From: Kevin Levie
Date: Thu, 20 Aug 2015 01:12:07 +0000 (+0200)
Subject: Fix relationships permissions (CRM-17045) for 4.6 branch
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=7060f0c3959b2772f109e48654e15de804e3984b;p=civicrm-core.git

Fix relationships permissions (CRM-17045) for 4.6 branch
---

diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php
index dd1f1305f2..dc1bd21719 100644
--- a/CRM/Contact/BAO/Relationship.php
+++ b/CRM/Contact/BAO/Relationship.php
@@ -1295,6 +1295,7 @@ LEFT JOIN civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
 $mask -= CRM_Core_Action::ENABLE;
 $mask -= CRM_Core_Action::DISABLE;
 }
+ $mask = $mask & $permissionMask;
 }
 // Give access to manage case link by copying to MAX_ACTION index temporarily, depending on case permission of user.
diff --git a/CRM/Contact/Form/Relationship.php b/CRM/Contact/Form/Relationship.php
index 96c5ca72af..8dfb5483f1 100644
--- a/CRM/Contact/Form/Relationship.php
+++ b/CRM/Contact/Form/Relationship.php
@@ -131,6 +131,13 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 $this->assign('display_name_a', $this->_display_name_a);
+ // Check for permissions
+ if (in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE))) {
+ if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
+ CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
+ }
+ }
+ // Set page title based on action
 switch ($this->_action) {
 case CRM_Core_Action::VIEW:
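Review bot: The new `$mask = $mask & $permissionMask;` line in CRM/Contact/BAO/Relationship.php reads a `$permissionMask` that nothing in the hunk defines or shows initialized, so its derivation is invisible at the point of use; if it is computed earlier in the function from the current user's permissions on the contact, a why-comment above the line would help, e.g. `// Drop action links the current user is not permitted to perform on this contact`. Narrowing `$mask` only controls which action links are rendered, so it is not itself an authorization check; the create/update/delete handlers still have to enforce the permission (the CRM_Contact_Form_Relationship hunk in this commit does that for the form path, and the same should be confirmed for any other write path). The compound form `$mask &= $permissionMask;` is the idiomatic spelling. The enclosing function begins and ends outside the hunk.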