From a21270c09309062f6ab429566255953e229de0b6 Mon Sep 17 00:00:00 2001
From: Jon Goldberg
Date: Wed, 5 Dec 2018 22:37:13 -0500
Subject: [PATCH] core#571 - check logged in OR checksum user permissions to edit recurring contributions
---
 CRM/Contribute/Form/CancelSubscription.php | 3 +--
 CRM/Contribute/Form/UpdateBilling.php | 3 +--
 CRM/Contribute/Form/UpdateSubscription.php | 3 +--
 3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/CRM/Contribute/Form/CancelSubscription.php b/CRM/Contribute/Form/CancelSubscription.php
index ec4aabd93b..4b633d8081 100644
--- a/CRM/Contribute/Form/CancelSubscription.php
+++ b/CRM/Contribute/Form/CancelSubscription.php
@@ -106,8 +106,7 @@ class CRM_Contribute_Form_CancelSubscription extends CRM_Core_Form {
 }
 if (!CRM_Core_Permission::check('edit contributions')) {
- $userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this, FALSE);
- if (!CRM_Contact_BAO_Contact_Utils::validChecksum($this->_subscriptionDetails->contact_id, $userChecksum)) {
+ if ($this->_subscriptionDetails->contact_id != $this->getContactID()) {
 CRM_Core_Error::fatal(ts('You do not have permission to cancel this recurring contribution.'));
 }
 $this->_selfService = TRUE;
diff --git a/CRM/Contribute/Form/UpdateBilling.php b/CRM/Contribute/Form/UpdateBilling.php
index da6604388b..0ef1fdfcb9 100644
--- a/CRM/Contribute/Form/UpdateBilling.php
+++ b/CRM/Contribute/Form/UpdateBilling.php
@@ -88,8 +88,7 @@ class CRM_Contribute_Form_UpdateBilling extends CRM_Core_Form {
 CRM_Core_Error::fatal('Required information missing.');
 }
 if (!CRM_Core_Permission::check('edit contributions')) {
- $userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this, FALSE);
- if (!CRM_Contact_BAO_Contact_Utils::validChecksum($this->_subscriptionDetails->contact_id, $userChecksum)) {
+ if ($this->_subscriptionDetails->contact_id != $this->getContactID()) {
 CRM_Core_Error::fatal(ts('You do not have permission to cancel subscription.'));
 }
 $this->_selfService = TRUE;
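Review bot: The added line `if ($this->_subscriptionDetails->contact_id != $this->getContactID()) {` compares with loose `!=` a DAO-loaded `contact_id` (likely a numeric string) against whatever `getContactID()` returns (an int, or presumably NULL when no contact can be established), so the whole self-service authorisation now rests on `getContactID()` never yielding a contact that was not authenticated by the login session or by a checksum-validated `cid`; that contract is not visible in this hunk and should be confirmed and stated at the call site. I would make both the intent and the comparison explicit: `$contactID = $this->getContactID();` followed by `if (!$contactID || (int) $this->_subscriptionDetails->contact_id !== (int) $contactID) {`, preceded by a comment such as `// Self-service path: the requester must be the subscription's own contact, established via session or validated checksum.`. The identical pattern is added in the UpdateBilling.php and UpdateSubscription.php hunks and should be changed the same way. The enclosing method starts and ends outside the hunk.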
diff --git a/CRM/Contribute/Form/UpdateSubscription.php b/CRM/Contribute/Form/UpdateSubscription.php
index 3ed257189b..4bea1cd892 100644
--- a/CRM/Contribute/Form/UpdateSubscription.php
+++ b/CRM/Contribute/Form/UpdateSubscription.php
@@ -124,8 +124,7 @@ class CRM_Contribute_Form_UpdateSubscription extends CRM_Core_Form {
 }
 if (!CRM_Core_Permission::check('edit contributions')) {
- $userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this, FALSE);
- if (!CRM_Contact_BAO_Contact_Utils::validChecksum($this->_subscriptionDetails->contact_id, $userChecksum)) {
+ if ($this->_subscriptionDetails->contact_id != $this->getContactID()) {
 CRM_Core_Error::statusBounce(ts('You do not have permission to update subscription.'));
 }
 $this->_selfService = TRUE;
-- 
2.25.1