From b8ba534c3748a2e2f9e86fac776118b6add38180 Mon Sep 17 00:00:00 2001
From: colemanw
Date: Sat, 2 Sep 2023 14:52:27 -0400
Subject: [PATCH] Fix security/core#126 csrf bug to delete contact image

---
 CRM/Contact/BAO/Contact.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CRM/Contact/BAO/Contact.php b/CRM/Contact/BAO/Contact.php
index 2c21311b9d..4b469a4253 100644
--- a/CRM/Contact/BAO/Contact.php
+++ b/CRM/Contact/BAO/Contact.php
@@ -1138,6 +1138,9 @@ WHERE civicrm_contact.id = " . CRM_Utils_Type::escape($id, 'Integer');
     $cid = $cid ? $cid : $id;
     if ($action & CRM_Core_Action::DELETE) {
       if (CRM_Utils_Request::retrieve('confirmed', 'Boolean')) {
+        if (!CRM_Contact_BAO_Contact::_checkAccess('Contact', 'update', ['id' => $cid], NULL)) {
+          CRM_Utils_System::permissionDenied();
+        }
         CRM_Contact_BAO_Contact::deleteContactImage($cid);
         CRM_Core_Session::setStatus(ts('Contact image deleted successfully'), ts('Image Deleted'), 'success');
         $session = CRM_Core_Session::singleton();
--
2.25.1
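Review bot: The added guard is an authorization check on `$cid`, but the subject describes a CSRF fix, and the delete is still triggered solely by the request parameter read via `CRM_Utils_Request::retrieve('confirmed', 'Boolean')`, so a user who does hold update rights can still be made to delete the image by a crafted link; alongside the access check, the handler should also validate a per-session request token (in this codebase presumably the form's `qfKey`, e.g. via `CRM_Core_Key::validate` if that is the convention here) before calling `deleteContactImage`. The lines after the new `if` block also rely on `CRM_Utils_System::permissionDenied()` never returning; if it only renders a denial page under some UF integrations, the deletion and the success status still run, so a `return;` after the call would make the guard self-contained. The `_checkAccess` helper's leading underscore suggests it is internal, so it is worth confirming it is the intended public entry point for this check. The enclosing function starts before and ends after this hunk.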