From 730afb4688f483dfeb64cb8bfc0de327f22b8986 Mon Sep 17 00:00:00 2001
From: systopia <endres@systopia.de>
Date: Wed, 12 Oct 2016 21:47:32 +0100
Subject: [PATCH] using new Permission::allowList to fix CRM-12645

---
 CRM/Contact/Selector.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/CRM/Contact/Selector.php b/CRM/Contact/Selector.php
index c436d83a1b..d77437d904 100644
--- a/CRM/Contact/Selector.php
+++ b/CRM/Contact/Selector.php
@@ -928,9 +928,20 @@ class CRM_Contact_Selector extends CRM_Core_Selector_Base implements CRM_Core_Se
     // mask value to hide map link if there are not lat/long
     $mapMask = $mask & 4095;
 
-    $links = self::links($this->_context, $this->_contextMenu, $this->_key);
+    // get permissions on an individual level (CRM-12645)
+    $can_edit_list = CRM_Contact_BAO_Contact_Permission::allowList(array_keys($rows), CRM_Core_Permission::EDIT);
+
+    $links_template = self::links($this->_context, $this->_contextMenu, $this->_key);
+
 
     foreach ($rows as $id => & $row) {
+      $links = $links_template;
+
+      // remove edit/view links (CRM-12645)
+      if (isset($links[CRM_Core_Action::UPDATE]) && !in_array($id, $can_edit_list)) {
+        unset($links[CRM_Core_Action::UPDATE]);
+      }
+
       if (!empty($this->_formValues['deleted_contacts']) && CRM_Core_Permission::check('access deleted contacts')
       ) {
         $links = array(
-- 
2.25.1