From f91b40e99b24a4457864abc6c9bb3493018ee1e0 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 1 Mar 2022 14:32:28 +1100
Subject: [PATCH] security/core#112 Fix viewing contributions when user doesn't have acess to civicontribute or edit contributions permissions

---
 CRM/Contribute/Form/ContributionView.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CRM/Contribute/Form/ContributionView.php b/CRM/Contribute/Form/ContributionView.php
index 6946745252..f71c4272da 100644
--- a/CRM/Contribute/Form/ContributionView.php
+++ b/CRM/Contribute/Form/ContributionView.php
@@ -31,6 +31,11 @@ class CRM_Contribute_Form_ContributionView extends CRM_Core_Form {
 public function preProcess() {
 $id = $this->getID();

+ // Check permission for action.
+ if (!CRM_Core_Permission::checkActionPermission('CiviContribute', $this->_action)) {
+ CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
+ }
+
 $params = ['id' => $id];
 $context = CRM_Utils_Request::retrieve('context', 'Alphanumeric', $this);
 $this->assign('context', $context);
-- 
2.25.1
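Review bot: The added guard in preProcess() authorizes only at component level: `checkActionPermission('CiviContribute', $this->_action)` says whether the user may perform this action on contributions in general, not whether they may see the contribution identified by `$id`. Whether a per-record check (for example a contact ACL) follows later cannot be seen here, because preProcess() continues past the end of the hunk; if none does, it belongs next to this guard. The guard would also read more safely as the first statement, ahead of `$id = $this->getID();`, so that nothing request-derived is processed before authorization, and its comment could state the intent, e.g. `// Deny before loading any contribution data: requires the CiviContribute permission matching the current action.` The diffstat lists a single changed file, so no regression test accompanies this security fix; a test asserting that a user lacking the CiviContribute permissions is bounced from this form would keep the check from being lost in a later refactor.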