From 18f511b7075a57c664fb44e6bd68a9091612c7b1 Mon Sep 17 00:00:00 2001
From: "Donald A. Lobo"
Date: Wed, 20 Nov 2013 18:03:24 -0800
Subject: [PATCH] CRM-13806 - Only accept valid profile urls
http://issues.civicrm.org/jira/browse/CRM-13806
---
 CRM/Core/Invoke.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/CRM/Core/Invoke.php b/CRM/Core/Invoke.php
index 1dea4ae1e0..221504f210 100644
--- a/CRM/Core/Invoke.php
+++ b/CRM/Core/Invoke.php
@@ -456,8 +456,13 @@ class CRM_Core_Invoke {
 }
 }
- $page = new CRM_Profile_Page_Listings();
- return $page->run();
+ if ($secondArg == 'view' || empty($secondArg)) {
+ $page = new CRM_Profile_Page_Listings();
+ return $page->run();
+ }
+
+ CRM_Utils_System::permissionDenied();
+ return;
 }
 /**
-- 
2.25.1
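Review bot: The allow-list test on the added `if ($secondArg == 'view' || empty($secondArg))` line is looser than the two cases it is meant to admit, because `empty()` is also true for the string `'0'` and the loose `==` would match an integer `0` on PHP versions before 8. A strict form such as `if ($secondArg === NULL || $secondArg === '' || $secondArg === 'view') {` keeps the check exact, provided `$secondArg` is always assigned before this point; its assignment and the start of the enclosing method are outside the hunk, so that needs confirming. A short comment above the condition, for example `// Only an empty or 'view' second argument reaches the listings page; everything else is denied (CRM-13806).`, would record that deny is now the deliberate default. The bare `return;` after `CRM_Utils_System::permissionDenied()` yields NULL where the other path returns `$page->run()`, which is fine if callers ignore the value but is worth a word in the method's docblock.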