From c7ae3b3a63647065710b5254b0ce52642c823aff Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Fri, 13 Oct 2023 14:25:02 -0600
Subject: [PATCH] [SECURITY] Prevent showing Missed and Recent Calls to users that are not in xml_cdr_domain group and not assigned any extensions.
---
 .../resources/dashboard/missed_calls.php | 27 ++++++++------
 .../resources/dashboard/recent_calls.php | 35 +++++++++++--------
 2 files changed, 36 insertions(+), 26 deletions(-)
diff --git a/app/xml_cdr/resources/dashboard/missed_calls.php b/app/xml_cdr/resources/dashboard/missed_calls.php
index c56e37f2db..c418081994 100644
--- a/app/xml_cdr/resources/dashboard/missed_calls.php
+++ b/app/xml_cdr/resources/dashboard/missed_calls.php
@@ -45,19 +45,24 @@
 $sql .= " ) \n";
 $sql .= " and (missed_call = true or bridge_uuid is null) ";
 $sql .= " and hangup_cause <> 'LOSE_RACE' ";
- if (!empty($assigned_extensions)) {
- $x = 0;
- foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
- $sql_where_array[] = "extension_uuid = :assigned_extension_uuid_".$x;
- $sql_where_array[] = "destination_number = :destination_number_".$x;
- $parameters['assigned_extension_uuid_'.$x] = $assigned_extension_uuid;
- $parameters['destination_number_'.$x] = $assigned_extension;
- $x++;
+ if (!permission_exists('xml_cdr_domain')) {
+ if (!empty($assigned_extensions)) {
+ $x = 0;
+ foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
+ $sql_where_array[] = "extension_uuid = :assigned_extension_uuid_".$x;
+ $sql_where_array[] = "destination_number = :destination_number_".$x;
+ $parameters['assigned_extension_uuid_'.$x] = $assigned_extension_uuid;
+ $parameters['destination_number_'.$x] = $assigned_extension;
+ $x++;
+ }
+ if (!empty($sql_where_array)) {
+ $sql .= "and (".implode(' or ', $sql_where_array).") \n";
+ }
+ unset($sql_where_array);
 }
- if (!empty($sql_where_array)) {
- $sql .= "and (".implode(' or ', $sql_where_array).") \n";
+ else {
+ $sql .= "and false \n";
 }
- unset($sql_where_array);
 }
 $sql .= "and start_epoch > ".(time() - 86400)." \n";
 $sql .= "order by \n";
diff --git a/app/xml_cdr/resources/dashboard/recent_calls.php b/app/xml_cdr/resources/dashboard/recent_calls.php
index a3a041e6b8..a884afabcb 100644
--- a/app/xml_cdr/resources/dashboard/recent_calls.php
+++ b/app/xml_cdr/resources/dashboard/recent_calls.php
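Review bot: The new fail-closed `else` branch carries no comment explaining why a query that is known to return nothing is still assembled, and nothing in the hunk prevents it from being executed for a user who has neither `xml_cdr_domain` nor any assigned extension. Add `// No xml_cdr_domain permission and no assigned extensions: fail closed and return no rows` above `else {` so the intent survives the next edit, and consider skipping the query entirely in that branch (an early exit or a flag checked before execution) rather than relying on `and false`; the `$sql` assembly begins before this hunk and its execution lies after it, so I cannot see whether an early exit is straightforward here. The same permission gate and extension filter are duplicated almost verbatim in the recent_calls.php hunk below with only the column list differing; a shared helper in the xml_cdr app that returns the predicate fragment plus its parameters would keep the two gates from drifting apart. The inner `if (!empty($sql_where_array))` is always true once the `foreach` has run over a non-empty `$assigned_extensions`, so it can be dropped or kept only as a defensive guard with a comment saying so.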
@@ -44,23 +44,28 @@ v_xml_cdr
 where domain_uuid = :domain_uuid
 ";
- if (!empty($assigned_extensions)) {
- $x = 0;
- foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
- $sql_where_array[] = "extension_uuid = :extension_uuid_".$x;
- $sql_where_array[] = "caller_id_number = :caller_id_number_".$x;
- $sql_where_array[] = "destination_number = :destination_number_1_".$x;
- $sql_where_array[] = "destination_number = :destination_number_2_".$x;
- $parameters['extension_uuid_'.$x] = $assigned_extension_uuid;
- $parameters['caller_id_number_'.$x] = $assigned_extension;
- $parameters['destination_number_1_'.$x] = $assigned_extension;
- $parameters['destination_number_2_'.$x] = '*99'.$assigned_extension;
- $x++;
+ if (!permission_exists('xml_cdr_domain')) {
+ if (!empty($assigned_extensions)) {
+ $x = 0;
+ foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
+ $sql_where_array[] = "extension_uuid = :extension_uuid_".$x;
+ $sql_where_array[] = "caller_id_number = :caller_id_number_".$x;
+ $sql_where_array[] = "destination_number = :destination_number_1_".$x;
+ $sql_where_array[] = "destination_number = :destination_number_2_".$x;
+ $parameters['extension_uuid_'.$x] = $assigned_extension_uuid;
+ $parameters['caller_id_number_'.$x] = $assigned_extension;
+ $parameters['destination_number_1_'.$x] = $assigned_extension;
+ $parameters['destination_number_2_'.$x] = '*99'.$assigned_extension;
+ $x++;
+ }
+ if (!empty($sql_where_array)) {
+ $sql .= "and (".implode(' or ', $sql_where_array).") ";
+ }
+ unset($sql_where_array);
 }
- if (!empty($sql_where_array)) {
- $sql .= "and (".implode(' or ', $sql_where_array).") ";
+ else {
+ $sql .= "and false \n";
 }
- unset($sql_where_array);
 }
 $sql .= " and start_epoch > ".(time() - 86400)."