From b02664034bd2a91aed87b0a8c504ef55f7405c03 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Tue, 20 Jan 2015 13:09:22 -0500
Subject: [PATCH] CRM-15845 - Fix relationship datatables permission check
---
 CRM/Contact/Page/AJAX.php | 4 ++++
 CRM/Core/xml/Menu/Contact.xml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index 11a3202147..a1b4f10eb0 100644
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -1071,6 +1071,10 @@ LIMIT {$offset}, {$rowCount}
 $contactID = CRM_Utils_Type::escape($_GET['cid'], 'Integer');
 $context = CRM_Utils_Type::escape($_GET['context'], 'String');
+ if (!CRM_Contact_BAO_Contact_Permission::allow($contactID)) {
+ return CRM_Utils_System::permissionDenied();
+ }
+
 $sortMapper = array(
 0 => 'relation',
 1 => 'sort_name',
diff --git a/CRM/Core/xml/Menu/Contact.xml b/CRM/Core/xml/Menu/Contact.xml
index 52819a7cb9..ddba9d7e7c 100644
--- a/CRM/Core/xml/Menu/Contact.xml
+++ b/CRM/Core/xml/Menu/Contact.xml
@@ -398,6 +398,6 @@ civicrm/ajax/contactrelationships CRM_Contact_Page_AJAX::getContactRelationships
- view all contacts;view my contact
+ access CiviCRM;view my contact
--
2.25.1
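Review bot: The new guard calls `CRM_Contact_BAO_Contact_Permission::allow($contactID)` with its default permission type, so the access level this endpoint requires is implicit. Writing it as `if (!CRM_Contact_BAO_Contact_Permission::allow($contactID, CRM_Core_Permission::VIEW)) {` makes the intended level reviewable at the call site. The check covers only the contact named by `cid`; whether the related contacts returned in the rows are filtered by the same ACL is decided outside this hunk and should be confirmed. A short comment above the guard, such as `// Route permission is broad; the per-contact ACL is enforced here.`, would record why it must not be removed. The enclosing function (presumably getContactRelationships) starts and ends outside the hunk.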
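Review bot: With the access line changed to `access CiviCRM;view my contact`, the route for `civicrm/ajax/contactrelationships` no longer limits which contact a caller may query, so the check added in CRM/Contact/Page/AJAX.php becomes the only per-contact authorization. The semicolon list appears to be an either-of list, which should be confirmed against the menu loader. Nothing in the XML records this dependency on the callback; I would add a comment beside the access line, for example `<!-- per-contact ACL is enforced in CRM_Contact_Page_AJAX::getContactRelationships -->`. The element markup is not visible in this hunk, so exact placement is to be confirmed.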