CRM-21473: Add new permission to add contact notes and prevent users without edit...

[civicrm-core.git] / CRM / Contact / Page / View / Note.php

diff --git a/CRM/Contact/Page/View/Note.php b/CRM/Contact/Page/View/Note.php
index 7eb47d4c2f55bad5e982dad8e4d4bb0898832360..9345343a73bc8862cea2276e452f5d2be8cd19d2 100644 (file)
--- a/CRM/Contact/Page/View/Note.php
+++ b/CRM/Contact/Page/View/Note.php
@@ -94,6 +94,8 @@ class CRM_Contact_Page_View_Note extends CRM_Core_Page {
     }
     $mask = CRM_Core_Action::mask($permissions);
 
+    $this->assign('canAddNotes', CRM_Core_Permission::check('add contact notes'));
+
     $values = array();
     $links = self::links();
     $action = array_sum(array_keys($links)) & $mask;
@@ -212,10 +214,27 @@ class CRM_Contact_Page_View_Note extends CRM_Core_Page {
     if ($this->_action & CRM_Core_Action::VIEW) {
       $this->view();
     }
-    elseif ($this->_action & (CRM_Core_Action::UPDATE | CRM_Core_Action::ADD)) {
+    elseif ($this->_action & CRM_Core_Action::ADD) {
+      if (
+        $this->_permission != CRM_Core_Permission::EDIT &&
+        !CRM_Core_Permission::check('add contact notes')
+        ) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to add notes.'));
+      }
+
+      $this->edit();
+    }
+    elseif ($this->_action & CRM_Core_Action::UPDATE) {
+      if ($this->_permission != CRM_Core_Permission::EDIT) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to edit this note.'));
+      }
+
       $this->edit();
     }
     elseif ($this->_action & CRM_Core_Action::DELETE) {
+      if ($this->_permission != CRM_Core_Permission::EDIT) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to delete this note.'));
+      }
       // we use the edit screen the confirm the delete
       $this->edit();
     }