From 345c584424b2473671edced470a2b33d0b83f150 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 1 Mar 2022 14:32:28 +1100
Subject: [PATCH] security/core#112 Fix viewing contributions when user doesn't have acess to civicontribute or edit contributions permissions
---
 CRM/Contribute/Form/ContributionView.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CRM/Contribute/Form/ContributionView.php b/CRM/Contribute/Form/ContributionView.php
index 64f4c1473c..794cbb960b 100644
--- a/CRM/Contribute/Form/ContributionView.php
+++ b/CRM/Contribute/Form/ContributionView.php
@@ -28,6 +28,10 @@ class CRM_Contribute_Form_ContributionView extends CRM_Core_Form {
 if (empty($id)) {
 throw new CRM_Core_Exception('Contribution ID is required');
 }
+ // Check permission for action.
+ if (!CRM_Core_Permission::checkActionPermission('CiviContribute', $this->_action)) {
+ CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
+ }
 $params = ['id' => $id];
 $context = CRM_Utils_Request::retrieve('context', 'Alphanumeric', $this);
 $this->assign('context', $context);
--
2.25.1
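Review bot: The added `checkActionPermission('CiviContribute', $this->_action)` guard is a component-level check only; nothing in the hunk ties the decision to the contribution `$id` being viewed. A user who holds the CiviContribute permission but is limited to a subset of contacts could therefore still open a record outside that subset, unless the load that follows `$params = ['id' => $id]` enforces record-level access — that code is not visible, as the enclosing method starts and ends outside the hunk. I would state the scope in the comment, e.g. `// Component-level gate only; record-level access must be enforced when the contribution is loaded.`, and confirm the lookup does so. The guard also sits after the `empty($id)` test, so a caller without permission gets the 'Contribution ID is required' exception rather than the bounce when no id is sent; moving the guard above that test gives a uniform response. A regression test that requests this form as a user lacking the permission would keep the fix from being undone unnoticed.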