From 8c0ea1d7e8bdddcd0e10acfa6c444551fdb6c0f8 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Fri, 5 Sep 2014 22:03:00 -0700
Subject: [PATCH] CRM-15247 - CRM_Contact_Page_AJAX::getContactEmail - Validate inputs

---
 CRM/Contact/Page/AJAX.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index 90fc183330..4dbb69d595 100644
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -642,6 +642,9 @@ WHERE sort_name LIKE '%$name%'";
 static function getContactEmail() {
 if (CRM_Utils_Array::value('contact_id', $_REQUEST)) {
 $contactID = CRM_Utils_Type::escape($_REQUEST['contact_id'], 'Positive');
+ if (!CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::EDIT)) {
+ return;
+ }
 list($displayName, $userEmail ) = CRM_Contact_BAO_Contact_Location::getEmailDetails($contactID);
-- 
2.25.1
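Review bot: The added guard returns with no response when `CRM_Contact_BAO_Contact_Permission::allow()` fails, so the AJAX caller gets an empty body under a success status that it cannot tell apart from the missing-`contact_id` path, and the refusal leaves no trace for anyone investigating enumeration attempts. An explicit denial serves both the client and an incident responder better: if `CRM_Utils_System::permissionDenied()` is available in this codebase, use `CRM_Utils_System::permissionDenied();` in place of the bare `return;`, otherwise at minimum send a 403 before returning. Requiring `CRM_Core_Permission::EDIT` for what looks like a read-only email lookup is stricter than VIEW and is a safe default, but a one-line comment such as `// EDIT rather than VIEW: do not expose email details for contacts the user can only view` would stop a later maintainer from relaxing it — confirm that is the intent. The check is correctly placed after the `'Positive'` escape, so only a validated id reaches the permission lookup; the rest of `getContactEmail()` continues past the hunk.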