forbid disabled link

application/Espo/Core/Acl.php

@@ -276,6 +276,21 @@ class Acl
         return $this->aclManager->checkField($this->user, $scope, $field, $action);
     }
 
+    /**
+     * Check access to a link.
+     *
+     * @param string $scope A scope (entity type).
+     * @param string $link A link to check.
+     * @param Table::ACTION_READ|Table::ACTION_EDIT $action An action.
+     * @noinspection PhpDocSignatureInspection
+     *
+     * @since 9.4.0
+     */
+    public function checkLink(string $scope, string $link, string $action = Table::ACTION_READ): bool
+    {
+        return $this->aclManager->checkLink($this->user, $scope, $link, $action);
+    }
+
     /**
      * Get links forbidden for a user.
      *

application/Espo/Core/Acl/GlobalRestriction.php

@@ -187,6 +187,13 @@ class GlobalRestriction
                         $value = $this->metadata->get(['entityDefs', $scope, 'links', $link, $type]);
                     }
 
+                    if (
+                        $type === self::TYPE_FORBIDDEN &&
+                        $this->metadata->get("entityDefs.$scope.links.$link.disabled")
+                    ) {
+                        $value = true;
+                    }
+
                     if (!$value) {
                         continue;
                     }

application/Espo/Core/AclManager.php

@@ -579,6 +579,21 @@ class AclManager
         return !in_array($field, $this->getScopeForbiddenFieldList($user, $scope, $action));
     }
 
+    /**
+     * Check access to a link.
+     *
+     * @param string $scope A scope (entity type).
+     * @param string $link A link to check.
+     * @param Table::ACTION_READ|Table::ACTION_EDIT $action An action.
+     * @noinspection PhpDocSignatureInspection
+     *
+     * @since 9.4.0
+     */
+    public function checkLink(User $user, string $scope, string $link, string $action = Table::ACTION_READ): bool
+    {
+        return !in_array($link, $this->getScopeForbiddenLinkList($user, $scope, $action));
+    }
+
     /**
      * Whether a user has access to another user over a specific permission.
      *

application/Espo/Core/Record/Access/LinkCheck.php

@@ -291,6 +291,10 @@ class LinkCheck
     {
         $entityType = $entity->getEntityType();
 
+        if (!$this->acl->checkLink($entityType, $link)) {
+            throw new ForbiddenSilent("Link $link is forbidden.");
+        }
+
         /** @var AclTable::ACTION_*|null $action */
         $action = $this->getParam($entityType, $link, 'linkRequiredAccess');
 

schema/metadata/entityDefs.json

@@ -1494,6 +1494,10 @@
                     "type": "boolean",
                     "description": "The link will be hidden from the user on the UI but not disabled."
                 },
+                "disabled": {
+                    "type": "boolean",
+                    "description": "Disables the link."
+                },
                 "apiSpecDisabled": {
                     "type": "boolean",
                     "description": "Do not print the link in the API specification. As of v9.3."

tests/integration/Espo/Core/Acl/AclTest.php

@@ -156,4 +156,24 @@ class AclTest extends BaseTestCase
         $this->assertFalse($acl->checkField(Account::ENTITY_TYPE, 'assignedUser'));
         $this->assertTrue($acl->checkField(Account::ENTITY_TYPE, 'name'));
     }
+
+    public function testDisabledLink(): void
+    {
+        $metadata = $this->getMetadata();
+
+        $metadata->set('entityDefs', 'Account', [
+            'links' => [
+                'opportunities' => [
+                    'disabled' => true,
+                ]
+            ]
+        ]);
+        $metadata->save();
+
+        $this->reCreateApplication();
+
+        $acl = $this->getContainer()->getByClass(Acl::class);
+
+        $this->assertFalse($acl->checkLink('Account', 'opportunities'));
+    }
 }