From 4f4052f638e8c05d6b297df4541bfd244dea24d2 Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Tue, 27 Sep 2016 16:35:09 -0400
Subject: [PATCH] CRM-19363 - Add price_set api permission checks

---
 CRM/Core/DAO/permissions.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CRM/Core/DAO/permissions.php b/CRM/Core/DAO/permissions.php
index 04ad1cfbbb..ca0790cbe7 100644
--- a/CRM/Core/DAO/permissions.php
+++ b/CRM/Core/DAO/permissions.php
@@ -305,6 +305,16 @@ function _civicrm_api3_permissions($entity, $action, &$params) {
   // Loc block is only used for events
   $permissions['loc_block'] = $permissions['event'];
 
+  // Price sets are shared by several components, user needs access to at least one of them
+  $permissions['price_set'] = array(
+    'default' => array(
+      array('access CiviEvent', 'access CiviContribute', 'access CiviMember'),
+    ),
+    'get' => array(
+      array('access CiviCRM', 'view event info', 'make online contributions'),
+    ),
+  );
+
   // File permissions
   $permissions['file'] = array(
     'default' => array(
-- 
2.25.1