CRM-15845 - Fix relationship datatables permission check

author Coleman Watts <coleman@civicrm.org>

Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)

committer Coleman Watts <coleman@civicrm.org>

Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)
author Coleman Watts <coleman@civicrm.org>
Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)
committer Coleman Watts <coleman@civicrm.org>
Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)
diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php

index 11a3202147deddf92f5311c60ef3e1028a6c42f1..a1b4f10eb0537adc988554bb3a5b1801f4c92623 100644 (file)
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -1071,6 +1071,10 @@ LIMIT {$offset}, {$rowCount}
      $contactID = CRM_Utils_Type::escape($_GET['cid'], 'Integer');
      $context = CRM_Utils_Type::escape($_GET['context'], 'String');
  
+    if (!CRM_Contact_BAO_Contact_Permission::allow($contactID)) {
+      return CRM_Utils_System::permissionDenied();
+    }
+
      $sortMapper = array(
        0 => 'relation',
        1 => 'sort_name',
diff --git a/CRM/Core/xml/Menu/Contact.xml b/CRM/Core/xml/Menu/Contact.xml

index 52819a7cb917880741da5c2920af2d3d93ef076e..ddba9d7e7caf2f377124c5bf713690c413e22c18 100644 (file)
--- a/CRM/Core/xml/Menu/Contact.xml
+++ b/CRM/Core/xml/Menu/Contact.xml
@@ -398,6 +398,6 @@
    <item>
      <path>civicrm/ajax/contactrelationships</path>
      <page_callback>CRM_Contact_Page_AJAX::getContactRelationships</page_callback>
-    <access_arguments>view all contacts;view my contact</access_arguments>
+    <access_arguments>access CiviCRM;view my contact</access_arguments>
    </item>
  </menu>
author	Coleman Watts <coleman@civicrm.org>
	Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)
committer	Coleman Watts <coleman@civicrm.org>
	Tue, 20 Jan 2015 18:09:22 +0000 (13:09 -0500)
CRM/Contact/Page/AJAX.php		patch \| blob \| blame \| history
CRM/Core/xml/Menu/Contact.xml		patch \| blob \| blame \| history