Details
- Type: Bug
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 4.7
- Component/s: Core CiviCRM
- Labels: None
- Documentation Required?: None
- Funding Source: Contributed Code
Description
If a user has permission to view a contact, but not edit a contact, he/she can still edit relationships by going to the form directly.
There is no permission check in CRM_Contact_Form_Relationship::preProcess().

I discovered this because I saw 'Edit' and 'Delete' links for expired relationships, even without the edit my/all contacts permission (see screenshot). This is because the permission mask in CRM_Contact_BAO_Relationship isn't correct for inactive relationships.
Then I found out active relationships could be edited and deleted as well.

Am I missing something or is this in any way intentional?
If not, I created a pull request to fix both problems: https://github.com/civicrm/civicrm-core/pull/6535
This fix applies to 4.6, but the same behaviour exists in 4.4.
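The two defects the report describes, as an added example (not CiviCRM's own code and not the linked pull request): a form preProcess that trusts the contact id in the query string versus one that checks the edit permission first, and an action mask that is only applied to active relationships versus one applied regardless of the row's state. The permission constants, action bits, `allowedOnContact()` helper and the way the buggy mask is built are all stand-ins invented for this illustration; in CiviCRM the real pieces are CRM_Core_Permission, CRM_Core_Action and the contact ACL check, and the actual shape of the original mask bug is an assumption.

```php
<?php
// Added example, not CiviCRM code. Constants and helpers below are stand-ins
// modeled loosely on CRM_Core_Permission / CRM_Core_Action; they are assumptions.

const PERM_VIEW = 1;
const PERM_EDIT = 2;

const ACTION_VIEW    = 1;
const ACTION_UPDATE  = 2;
const ACTION_DELETE  = 4;
const ACTION_ENABLE  = 8;
const ACTION_DISABLE = 16;

/** Stand-in for the contact ACL check: does the user hold $perm on $contactId? */
function allowedOnContact(array $grants, int $contactId, int $perm): bool {
    return (($grants[$contactId] ?? 0) & $perm) === $perm;
}

/**
 * Defect 1 (modeled): preProcess builds the edit form from the URL alone.
 * $grants is never consulted, so a view-only user who types the URL gets the form.
 */
function preProcessVulnerable(array $grants, array $query): string {
    $cid = (int) $query['cid'];
    $id  = (int) $query['id'];
    return "edit form for relationship {$id} on contact {$cid}";
}

/** Fix: refuse to build the form unless the user may EDIT the contact. */
function preProcessFixed(array $grants, array $query): string {
    $cid = (int) $query['cid'];
    $id  = (int) $query['id'];
    if (!allowedOnContact($grants, $cid, PERM_EDIT)) {
        // CiviCRM would bounce the request here; modeled as an exception.
        throw new RuntimeException('You do not have permission to edit this contact.');
    }
    return "edit form for relationship {$id} on contact {$cid}";
}

/**
 * Defect 2 (modeled assumption): the permission mask is only applied to
 * active rows, so expired (inactive) rows keep Edit/Delete for view-only users.
 */
function actionMaskVulnerable(bool $canEdit, bool $isActive): int {
    $mask = ACTION_VIEW | ACTION_UPDATE | ACTION_DELETE
          | ($isActive ? ACTION_DISABLE : ACTION_ENABLE);
    if ($isActive && !$canEdit) {
        $mask = ACTION_VIEW;
    }
    return $mask;
}

/** Fix: the mask is reduced to VIEW whenever the user lacks edit, active or not. */
function actionMaskFixed(bool $canEdit, bool $isActive): int {
    $mask = ACTION_VIEW | ACTION_UPDATE | ACTION_DELETE
          | ($isActive ? ACTION_DISABLE : ACTION_ENABLE);
    if (!$canEdit) {
        $mask &= ACTION_VIEW; // strips UPDATE, DELETE, ENABLE and DISABLE
    }
    return $mask;
}

// Constructed sample: the current user may only VIEW contact 42.
$grants = [42 => PERM_VIEW];
$query  = ['cid' => 42, 'id' => 7];

echo preProcessVulnerable($grants, $query), PHP_EOL; // form is rendered: the bug
try {
    preProcessFixed($grants, $query);
} catch (RuntimeException $e) {
    echo 'fixed: ', $e->getMessage(), PHP_EOL;
}

printf("inactive row, view-only user: buggy mask=%d, fixed mask=%d\n",
    actionMaskVulnerable(false, false), actionMaskFixed(false, false));
```

The point of the fix is that hiding a link is not an access control: the mask only governs what the listing shows, so the form itself must repeat the check in preProcess before loading or saving anything.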