From f26fa703dff992f56e0996d8766745eb7bdf0d67 Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Tue, 10 Jul 2018 18:45:43 -0400
Subject: [PATCH] CustomValue gettree api - More accurate permission check

---
 CRM/Core/Permission.php | 4 ++++
 api/v3/CustomValue.php  | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 762c6ae9511..a532a4a2c4d 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -1473,6 +1473,10 @@ public static function getEntityActionPermissions() {
     $permissions['option_value'] = $permissions['uf_group'];
     $permissions['option_group'] = $permissions['option_value'];
 
+    $permissions['custom_value'] = array(
+      'gettree' => array('access CiviCRM'),
+    );
+
     $permissions['message_template'] = array(
       'get' => array('access CiviCRM'),
       'create' => array('edit message templates', 'edit user-driven message templates', 'edit system workflow message templates'),
diff --git a/api/v3/CustomValue.php b/api/v3/CustomValue.php
index 20aa18c5188..e53b39d88a7 100644
--- a/api/v3/CustomValue.php
+++ b/api/v3/CustomValue.php
@@ -341,6 +341,7 @@ function civicrm_api3_custom_value_gettree($params) {
   if ($ret || !empty($params['check_permissions'])) {
     $entityData = civicrm_api3($params['entity_type'], 'getsingle', array(
       'id' => $params['entity_id'],
+      'check_permissions' => !empty($params['check_permissions']),
       'return' => array_merge(array('id'), array_values($ret)),
     ));
     foreach ($ret as $param => $key) {