From dfa62acb6f3e5ef3fe20eb810e08091174b40b74 Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Tue, 6 Nov 2018 15:29:10 +0100
Subject: [PATCH] Fixed issue #14216: Users without rights to delete tokens can still delete them

Dev: disable action , hide button come after
Dev: deleteToken must use POST : db update => must be post
---
 application/controllers/admin/tokens.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
index 3358423a756..63d6ab73594 100644
--- a/application/controllers/admin/tokens.php
+++ b/application/controllers/admin/tokens.php
@@ -241,9 +241,11 @@ public function bounceprocessing($iSurveyId)
      */
     public function deleteMultiple()
     {
-        // TODO: permission checks
         $aTokenIds = json_decode(Yii::app()->getRequest()->getPost('sItems'));
         $iSid = Yii::app()->getRequest()->getPost('sid');
+        if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {
+            throw new CHttpException(403, gT("You do not have permission to access this page."));
+        }
         TokenDynamic::model($iSid)->deleteRecords($aTokenIds);
         return true;
     }
@@ -253,9 +255,11 @@ public function deleteMultiple()
      */
     public function deleteToken()
     {
-        // TODO: permission checks
         $aTokenId = Yii::app()->getRequest()->getParam('sItem');
         $iSid = Yii::app()->getRequest()->getParam('sid');
+        if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {
+            throw new CHttpException(403, gT("You do not have permission to access this page."));
+        }
         TokenDynamic::model($iSid)->deleteRecords(array($aTokenId));
         return true;
     }
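Review bot: In deleteMultiple() the new permission check is passed a raw `sid` POST value and the `sItems` payload is never validated, so a missing or malformed `sItems` leaves `$aTokenIds` as null (or a non-array) when it reaches `deleteRecords()`; what that helper does with such input is outside the hunk. Since both values come straight from the request, cast the survey id and reject a bad token list before any database work: `$iSid = (int) Yii::app()->getRequest()->getPost('sid');` and `if (!is_array($aTokenIds)) { throw new CHttpException(400, gT("Invalid token list.")); }` (the message text is a constructed placeholder). The same untyped `$iSid` is used in deleteToken() in the second hunk.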
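Review bot: deleteToken() still reads `sItem` and `sid` with `getParam()`, which accepts GET as well as POST, so even with the new 403 check a state-changing delete remains reachable through a plain link; the commit message itself notes the action must be POST-only, but the hunk does not make that change. Mirror deleteMultiple() and read both values with `getPost()`: `$aTokenId = Yii::app()->getRequest()->getPost('sItem');` and `$iSid = Yii::app()->getRequest()->getPost('sid');`, optionally rejecting non-POST requests up front with `if (!Yii::app()->getRequest()->getIsPostRequest()) { throw new CHttpException(405); }`. Whether Yii's CSRF validation is enabled for this controller cannot be seen from the hunk and is worth confirming alongside this.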