From cd056f13b8e133feab7f321beb05633f0817ce9d Mon Sep 17 00:00:00 2001
From: Kevin Levie
Date: Wed, 19 Aug 2015 08:33:57 +0200
Subject: [PATCH] Fix permission handling for relationships
---
 CRM/Contact/BAO/Relationship.php | 1 +
 CRM/Contact/Form/Relationship.php | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/CRM/Contact/BAO/Relationship.php b/CRM/Contact/BAO/Relationship.php
index 2487c43ef9..d35940f49f 100644
--- a/CRM/Contact/BAO/Relationship.php
+++ b/CRM/Contact/BAO/Relationship.php
@@ -1297,6 +1297,7 @@ LEFT JOIN civicrm_country ON (civicrm_address.country_id = civicrm_country.id)
 $mask -= CRM_Core_Action::ENABLE;
 $mask -= CRM_Core_Action::DISABLE;
 }
+ $mask = $mask & $permissionMask;
 }
 // Give access to manage case link by copying to MAX_ACTION index temporarily, depending on case permission of user.
diff --git a/CRM/Contact/Form/Relationship.php b/CRM/Contact/Form/Relationship.php
index 6f3926119f..470df63814 100644
--- a/CRM/Contact/Form/Relationship.php
+++ b/CRM/Contact/Form/Relationship.php
@@ -132,6 +132,13 @@ class CRM_Contact_Form_Relationship extends CRM_Core_Form {
 $this->assign('display_name_a', $this->_display_name_a);
+ // Check for permissions
+ if(in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE))) {
+ if (!CRM_Contact_BAO_Contact_Permission::allow($this->_contactId, CRM_Core_Permission::EDIT)) {
+ CRM_Core_Error::statusBounce(ts('You do not have the necessary permission to edit this contact.'));
+ }
+ }
+ // Set page title based on action
 switch ($this->_action) {
 case CRM_Core_Action::VIEW:
-- 2.25.1
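Review bot: `$permissionMask` is neither defined nor initialised anywhere in the hunk, and the new `$mask = $mask & $permissionMask;` sits inside the inner block that the following `}` closes, so any other path in this function that computes `$mask` (the function body starts and ends outside the hunk) would still render action links the user is not permitted to follow and presumably needs the same masking. If `$permissionMask` can be unset on some path, `$mask & null` evaluates to 0 and hides every link, which fails closed but emits an undefined-variable notice, so initialising it to 0 where it is computed would make that intent explicit. The new line also deserves a comment stating what the mask means, e.g. `// Drop action links the current user is not permitted to perform on this contact (permission bits computed above).`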
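Review bot: The guard checks edit permission only on `$this->_contactId`, the contact whose page opened the form, but a relationship is written to both contacts' records; if the form resolves the second contact elsewhere (not visible in this hunk), `CRM_Contact_BAO_Contact_Permission::allow()` should be applied to that id as well before ADD/UPDATE/DELETE is allowed to proceed. The `in_array()` call compares loosely; since `$this->_action` is a `CRM_Core_Action` integer, `in_array($this->_action, array(CRM_Core_Action::ADD, CRM_Core_Action::UPDATE, CRM_Core_Action::DELETE), TRUE)` is the safer form, and `if(` should be `if (` to match the spacing of the surrounding code. A brief comment would make the fail-closed intent clear, e.g. `// Fail closed: ADD/UPDATE/DELETE require edit permission on the contact; VIEW is left to the page-level check.` The enclosing method starts and ends outside the hunk, and it is not visible here whether `statusBounce()` returns, so the code after it should be treated as reachable unless that is confirmed.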