CRM-16512 - Fix permission checks on self

author Coleman Watts <coleman@civicrm.org>

Tue, 16 Jun 2015 15:03:16 +0000 (11:03 -0400)

committer Coleman Watts <coleman@civicrm.org>

Tue, 16 Jun 2015 15:13:17 +0000 (11:13 -0400)
author Coleman Watts <coleman@civicrm.org>
Tue, 16 Jun 2015 15:03:16 +0000 (11:03 -0400)
committer Coleman Watts <coleman@civicrm.org>
Tue, 16 Jun 2015 15:13:17 +0000 (11:13 -0400)
diff --git a/CRM/ACL/API.php b/CRM/ACL/API.php

index f3681b3fa8702eb91c056b0150f1f95fd82cb7d1..56d9b7e0da7c6d618a76ab92c0bc7958648de1f9 100644 (file)
--- a/CRM/ACL/API.php
+++ b/CRM/ACL/API.php
@@ -120,15 +120,23 @@ class CRM_ACL_API {
        return $skipDeleteClause ? ' ( 1 ) ' : $deleteClause;
      }
  
+    $user = CRM_Core_Session::getLoggedInContactID();
      if ($contactID == NULL) {
-      $session = CRM_Core_Session::singleton();
-      $contactID = $session->get('userID');
+      $contactID = $user;
      }
  
      if (!$contactID) {
        // anonymous user
        $contactID = 0;
      }
+    // Check if contact has permissions on self
+    elseif ($contactID == $user) {
+      if (CRM_Core_Permission::check('edit my contact') ||
+        ($type == self::VIEW && CRM_Core_Permission::check('view my contact'))
+      ) {
+        return ' ( 1 ) ';
+      }
+    }
  
      return implode(' AND ',
        array(
author	Coleman Watts <coleman@civicrm.org>
	Tue, 16 Jun 2015 15:03:16 +0000 (11:03 -0400)
committer	Coleman Watts <coleman@civicrm.org>
	Tue, 16 Jun 2015 15:13:17 +0000 (11:13 -0400)