From c826cd958b226b2b5ebf507069df08741e220652 Mon Sep 17 00:00:00 2001
From: Edsel
Date: Tue, 14 Apr 2015 18:01:54 +0530
Subject: [PATCH] CIVI-28 Added permission check for membership view, edit and delete for individual memberships
---
 CRM/Member/Form/MembershipView.php | 6 ++++++
 templates/CRM/Member/Form/MembershipView.tpl | 12 ++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/CRM/Member/Form/MembershipView.php b/CRM/Member/Form/MembershipView.php
index f5badbe6cb..2700b1880b 100644
--- a/CRM/Member/Form/MembershipView.php
+++ b/CRM/Member/Form/MembershipView.php
@@ -160,6 +160,12 @@ class CRM_Member_Form_MembershipView extends CRM_Core_Form {
 $params = array('id' => $id);
 CRM_Member_BAO_Membership::retrieve($params, $values);
+ $finTypeId = CRM_Core_DAO::getFieldValue('CRM_Member_DAO_MembershipType', $values['membership_type_id'], 'financial_type_id');
+ $finType = CRM_Contribute_PseudoConstant::financialType($finTypeId);
+ if (!CRM_Core_Permission::check('view contributions of type ' . $finType)) {
+ CRM_Core_Error::fatal(ts('You do not have permissionn to access this page.'));
+ }
+ $this->assign('financialTypeId', $finType);
 $membershipType = CRM_Member_BAO_MembershipType::getMembershipTypeDetails($values['membership_type_id']);
 // Do the action on related Membership if needed
diff --git a/templates/CRM/Member/Form/MembershipView.tpl b/templates/CRM/Member/Form/MembershipView.tpl
index 029c1e6eb9..ef01e4c25d 100644
--- a/templates/CRM/Member/Form/MembershipView.tpl
+++ b/templates/CRM/Member/Form/MembershipView.tpl
@@ -27,14 +27,16 @@
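Review bot: The message on the added fatal() line misspells "permission" as `permissionn`, and since it is wrapped in ts() the misspelling also becomes a translation key; change it to `CRM_Core_Error::fatal(ts('You do not have permission to access this page.'));`. The value assigned as `financialTypeId` is the label returned by CRM_Contribute_PseudoConstant::financialType(), not the id, so a name such as `financialType` would spare the template author a wrong assumption. If getFieldValue() returns nothing for the membership type, `$finType` is empty and the check degrades to the bare string `view contributions of type `, which is presumably unintended and deserves an explicit guard before the permission check. This is the only server-side check the commit adds: the template changes in the second file only hide the Edit and Delete links, so the handlers that process `action=update` and `action=delete` (outside this diff) still need the matching `edit contributions of type` / `delete contributions of type` checks for the restriction to be effective. The enclosing method starts and ends outside the hunk.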
{* Check permissions and make sure this is not an inherited membership (edit and delete not allowed for inherited memberships) *} - {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'edit memberships') } + {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'edit memberships') + && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financialTypeId")} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context"} {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context&key=$searchKey"} {/if}
{ts}Edit{/ts}
{/if} - {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviMember')} + {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviMember') + && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financialTypeId")} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context"} {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context&key=$searchKey"} @@ -83,14 +85,16 @@
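Review bot: The `&& call_user_func(...)` conditions added in this hunk and in the one at @@ -83 decide only whether the Edit and Delete links are rendered; they are not an authorization check, so the same financial-type permissions have to be enforced in the code that services `action=update` and `action=delete`, which is outside this diff. The permission expression is now hand-built in four places in the template; computing it once in the PHP form and assigning two booleans (for example `$this->assign('canEditMembershipFinType', ...)`) would keep the decision in one place and reduce each condition to `AND $canEditMembershipFinType`. The variable `$financialTypeId` holds the financial type label assigned by the PHP side, so its name is misleading, although the permission string built here appears to expect the label and is consistent with the view check. The `{if ...}` blocks continue past the end of each hunk.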
{* Check permissions and make sure this is not a related membership (edit and delete not allowed for related memberships) *} - {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'edit memberships') } + {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'edit memberships') + && call_user_func(array('CRM_Core_Permission', 'check'), "edit contributions of type $financialTypeId")} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context"} {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=update&context=$context&key=$searchKey"} {/if}
{ts}Edit{/ts}
{/if} - {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviMember')} + {if ! $owner_contact_id AND call_user_func(array('CRM_Core_Permission','check'), 'delete in CiviMember') + && call_user_func(array('CRM_Core_Permission', 'check'), "delete contributions of type $financialTypeId")} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context"} {if ( $context eq 'fulltext' || $context eq 'search' ) && $searchKey} {assign var='urlParams' value="reset=1&id=$id&cid=$contact_id&action=delete&context=$context&key=$searchKey"} -- 2.25.1