CRM-18239 - 4.6 fix CiviCRM: view my contact permission results in user being able...

diff --git a/CRM/Contact/BAO/Contact/Permission.php b/CRM/Contact/BAO/Contact/Permission.php
index 3a326ca6e34a3c4d130a3ce42373b40375a38c50..3e79d0a912ef5a9efebcd86434ba05d1002a4beb 100644 (file)
--- a/CRM/Contact/BAO/Contact/Permission.php
+++ b/CRM/Contact/BAO/Contact/Permission.php
@@ -257,7 +257,7 @@ AND    $operationClause LIMIT 1";
       }
     }
     if ($contactID == $selectedContactID &&
-      (CRM_Core_Permission::check('edit my contact') || CRM_Core_Permission::check('view my contact'))
+      (CRM_Core_Permission::check('edit my contact'))
     ) {
       return TRUE;
     }

diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php
index adb8dc0a60ce823cd4e0724619bc3280874774fa..cf734959db0a7ccfe14892301da7d9d509f3c10a 100644 (file)
--- a/CRM/Contact/BAO/Relationship.php
+++ b/CRM/Contact/BAO/Relationship.php
@@ -1223,7 +1223,8 @@ LEFT JOIN  civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
           elseif ($status == self::DISABLED) {
             $mask |= CRM_Core_Action::ENABLE;
           }
-          $mask = $mask & $permissionMask;
+          // temporary hold the value of $mask.
+          $tempMask = $mask;
         }
       }
 
@@ -1236,6 +1237,17 @@ LEFT JOIN  civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
         ) {
           continue;
         }
+        if ($status != self::INACTIVE && $links) {
+          // assign the original value to $mask
+          $mask = $tempMask;
+          // display action links if $cid has edit permission for the relationship.
+          if (!($permissionMask & CRM_Core_Permission::EDIT) && CRM_Contact_BAO_Contact_Permission::allow($cid, CRM_Core_Permission::EDIT)) {
+            $permissions[] = CRM_Core_Permission::EDIT;
+            $permissions[] = CRM_Core_Permission::DELETE;
+            $permissionMask = CRM_Core_Action::mask($permissions);
+          }
+          $mask = $mask & $permissionMask;
+        }
         $values[$rid]['id'] = $rid;
         $values[$rid]['cid'] = $cid;
         $values[$rid]['contact_id_a'] = $relationship->contact_id_a;

diff --git a/CRM/Contact/Form/Relationship.php b/CRM/Contact/Form/Relationship.php
index 8dfb5483f122b8cac4ba442de5804caa4abbff0c..3d9499c0b0f645788fec1b0d830eea5ae46cb897 100644 (file)
--- a/CRM/Contact/Form/Relationship.php
+++ b/CRM/Contact/Form/Relationship.php
@@ -130,10 +130,17 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
     $this->_display_name_a = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $this->_contactId, 'display_name');
 
     $this->assign('display_name_a', $this->_display_name_a);
+    //get the relationship values.
+    $this->_values = array();
+    if ($this->_relationshipId) {
+      $params = array('id' => $this->_relationshipId);
+      CRM_Core_DAO::commonRetrieve('CRM_Contact_DAO_Relationship', $params, $this->_values);
+    }
 
     // Check for permissions
     if (in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE))) {
-      if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
+      if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)
+        && !CRM_Contact_BAO_Contact_Permission::allow($this->_values['contact_id_b'], CRM_Core_Permission::EDIT)) {
         CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
       }
     }
@@ -159,13 +166,6 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 
     $this->_caseId = CRM_Utils_Request::retrieve('caseID', 'Integer', $this);
 
-    //get the relationship values.
-    $this->_values = array();
-    if ($this->_relationshipId) {
-      $params = array('id' => $this->_relationshipId);
-      CRM_Core_DAO::commonRetrieve('CRM_Contact_DAO_Relationship', $params, $this->_values);
-    }
-
     if (!$this->_rtypeId) {
       $params = $this->controller->exportValues($this->_name);
       if (isset($params['relationship_type_id'])) {

diff --git a/templates/CRM/Contact/Page/Inline/ContactInfo.tpl b/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
index 9d3d2087ebc86a8f18a75e8ff666c1a904b5c3ca..f0c260c674b3577c17b58ee39b85fd37e0e72e3d 100644 (file)
--- a/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
+++ b/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
@@ -23,7 +23,8 @@
  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  +--------------------------------------------------------------------+
 *}
-<div id="crm-contactinfo-content" {if $permission EQ 'edit'} class="crm-inline-edit" data-edit-params='{ldelim}"cid": "{$contactId}", "class_name": "CRM_Contact_Form_Inline_ContactInfo"{rdelim}'{/if}>
+{* data-edit-params to reload this info whenever relationship gets updated *}
+<div id="crm-contactinfo-content" {if $permission EQ 'edit'} class="crm-inline-edit" {/if} data-edit-params='{ldelim}"cid": "{$contactId}", "class_name": "CRM_Contact_Form_Inline_ContactInfo"{rdelim}'>
   <div class="crm-clear crm-inline-block-content" {if $permission EQ 'edit'}title="{ts}Edit info{/ts}"{/if}>
     {if $permission EQ 'edit'}
     <div class="crm-edit-help">