Merge commit '1ebbf8bfc16f4' into 4.5-missing-prs

[civicrm-core.git] / CRM / Contact / Page / AJAX.php

diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index 11a3202147deddf92f5311c60ef3e1028a6c42f1..a1b4f10eb0537adc988554bb3a5b1801f4c92623 100644 (file)
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -1071,6 +1071,10 @@ LIMIT {$offset}, {$rowCount}
     $contactID = CRM_Utils_Type::escape($_GET['cid'], 'Integer');
     $context = CRM_Utils_Type::escape($_GET['context'], 'String');
 
+    if (!CRM_Contact_BAO_Contact_Permission::allow($contactID)) {
+      return CRM_Utils_System::permissionDenied();
+    }
+
     $sortMapper = array(
       0 => 'relation',
       1 => 'sort_name',