From 2f7d0f17957d24ff6239fd63ae92d7513f79a60f Mon Sep 17 00:00:00 2001
From: Daniel Maya <daniel.maya@artica.es>
Date: Thu, 11 Mar 2021 16:11:06 +0100
Subject: [PATCH] fixed permissions on response

---
 pandora_console/include/ajax/events.php      | 12 ++++++
 pandora_console/include/functions_events.php | 43 +++++++++++++-------
 pandora_console/operation/events/events.php  | 16 +++++++-
 3 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/pandora_console/include/ajax/events.php b/pandora_console/include/ajax/events.php
index 9476b41718..aa639d1640 100644
--- a/pandora_console/include/ajax/events.php
+++ b/pandora_console/include/ajax/events.php
@@ -1381,6 +1381,12 @@ if ($get_extended_event) {
             'EW',
             $event['clean_tags'],
             $childrens_ids
+        )) || (tags_checks_event_acl(
+            $config['id_user'],
+            $event['id_grupo'],
+            'ER',
+            $event['clean_tags'],
+            $childrens_ids
         )))
     ) {
         $tabs .= "<li><a href='#extended_event_responses_page' id='link_responses'>".html_print_image(
@@ -1444,6 +1450,12 @@ if ($get_extended_event) {
             'EW',
             $event['clean_tags'],
             $childrens_ids
+        )) || (tags_checks_event_acl(
+            $config['id_user'],
+            $event['id_grupo'],
+            'ER',
+            $event['clean_tags'],
+            $childrens_ids
         )))
     ) {
         $responses = events_page_responses($event);
diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index 543fe06a13..940a4c229f 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -3591,22 +3591,37 @@ function events_page_responses($event, $childrens_ids=[])
         );
     }
 
-    $table_responses->data[] = $data;
+    if ((tags_checks_event_acl(
+        $config['id_user'],
+        $event['id_grupo'],
+        'EM',
+        $event['clean_tags'],
+        $childrens_ids
+    )) || (tags_checks_event_acl(
+        $config['id_user'],
+        $event['id_grupo'],
+        'EW',
+        $event['clean_tags'],
+        $childrens_ids
+    ))
+    ) {
+        $table_responses->data[] = $data;
 
-    // Comments.
-    $data = [];
-    $data[0] = __('Comment');
-    $data[1] = '';
-    $data[2] = html_print_button(
-        __('Add comment'),
-        'comment_button',
-        false,
-        '$(\'#link_comments\').trigger(\'click\');',
-        'class="sub next w70p"',
-        true
-    );
+        // Comments.
+        $data = [];
+        $data[0] = __('Comment');
+        $data[1] = '';
+        $data[2] = html_print_button(
+            __('Add comment'),
+            'comment_button',
+            false,
+            '$(\'#link_comments\').trigger(\'click\');',
+            'class="sub next w70p"',
+            true
+        );
 
-    $table_responses->data[] = $data;
+        $table_responses->data[] = $data;
+    }
 
     if (tags_checks_event_acl(
         $config['id_user'],
diff --git a/pandora_console/operation/events/events.php b/pandora_console/operation/events/events.php
index b216a3fe2f..a2e37b6b05 100644
--- a/pandora_console/operation/events/events.php
+++ b/pandora_console/operation/events/events.php
@@ -1603,8 +1603,20 @@ try {
 }
 
 // Event responses.
-$sql_event_resp = "SELECT id, name FROM tevent_response WHERE type LIKE 'command'";
-$event_responses = db_get_all_rows_sql($sql_event_resp);
+if (is_user_admin($config['id_user'])) {
+    $sql_event_resp = "SELECT id, name FROM tevent_response WHERE type LIKE 'command'";
+    $event_responses = db_get_all_rows_sql($sql_event_resp);
+} else {
+    $id_groups = array_keys(users_get_groups(false, 'EW'));
+    $event_responses = db_get_all_rows_filter(
+        'tevent_response',
+        [
+            'id_group' => $id_groups,
+            'type'     => 'command',
+        ]
+    );
+}
+
 
 if ($config['event_replication'] != 1) {
     if ($event_w && !$readonly) {