '('. $timedate->get_user_time_format().')');

! $email_templates_arr = get_bean_select_array(true, 'EmailTemplate','name',"(type IS NULL OR type='' OR type='campaign')",'name'); if($focus->template_id) { $xtpl->assign("TEMPLATE_ID", $focus->template_id); $xtpl->assign("EMAIL_TEMPLATE_OPTIONS", get_select_options_with_id($email_templates_arr, $focus->template_id)); --- 121,156 ---- $xtpl->assign("TIME_START", $time_start); $xtpl->assign("TIME_FORMAT", '('. $timedate->get_user_time_format().')');

! $where = "(type IS NULL OR type='' OR type='campaign')"; ! ! /* BEGIN - SECURITY GROUPS / ! global $beanFiles; ! require_once($beanFiles['EmailTemplate']); ! $email_templates_bean = new EmailTemplate(); ! ! if($email_templates_bean->bean_implements('ACL') && ACLController::requireSecurityGroup($email_templates_bean->module_dir, 'list') ) ! { ! require_once('modules/SecurityGroups/SecurityGroup.php'); ! $owner_where = " email_templates.created_by ='$current_user->id' "; ! $group_where = SecurityGroup::getGroupWhere($email_templates_bean->table_name,$email_templates_bean->module_dir,$current_user->id); ! ! if(!empty($owner_where)){ ! if(empty($where)) ! { ! $where = " (". $owner_where." or ".$group_where.") "; ! } else { ! $where .= " AND (". $owner_where." or ".$group_where.") "; ! } ! } else { ! $where .= ' AND '. $group_where; ! } ! ! } ! / END - SECURITY GROUPS */ ! ! ! $email_templates_arr = get_bean_select_array(true, 'EmailTemplate','name',$where,'name'); ! if($focus->template_id) { $xtpl->assign("TEMPLATE_ID", $focus->template_id); $xtpl->assign("EMAIL_TEMPLATE_OPTIONS", get_select_options_with_id($email_templates_arr, $focus->template_id));
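Review bot: in the second hunk the `else { $where .= ' AND '. $group_where; }` branch and the inner `if(empty($where))` branch are unreachable, because `$owner_where` is assigned a non-empty string literal two lines earlier and `$where` is already set to the type filter at the top of the hunk; either drop the dead branches or build `$owner_where` conditionally so the control flow matches its structure. Two things to confirm before upstreaming: as pasted, the delimiters read `/* BEGIN - SECURITY GROUPS /` and `/ END - SECURITY GROUPS */`, which would turn the whole block into one comment and silently leave the template list unfiltered, so make sure the `*` characters were only lost in the paste; and `$current_user->id` is interpolated straight into `$owner_where`, so pass it through the DB layer's quoting (e.g. `$GLOBALS['db']->quote(...)`) for consistency with how the rest of the query is built. The hunk also adds `global $beanFiles;` but not `global $current_user;`, so check that `$current_user` is actually in scope at this point in EditView.php.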

  1. eggsurplus (Provider Affiliate), 9 years ago:

    Thanks Kevin! I'll probably get that included upstream in the get_bean_select_array function to catch other possible areas.

  2. eggsurplus (Provider Affiliate), 9 years ago:

    Included in 6.5.12 by adding logic to include/utils.php->get_bean_select_array().
