From 088101a4f90e68e7e8b361ebb043fff5dfd7eb8b Mon Sep 17 00:00:00 2001
From: Omar abu hussein
Date: Thu, 23 Nov 2017 00:59:51 +0200
Subject: [PATCH] CRM-21473: Add new permission to add contact notes and prevent users without edit contact permission to edit or delete notes

---
 CRM/Contact/Page/View/Note.php           | 21 ++++++++++++++++++++-
 CRM/Core/Permission.php                  |  4 ++++
 templates/CRM/Contact/Page/View/Note.tpl |  2 +-
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/CRM/Contact/Page/View/Note.php b/CRM/Contact/Page/View/Note.php
index 7eb47d4c2f..9345343a73 100644
--- a/CRM/Contact/Page/View/Note.php
+++ b/CRM/Contact/Page/View/Note.php
@@ -94,6 +94,8 @@ class CRM_Contact_Page_View_Note extends CRM_Core_Page {
     }
     $mask = CRM_Core_Action::mask($permissions);
+    $this->assign('canAddNotes', CRM_Core_Permission::check('add contact notes'));
+
     $values = array();
     $links = self::links();
     $action = array_sum(array_keys($links)) & $mask;
@@ -212,10 +214,27 @@ class CRM_Contact_Page_View_Note extends CRM_Core_Page {
     if ($this->_action & CRM_Core_Action::VIEW) {
       $this->view();
     }
-    elseif ($this->_action & (CRM_Core_Action::UPDATE | CRM_Core_Action::ADD)) {
+    elseif ($this->_action & CRM_Core_Action::ADD) {
+      if (
+        $this->_permission != CRM_Core_Permission::EDIT &&
+        !CRM_Core_Permission::check('add contact notes')
+      ) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to add notes.'));
+      }
+
+      $this->edit();
+    }
+    elseif ($this->_action & CRM_Core_Action::UPDATE) {
+      if ($this->_permission != CRM_Core_Permission::EDIT) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to edit this note.'));
+      }
+
       $this->edit();
     }
     elseif ($this->_action & CRM_Core_Action::DELETE) {
+      if ($this->_permission != CRM_Core_Permission::EDIT) {
+        CRM_Core_Error::statusBounce(ts('You do not have access to delete this note.'));
+      }
       // we use the edit screen the confirm the delete
       $this->edit();
     }
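Review bot: The new `canAddNotes` assignment placed after the `$mask` line carries no comment saying it is a display flag only, and a later reader may take it for the enforcement point; I would add `// UI flag for the "Add Note" button only; run() re-checks the permission before the add form is reached.` above it. `CRM_Core_Permission::check('add contact notes')` is a site-wide check rather than a per-contact one, so the flag is true for a holder of that permission on any contact page they can open, which matches the ADD gate in run() as far as this diff shows. The enclosing method starts and ends outside the hunk.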
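Review bot: The ADD gate at the top of the new `elseif ($this->_action & CRM_Core_Action::ADD)` branch lets the request through whenever the site-wide `add contact notes` permission is held, regardless of the value of `$this->_permission`; if `$this->_permission` can be empty here — i.e. the page can be reached for a contact the user has no view access to — a holder of the new permission could attach notes to that contact. Unless `preProcess()` (outside this hunk) already bounces such users, I would tie the global permission to a per-contact grant by replacing the second operand of the `&&` with `(empty($this->_permission) || !CRM_Core_Permission::check('add contact notes'))`. The three `$this->_permission != CRM_Core_Permission::EDIT` comparisons use loose `!=`; a strict `!==` would stop the gate depending on whatever type `$this->_permission` happens to hold, provided it is always the integer constant. The UPDATE and DELETE branches now repeat the same check-and-bounce pattern, so a small private helper that takes the message and bounces when `$this->_permission` is not EDIT would keep the three gates from drifting apart. run() starts before and ends after this hunk.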
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index d6a1915cb3..e7be11b4a6 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -806,6 +806,10 @@ class CRM_Core_Permission {
         $prefix . ts('view all notes'),
         ts("View notes (for visible contacts) even if they're marked admin only"),
       ),
+      'add contact notes' => array(
+        $prefix . ts('add contact notes'),
+        ts("Create notes for contacts"),
+      ),
       'access AJAX API' => array(
         $prefix . ts('access AJAX API'),
         ts('Allow API access even if Access CiviCRM is not granted'),
diff --git a/templates/CRM/Contact/Page/View/Note.tpl b/templates/CRM/Contact/Page/View/Note.tpl
index 6d541df883..14b779b575 100644
--- a/templates/CRM/Contact/Page/View/Note.tpl
+++ b/templates/CRM/Contact/Page/View/Note.tpl
@@ -98,7 +98,7 @@
 {/if}
-{if $permission EQ 'edit' AND ($action eq 16)}
+{if ($permission EQ 'edit' OR $canAddNotes) AND ($action eq 16)}
-- 
2.25.1
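Review bot: The description `ts("Create notes for contacts")` on the new `'add contact notes'` entry does not say which contacts, whereas the neighbouring `view all notes` entry scopes itself with "(for visible contacts)"; an administrator granting this permission needs to know it is site-wide and is checked alongside the per-contact permission in `CRM_Contact_Page_View_Note::run()`, and that it confers no right to edit or delete notes. I would write `ts("Create notes for contacts the user can access (does not allow editing or deleting notes)")`, adjusting the wording if the page-level check differs from what this diff shows. The permission array continues outside the hunk.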