From dc6b437a02d39df256b7a68107bfc04c3a71b721 Mon Sep 17 00:00:00 2001
From: Guanhuan Chen <oooomic@gmail.com>
Date: Fri, 8 May 2015 19:28:39 +0100
Subject: [PATCH] Add permission for users to view their own invoices

---
 CRM/Contribute/xml/Menu/Contribute.xml |  2 +-
 CRM/Core/Permission.php                | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/CRM/Contribute/xml/Menu/Contribute.xml b/CRM/Contribute/xml/Menu/Contribute.xml
index 1f5c3a2a09..f366685d8a 100644
--- a/CRM/Contribute/xml/Menu/Contribute.xml
+++ b/CRM/Contribute/xml/Menu/Contribute.xml
@@ -304,7 +304,7 @@
     <path>civicrm/contribute/invoice</path>
     <title>PDF Invoice</title>
     <page_callback>CRM_Contribute_Form_Task_Invoice::getPrintPDF</page_callback>
-    <access_arguments>access CiviContribute</access_arguments>
+    <access_callback>CRM_Core_Permission::checkDownloadInvoice</access_callback>
     <page_type>1</page_type>
     <weight>620</weight>
     <component>CiviContribute</component>
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 94409e2627..d8756cf2ba 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -822,6 +822,10 @@ class CRM_Core_Permission {
       'edit message templates' => array(
         $prefix . ts('edit message templates'),
       ),
+      'view my invoices' => array(
+        $prefix . ts('download my invoices'),
+        ts('Allow users to view/ download their own invoices'),
+      ),
     );
 
     if (!$descriptions) {
@@ -944,4 +948,22 @@ class CRM_Core_Permission {
     ) ? TRUE : FALSE;
   }
 
+  /**
+   * Verify if the user has permission to get the invoice.
+   *
+   * @return bool
+   *   TRUE if the user has download all invoices permission or download my
+   *   invoices permission and the invoice author is the current user.
+   */
+  public static function checkDownloadInvoice() {
+    global $user;
+    $cid = CRM_Core_BAO_UFMatch::getContactId($user->uid);
+    if (CRM_Core_Permission::check('access CiviContribute') ||
+      (CRM_Core_Permission::check('view my invoices') && $_GET['cid'] == $cid)
+    ) {
+      return TRUE;
+    }
+    return FALSE;
+  }
+
 }
-- 
2.25.1