CRM-10551: Only allow logged in users to remove information
authorJKingsnorth <john@johnkingsnorth.co.uk>
Thu, 26 Feb 2015 14:08:38 +0000 (14:08 +0000)
committerJKingsnorth <john@johnkingsnorth.co.uk>
Thu, 26 Feb 2015 14:08:38 +0000 (14:08 +0000)
CRM/Contact/BAO/Contact.php

index 5a4d12a392f7a92f840059998fdacfceda61df80..55017960ae97c01ecd677f4e0a2ce7bcef9171ac 100644 (file)
@@ -1859,8 +1859,14 @@ ORDER BY civicrm_email.is_primary DESC";
     }
 
     if ($contactID) {
-      // CRM-10551: Allow deletion of blanked location-based fields
+      // CRM-10551
+      // If a user has logged in, or accessed via a checksum
+      // Then deliberately 'blanking' a value in the profile should remove it from their record
+      $session = CRM_Core_Session::singleton();
       $params['updateBlankLocInfo'] = TRUE;
+      if (($session->get('authSrc') & (CRM_Core_Permission::AUTH_SRC_CHECKSUM + CRM_Core_Permission::AUTH_SRC_LOGIN)) == 0) {
+        $params['updateBlankLocInfo'] = FALSE;
+      }
       
       $editHook = TRUE;
       CRM_Utils_Hook::pre('edit', 'Profile', $contactID, $params);
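Review bot: The new guard is written allow-first: `$params['updateBlankLocInfo']` is set to TRUE and only revoked when the mask test yields 0, so any later edit that moves or skips the `if` leaves unauthenticated submissions able to blank location data on a matched contact. The mask is also built with `+` and compared with a loose `==`. Addition gives the intended mask only while the two `AUTH_SRC_*` constants are distinct single bits, which this hunk does not show. Deriving the flag directly from a positive check makes it deny by default: `$authSrc = (int) $session->get('authSrc');` followed by `$params['updateBlankLocInfo'] = ($authSrc & (CRM_Core_Permission::AUTH_SRC_CHECKSUM | CRM_Core_Permission::AUTH_SRC_LOGIN)) !== 0;`. The enclosing function starts and ends outside the hunk, so confirm there that no other path sets `updateBlankLocInfo` for an anonymous caller.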