From 32e84ec59a8fc274ba5e946512b3b204d00f0b07 Mon Sep 17 00:00:00 2001
From: jamesorose <james.o.rose@gmail.com>
Date: Wed, 25 Mar 2026 08:43:53 -0500
Subject: [PATCH] Update music_on_hold.php (#7805)

* Update music_on_hold.php

The music on hold app doesn't follow the proper permissions (like the rest of FusionPBX). I've fixed it so that you can set this up such that someone with only music_on_hold_domain sees just that. Prior, it didn't matter what was selected (music_on_hold_domain or music_on_hold_all) , if you had any access you could change/delete the default MOH.

In my use case, I have a client that hired an outside firm to do their MOH, and they are want access to upload new files. Now you can limit what they can see with a new permissions/menu role.
---
 app/music_on_hold/music_on_hold.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/music_on_hold/music_on_hold.php b/app/music_on_hold/music_on_hold.php
index 9d48d59f2..4f79e3647 100644
--- a/app/music_on_hold/music_on_hold.php
+++ b/app/music_on_hold/music_on_hold.php
@@ -46,12 +46,13 @@
 //get the music_on_hold array
 	$sql = "select * from v_music_on_hold ";
 	$sql .= "where true ";
-	if ($show != "all" || !permission_exists('music_on_hold_all')) {
+	if ( permission_exists('music_on_hold_all')) {
 		$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
 		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
 	}
-	if (permission_exists('music_on_hold_domain')) {
-		$sql .= "or domain_uuid is null ";
+	elseif (permission_exists('music_on_hold_domain')) {
+		$sql .= "and domain_uuid = :domain_uuid ";
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
 	}
 	$sql .= "order by domain_uuid desc, music_on_hold_name asc, music_on_hold_rate asc";
 	$streams = $database->select($sql, $parameters ?? null, 'all');