From ece0bc24f39551e53fe9e8d799f33446bb5035e9 Mon Sep 17 00:00:00 2001
From: Deepak Srivastava
Date: Tue, 10 Sep 2013 18:25:27 +0530
Subject: [PATCH] CRM-10128
---
CRM/Contact/BAO/Contact.php | 7 +++++++
CRM/Contact/BAO/Contact/Permission.php | 6 +++---
CRM/Core/Permission.php | 2 +-
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/CRM/Contact/BAO/Contact.php b/CRM/Contact/BAO/Contact.php
index 603dd4e12a..d6e3a51fe6 100644
--- a/CRM/Contact/BAO/Contact.php
+++ b/CRM/Contact/BAO/Contact.php
@@ -1906,6 +1906,7 @@ ORDER BY civicrm_email.is_primary DESC"; } $primaryPhoneLoc = NULL; + $session = CRM_Core_Session::singleton(); foreach ($params as $key => $value) { $fieldName = $locTypeId = $typeId = NULL; list($fieldName, $locTypeId, $typeId) = CRM_Utils_System::explode('-', $key, 3);
@@ -2067,6 +2068,12 @@ ORDER BY civicrm_email.is_primary DESC"; $value .= ' ' . $params[$key . '_time']; } + // if auth source is not checksum / login && $value is blank, do not proceed - CRM-10128 + if (($session->get('authSrc') & (CRM_Core_Permission::AUTH_SRC_CHECKSUM + CRM_Core_Permission::AUTH_SRC_LOGIN)) == 0 && + ($value == '' || !isset($value))) { + continue; + } + $valueId = NULL; if (CRM_Utils_Array::value('customRecordValues', $params)) { if (is_array($params['customRecordValues']) && !empty($params['customRecordValues'])) {
diff --git a/CRM/Contact/BAO/Contact/Permission.php b/CRM/Contact/BAO/Contact/Permission.php
index 555678dba2..b5b4e2ab29 100644
--- a/CRM/Contact/BAO/Contact/Permission.php
+++ b/CRM/Contact/BAO/Contact/Permission.php
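Review bot: In the `@@ -2067,6 +2068,12 @@` hunk of CRM/Contact/BAO/Contact.php the blank test `$value == ''` is a loose comparison, so `NULL` and `FALSE` (and integer `0` on PHP before 8) also count as blank and `!isset($value)` adds nothing; `($value === '' || $value === NULL)` states the intent exactly. The mask is loop-invariant and is built with `+`, which is only correct while the flags stay distinct bits; computing `$trustedSrc = CRM_Core_Permission::AUTH_SRC_CHECKSUM | CRM_Core_Permission::AUTH_SRC_LOGIN;` once next to the `$session` line added in the `@@ -1906,6 +1906,7 @@` hunk would read more clearly. The comment should also record that a session with no `authSrc` at all evaluates to 0 and therefore takes the `continue` path, since that fail-closed default appears to be what stops unauthenticated submissions from blanking stored values. The enclosing function starts and ends outside both hunks.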
@@ -341,6 +341,9 @@ WHERE (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR // does not come here, we redirect in the above statement } return FALSE; + } else if (CRM_Utils_Request::retrieve('cs', 'String', $form, FALSE)) { + $session = CRM_Core_Session::singleton(); + $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM); } // so here the contact is posing as $contactID, lets set the logging contact ID variable
@@ -349,9 +352,6 @@ WHERE (( contact_id_a = %1 AND contact_id_b = %2 AND is_permission_a_b = 1 ) OR array(1 => array($contactID, 'Integer')) ); - $session = CRM_Core_Session::singleton(); - $session->set('authSrc', CRM_Core_Permission::AUTH_SRC_CHECKSUM); - return TRUE; }
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 0f60b9cec4..a3baf56d3b 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -68,7 +68,7 @@ class CRM_Core_Permission { * * @var int */ - CONST AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4, ; + CONST AUTH_SRC_CHECKSUM = 1, AUTH_SRC_SITEKEY = 2, AUTH_SRC_LOGIN = 4; /** * get the current permission of this user
-- 2.25.1
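Review bot: In the `@@ -341,6 +341,9 @@` hunk of CRM/Contact/BAO/Contact/Permission.php the new branch records `AUTH_SRC_CHECKSUM` whenever a non-empty `cs` request parameter is present, so its correctness depends entirely on the preceding `if`, whose condition is outside the hunk, having already rejected an invalid checksum. If that condition is the checksum validation, a one-line comment such as `// cs passed the check above; record checksum as the auth source` would make the dependency explicit for the next editor. Because the branch above ends in `return FALSE;`, the `else` is redundant and a plain `if` after the closing brace would read more clearly. The flag is also written to the session without the `$contactID` it was validated for, and nothing visible in this patch clears it, so it is worth confirming elsewhere that a later request in the same session cannot rely on it for a different contact.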