From ad623fd4f0f1266734a603733afa21181276bc0e Mon Sep 17 00:00:00 2001
From: Dave Greenberg
Date: Wed, 17 Jul 2013 18:15:46 -0700
Subject: [PATCH] CRM-10935 Fixing a number of pages and forms that were ignoring the edit my contact permission with hard-coded conditional allowing a user to edit their own contact record regardless of permissions.
----------------------------------------
* CRM-10935: Create new Core Permission - CiviCRM: Access own Contact or both "CiviCRM: View own Contact" and "CiviCRM: Edit own Contact" http://issues.civicrm.org/jira/browse/CRM-10935
---
 CRM/Contact/BAO/Contact/Permission.php | 2 +-
 CRM/Contact/Form/Contact.php | 4 +---
 CRM/Contact/Page/View.php | 4 ++--
 3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/CRM/Contact/BAO/Contact/Permission.php b/CRM/Contact/BAO/Contact/Permission.php
index 4b4cce81c3..c7e74915c9 100644
--- a/CRM/Contact/BAO/Contact/Permission.php
+++ b/CRM/Contact/BAO/Contact/Permission.php
@@ -252,7 +252,7 @@ AND $operationClause LIMIT 1";
 return FALSE;
 }
 }
- if ($contactID == $selectedContactID) {
+ if ($contactID == $selectedContactID && CRM_Core_Permission::check('edit my contact')) {
 return TRUE;
 }
 else {
diff --git a/CRM/Contact/Form/Contact.php b/CRM/Contact/Form/Contact.php
index 184f63bfaa..2cb4b81511 100644
--- a/CRM/Contact/Form/Contact.php
+++ b/CRM/Contact/Form/Contact.php
@@ -206,9 +206,7 @@ class CRM_Contact_Form_Contact extends CRM_Core_Form {
 // check for permissions
 $session = CRM_Core_Session::singleton();
- if ($session->get('userID') != $this->_contactId &&
- !CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)
- ) {
+ if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
 CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
 }
diff --git a/CRM/Contact/Page/View.php b/CRM/Contact/Page/View.php
index 3b92dd4e95..50c9f90f20 100644
--- a/CRM/Contact/Page/View.php
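Review bot: The self-access branch in the Permission.php hunk now returns TRUE only when 'edit my contact' is held, independent of which operation allow() was asked about, so a user who holds only the view-own permission the description introduces ("CiviCRM: View own Contact") is refused a VIEW of their own record, while the edit-own holder is granted it even for a VIEW check. The permission name should be chosen from the operation passed as allow()'s second argument (the parameter declared above the hunk, `$type` if I recall the signature correctly), e.g. `$selfPermission = ($type == CRM_Core_Permission::EDIT) ? 'edit my contact' : 'view my contact';` followed by `if ($contactID == $selectedContactID && CRM_Core_Permission::check($selfPermission)) {`, assuming the new view-own permission is registered under that name. The surrounding function starts and ends outside the hunk, so the SQL-based branch above (`$operationClause`) was not reviewed here.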
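Review bot: In the Form/Contact.php hunk, `$session` on the context line above the new guard was only read by the removed `$session->get('userID') != $this->_contactId` comparison; if the rest of the method (which continues outside the hunk) does not use it, the `$session = CRM_Core_Session::singleton();` assignment is now dead and should be dropped together with the condition it served. The single-call guard itself is the right shape: the self-edit decision now lives in CRM_Contact_BAO_Contact_Permission::allow(), so the statusBounce message on the next line stays accurate for a user editing their own record without 'edit my contact'.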
+++ b/CRM/Contact/Page/View.php
@@ -203,7 +203,7 @@ class CRM_Contact_Page_View extends CRM_Core_Page {
 'isDeleted' => $isDeleted,
 );
- if (($session->get('userID') == $this->_contactId) ||
+ if (
 CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)
 ) {
 $recentOther['editUrl'] = CRM_Utils_System::url('civicrm/contact/add', "reset=1&action=update&cid={$this->_contactId}");
@@ -286,7 +286,7 @@ class CRM_Contact_Page_View extends CRM_Core_Page {
 // things easier in dashboard
 $session = CRM_Core_Session::singleton();
- if ($session->get('userID') == $contactID) {
+ if ($session->get('userID') == $contactID && CRM_Core_Permission::check('edit my contact')) {
 $page->assign('permission', 'edit');
 $page->_permission = CRM_Core_Permission::EDIT;
 // deleted contacts’ stuff should be (at best) only viewable
-- 
2.25.1
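Review bot: The rewritten condition at `+ if (` in the first View.php hunk leaves a single call spread over three lines, a leftover of the two-operand form it replaces; collapse it to `if (CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {` and drop the separate `) {` line. The `$session` that the removed operand read is not assigned within the hunk; if nothing else in the method (whose start is above the hunk) uses it, its assignment can go as well.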
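Review bot: The self-edit shortcut at the changed line of the second View.php hunk (`-286,7`) re-implements the rule the Permission.php hunk just moved into CRM_Contact_BAO_Contact_Permission::allow() — the same `== $contactID` comparison and the same 'edit my contact' literal — so the two sites will drift the next time the policy changes. If the branch that follows (outside the hunk) already falls back to allow() for EDIT and VIEW, this shortcut can simply be removed; otherwise replace its condition with `if (CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::EDIT)) {` so the decision is made in one place. The loose `==` between the session userID and $contactID also survives from the old code; if either side can be NULL or a numeric string, comparing both after an explicit `(int)` cast keeps the intent without relying on PHP's type juggling.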