using new Permission::allowList to fix CRM-12645
authorsystopia <endres@systopia.de>
Wed, 12 Oct 2016 20:47:32 +0000 (21:47 +0100)
committereileenmcnaugton <eileen@fuzion.co.nz>
Mon, 24 Oct 2016 02:17:32 +0000 (15:17 +1300)
CRM/Contact/Selector.php

index c436d83a1bdcd7ac420476959c82672991680fdd..d77437d904a799d8921b2f45c7ce6acaad24dabc 100644 (file)
@@ -928,9 +928,20 @@ class CRM_Contact_Selector extends CRM_Core_Selector_Base implements CRM_Core_Se
     // mask value to hide map link if there are not lat/long
     $mapMask = $mask & 4095;
 
-    $links = self::links($this->_context, $this->_contextMenu, $this->_key);
+    // get permissions on an individual level (CRM-12645)
+    $can_edit_list = CRM_Contact_BAO_Contact_Permission::allowList(array_keys($rows), CRM_Core_Permission::EDIT);
+
+    $links_template = self::links($this->_context, $this->_contextMenu, $this->_key);
+
 
     foreach ($rows as $id => & $row) {
+      $links = $links_template;
+
+      // remove edit/view links (CRM-12645)
+      if (isset($links[CRM_Core_Action::UPDATE]) && !in_array($id, $can_edit_list)) {
+        unset($links[CRM_Core_Action::UPDATE]);
+      }
+
       if (!empty($this->_formValues['deleted_contacts']) && CRM_Core_Permission::check('access deleted contacts')
       ) {
         $links = array(
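Review bot: The per-row removal of `CRM_Core_Action::UPDATE` is thrown away whenever the `deleted_contacts` branch that follows it runs, because that branch assigns a fresh `$links = array(`. The branch and the enclosing method continue outside the hunk, so confirm the replacement array offers no edit-type action for contacts missing from `$can_edit_list`. The added comment says "edit/view links" but only the UPDATE entry is removed; I would reword it to `// remove the edit link for contacts this user may not edit (CRM-12645)`. The membership test uses a loose `in_array` that rescans the list for every row; building `$can_edit = array_flip($can_edit_list);` before the loop and testing `!isset($can_edit[$id])` inside it avoids both the type juggling and the repeated scan. Dropping the link only changes what the listing shows, so the edit form still needs its own server-side permission check for the contact id it receives.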