security/core#112 Fix viewing contributions when user doesn't have acess to...

security/core#112 Fix viewing contributions when user doesn't have acess to civicontribute or edit contributions permissions

security/core#112 Fix viewing contributions when user doesn't have acess to...
d2496d53 · Seamus Lee · totten · 1c0bb994 · d2496d53
Commit d2496d53 authored 3 years ago by Seamus Lee Committed by totten 3 years ago
--- a/CRM/Contribute/Form/ContributionView.php
+++ b/CRM/Contribute/Form/ContributionView.php
@@ -28,6 +28,10 @@ class CRM_Contribute_Form_ContributionView extends CRM_Core_Form {
    if (empty($id)) {
      throw new CRM_Core_Exception('Contribution ID is required');
    }
+    // Check permission for action.
+    if (!CRM_Core_Permission::checkActionPermission('CiviContribute', $this->_action)) {
+      CRM_Core_Error::statusBounce(ts('You do not have permission to access this page.'));
+    }
    $params = ['id' => $id];
    $context = CRM_Utils_Request::retrieve('context', 'Alphanumeric', $this);
    $this->assign('context', $context);