From 491b48f9f9d745fa102533fd10e8d785b08951c7 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Fri, 18 Aug 2023 16:58:29 -0400
Subject: [PATCH] Only allow execute if you have EditEvents permission

---
 web/skins/classic/views/js/filter.js | 54 ++++++++++++++++------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/web/skins/classic/views/js/filter.js b/web/skins/classic/views/js/filter.js
index 2c524ced6f..2895180d6d 100644
--- a/web/skins/classic/views/js/filter.js
+++ b/web/skins/classic/views/js/filter.js
@@ -74,29 +74,39 @@ function updateButtons(element) {
   const form = element.form;
 
   let canExecute = false;
-  if ( form.elements['filter[AutoArchive]'] && form.elements['filter[AutoArchive]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoUnarchive]'] && form.elements['filter[AutoUnarchive]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoCopy]'] && form.elements['filter[AutoCopy]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoMove]'] && form.elements['filter[AutoMove]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoVideo]'] && form.elements['filter[AutoVideo]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoUpload]'] && form.elements['filter[AutoUpload]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoEmail]'] && form.elements['filter[AutoEmail]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoMessage]'] && form.elements['filter[AutoMessage]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoExecute]'].checked && form.elements['filter[AutoExecuteCmd]'].value != '' ) {
-    canExecute = true;
-  } else if ( form.elements['filter[AutoDelete]'].checked ) {
-    canExecute = true;
-  } else if ( form.elements['filter[UpdateDiskSpace]'].checked ) {
-    canExecute = true;
+    // If you can't edit events, then you cannot perform actions on them via filter
+  if (canEdit['Events']) {
+    if (
+      (form.elements['filter[AutoArchive]'] && form.elements['filter[AutoArchive]'].checked)
+      ||
+      (form.elements['filter[AutoUnarchive]'] && form.elements['filter[AutoUnarchive]'].checked)
+      ||
+      (form.elements['filter[AutoCopy]'] && form.elements['filter[AutoCopy]'].checked)
+      ||
+      (form.elements['filter[AutoMove]'] && form.elements['filter[AutoMove]'].checked)
+      ||
+      (form.elements['filter[AutoVideo]'] && form.elements['filter[AutoVideo]'].checked)
+      ||
+      (form.elements['filter[AutoExecute]'].checked && form.elements['filter[AutoExecuteCmd]'].value != '')
+      ||
+      (form.elements['filter[AutoDelete]'].checked)
+      ||
+      (form.elements['filter[UpdateDiskSpace]'].checked)
+    ) {
+      canExecute = true;
+    }
+  } else if (canView['Events']) {
+    if (
+      (form.elements['filter[AutoUpload]'] && form.elements['filter[AutoUpload]'].checked)
+      ||
+      (form.elements['filter[AutoEmail]'] && form.elements['filter[AutoEmail]'].checked)
+      ||
+      (form.elements['filter[AutoMessage]'] && form.elements['filter[AutoMessage]'].checked)
+    ) {
+      canExecute = true;
+    }
   }
+
   document.getElementById('executeButton').disabled = !canExecute;
   // Anyone can create a filter, only canEdit:System or the owner of the filter can edit/delete it.
   const canWeEdit = (canEdit['System'] || (user.Id == filter.UserId) || !filter.Id);