From 75b351516bb3514ca4c18b5429a300b3b1256e99 Mon Sep 17 00:00:00 2001
From: jitendrapurohit
Date: Fri, 6 May 2016 16:45:36 +0530
Subject: [PATCH] CRM-18239 - 'CiviCRM: view my contact' permission results in user being able to edit themselves in CiviCRM
---
 CRM/Contact/BAO/Contact/Permission.php | 2 +-
 CRM/Contact/BAO/Relationship.php | 14 +++++++++++++-
 CRM/Contact/Form/Relationship.php | 16 ++++++++--------
 .../CRM/Contact/Page/Inline/ContactInfo.tpl | 3 ++-
 4 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/CRM/Contact/BAO/Contact/Permission.php b/CRM/Contact/BAO/Contact/Permission.php
index 17e74f87f5..5a3e4710c2 100644
--- a/CRM/Contact/BAO/Contact/Permission.php
+++ b/CRM/Contact/BAO/Contact/Permission.php
@@ -260,7 +260,7 @@ AND $operationClause LIMIT 1";
 }
 }
 if ($contactID == $selectedContactID &&
- (CRM_Core_Permission::check('edit my contact') || CRM_Core_Permission::check('view my contact'))
+ (CRM_Core_Permission::check('edit my contact'))
 ) {
 return TRUE;
 }
diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php
index 8183748483..079bb8b440 100644
--- a/CRM/Contact/BAO/Relationship.php
+++ b/CRM/Contact/BAO/Relationship.php
@@ -1274,8 +1274,9 @@ LEFT JOIN civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
 elseif ($status == self::DISABLED) {
 $mask |= CRM_Core_Action::ENABLE;
 }
- $mask = $mask & $permissionMask;
 }
+ // temporary hold the value of $mask.
+ $tempMask = $mask;
 }
 while ($relationship->fetch()) {
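Review bot: The self-edit gate on the `if ($contactID == $selectedContactID &&` line still compares the two ids loosely, so a missing session contact id (NULL) compares equal to a `0` or empty `$selectedContactID` and the decision then rests on the permission check alone; unless the enclosing function already rejects an empty `$contactID` (its start is outside this hunk), compare normalised integers, `if (!empty($contactID) && (int) $contactID === (int) $selectedContactID &&`. The parentheses around the now-single `CRM_Core_Permission::check('edit my contact')` call are left over from the removed `||` and can go. Because 'view my contact' no longer reaches this early return, self-view must be granted by another branch of the function, which this hunk does not show; a comment here, `// 'view my contact' is handled elsewhere; only 'edit my contact' may short-circuit to TRUE.`, records that dependency for the next reader.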
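Review bot: `$tempMask` is assigned only inside a block whose opening condition lies outside this hunk, while the second hunk of this file (new line 1291 onwards) reads it under `$status != self::INACTIVE && $links`; if the two conditions are not the same, `$mask = $tempMask` reads an undefined variable, emits a notice and the row's action mask degrades to 0 (no links). Initialising it unconditionally before that block, `$tempMask = 0;`, removes the dependency between the two hunks. The added comment would read better as `// Temporarily hold the status-derived $mask so the permission mask can be re-applied per relationship row below.`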
@@ -1287,6 +1288,17 @@ LEFT JOIN civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
 ) {
 continue;
 }
+ if ($status != self::INACTIVE && $links) {
+ // assign the original value to $mask
+ $mask = $tempMask;
+ // display action links if $cid has edit permission for the relationship.
+ if (!($permissionMask & CRM_Core_Permission::EDIT) && CRM_Contact_BAO_Contact_Permission::allow($cid, CRM_Core_Permission::EDIT)) {
+ $permissions[] = CRM_Core_Permission::EDIT;
+ $permissions[] = CRM_Core_Permission::DELETE;
+ $permissionMask = CRM_Core_Action::mask($permissions);
+ }
+ $mask = $mask & $permissionMask;
+ }
 $values[$rid]['id'] = $rid;
 $values[$rid]['cid'] = $cid;
 $values[$rid]['contact_id_a'] = $relationship->contact_id_a;
diff --git a/CRM/Contact/Form/Relationship.php b/CRM/Contact/Form/Relationship.php
index 8f2a096f3b..f764c3eac9 100644
--- a/CRM/Contact/Form/Relationship.php
+++ b/CRM/Contact/Form/Relationship.php
@@ -131,10 +131,17 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 $this->_display_name_a = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $this->_contactId, 'display_name');
 $this->assign('display_name_a', $this->_display_name_a);
+//get the relationship values.
+ $this->_values = array();
+ if ($this->_relationshipId) {
+ $params = array('id' => $this->_relationshipId);
+ CRM_Core_DAO::commonRetrieve('CRM_Contact_DAO_Relationship', $params, $this->_values);
+ }
 // Check for permissions
 if (in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE))) {
- if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
+ if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)
+ && !CRM_Contact_BAO_Contact_Permission::allow($this->_values['contact_id_b'], CRM_Core_Permission::EDIT)) {
 CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
 }
 }
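Review bot: The widening of `$permissions` and `$permissionMask` happens inside the `while ($relationship->fetch())` loop and is never undone, so once a single row's `$cid` passes `allow()` the `!($permissionMask & CRM_Core_Permission::EDIT)` guard is false for every later row and those rows are rendered with edit/delete action links even when the user has no edit right on their contact; `$permissions` also keeps growing with duplicate entries. A second problem on the same guard is that `$permissionMask` is produced by `CRM_Core_Action::mask()` while `CRM_Core_Permission::EDIT` is a permission constant, so unless the two constant sets deliberately share a bit layout the test checks the wrong bit. This only affects which links are shown (the form's own `allow()` check remains the enforcement point), but a per-row copy fixes both issues; the rewrite below assumes `$permissions` is the list `$permissionMask` was built from, which is not visible in this hunk — if it is not, seed the per-row list from the caller's mask instead.
```php
          if ($status != self::INACTIVE && $links) {
            // Derive this row's mask from the caller-supplied permissions; never widen the shared ones.
            $rowPermissions = $permissions;
            if (!in_array(CRM_Core_Permission::EDIT, $rowPermissions, TRUE)
              && CRM_Contact_BAO_Contact_Permission::allow($cid, CRM_Core_Permission::EDIT)) {
              $rowPermissions[] = CRM_Core_Permission::EDIT;
              $rowPermissions[] = CRM_Core_Permission::DELETE;
            }
            $mask = $tempMask & CRM_Core_Action::mask($rowPermissions);
          }
          // … unchanged: $values[$rid] assignments …
```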
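Review bot: For `CRM_Core_Action::ADD` there is no `$this->_relationshipId`, so `$this->_values` stays `array()` and the new `$this->_values['contact_id_b']` read in the permission condition raises an undefined-index notice and calls `allow()` with NULL; whether `allow()` denies a NULL contact id is decided outside this hunk, so the form should not rely on it. Read the id defensively and only consult the second contact when it exists: `$contactIdB = !empty($this->_values['contact_id_b']) ? $this->_values['contact_id_b'] : NULL;` followed by `if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)` and `&& !($contactIdB && CRM_Contact_BAO_Contact_Permission::allow($contactIdB, CRM_Core_Permission::EDIT))) {`. The condition also now passes when the user may edit either contact rather than only `$this->_contactId`, which the description implies is intended; a comment, `// Editing a relationship requires edit rights on at least one of its two contacts.`, would make that policy explicit.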
@@ -160,13 +167,6 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 $this->_caseId = CRM_Utils_Request::retrieve('caseID', 'Integer', $this);
- //get the relationship values.
- $this->_values = array();
- if ($this->_relationshipId) {
- $params = array('id' => $this->_relationshipId);
- CRM_Core_DAO::commonRetrieve('CRM_Contact_DAO_Relationship', $params, $this->_values);
- }
-
 if (!$this->_rtypeId) {
 $params = CRM_Utils_Request::exportValues();
 if (isset($params['relationship_type_id'])) {
diff --git a/templates/CRM/Contact/Page/Inline/ContactInfo.tpl b/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
index 72d72bd6a2..cd4b5643be 100644
--- a/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
+++ b/templates/CRM/Contact/Page/Inline/ContactInfo.tpl
@@ -23,7 +23,8 @@
 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
 +--------------------------------------------------------------------+
 *}
-
+{* data-edit-params to reload this info whenever relationship gets updated *}
+
{if $permission EQ 'edit'}
-- 2.25.1