Fix relationships permissions (CRM-17045) for 4.6 branch
authorKevin Levie <kevin@levity.nl>
Thu, 20 Aug 2015 01:12:07 +0000 (03:12 +0200)
committerKevin Levie <kevin@levity.nl>
Thu, 20 Aug 2015 01:13:16 +0000 (03:13 +0200)
CRM/Contact/BAO/Relationship.php
CRM/Contact/Form/Relationship.php

index dd1f1305f2b1c765816b3aa92cb64657c6eb02e1..dc1bd2171958ba966944a0ac8eea55deb6b989b7 100644 (file)
@@ -1295,6 +1295,7 @@ LEFT JOIN  civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
               $mask -= CRM_Core_Action::ENABLE;
               $mask -= CRM_Core_Action::DISABLE;
             }
+            $mask = $mask & $permissionMask;
           }
 
           // Give access to manage case link by copying to MAX_ACTION index temporarily, depending on case permission of user.
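Review bot: The added `$mask = $mask & $permissionMask;` has no comment, and `$permissionMask` is defined outside this hunk, so a reader cannot tell here what it encodes or whether it is always set to an integer mask on this path. I would add `// Only offer the actions the caller's permission mask allows (CRM-17045)` above it and use the compound form `$mask &= $permissionMask;`. Judging by the surrounding comment about links, the mask appears to decide only which action links are returned. If so, it limits what is shown rather than what is enforced, and the handlers behind those links still need their own permission check. The enclosing function starts and ends outside the hunk.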
index 96c5ca72af6e9ec695c07412d07408af23680259..8dfb5483f122b8cac4ba442de5804caa4abbff0c 100644 (file)
@@ -131,6 +131,13 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 
     $this->assign('display_name_a', $this->_display_name_a);
 
+    // Check for permissions
+    if (in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE))) {
+      if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
+        CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
+      }
+    }
+
     // Set page title based on action
     switch ($this->_action) {
       case CRM_Core_Action::VIEW:
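Review bot: The new guard only runs when `$this->_action` is exactly ADD, UPDATE or DELETE, so any other action value that reaches this form skips the edit-permission check. The BAO context on this page shows `CRM_Core_Action::ENABLE` and `CRM_Core_Action::DISABLE` are also relationship actions; whether this form handles them is not visible here. A fail-closed condition would be safer, for example `if ($this->_action != CRM_Core_Action::VIEW) {`, so that every non-view action requires `CRM_Core_Permission::EDIT`. The check is also made against `$this->_contactId` only. For UPDATE and DELETE, confirm elsewhere in the method that the relationship being changed actually involves that contact, otherwise edit rights on one contact could be applied to an unrelated relationship id. The method body starts and ends outside the hunk.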