Fix opt out frontend access check

2026-06-27 22:46:04 +00:00 · 2026-05-16 22:07:53 +03:00
parent ac9e135fd5
commit c8b4366e7a
2 changed files with 25 additions and 5 deletions
--- a/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
+++ b/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
@@ -29,6 +29,7 @@

 namespace Espo\Modules\Crm\Tools\TargetList;

+use Espo\Core\Acl;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Exceptions\NotFound;
 use Espo\Core\HookManager;
@@ -52,7 +53,8 @@ class OptOutService
        private EntityManager $entityManager,
        private MetadataProvider $metadataProvider,
        private EntityProvider $entityProvider,
-        private HookManager $hookManager
+        private HookManager $hookManager,
+        private Acl $acl,
    ) {}

    /**
@@ -63,7 +65,7 @@ class OptOutService
     */
    public function optOut(string $id, string $targetType, string $targetId): void
    {
-        $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+        $targetList = $this->getTargetListForEdit($id);

        $target = $this->entityManager->getEntityById($targetType, $targetId);

@@ -101,7 +103,7 @@ class OptOutService
     */
    public function cancelOptOut(string $id, string $targetType, string $targetId): void
    {
-        $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+        $targetList = $this->getTargetListForEdit($id);

        $target = $this->entityManager->getEntityById($targetType, $targetId);

@@ -118,7 +120,6 @@ class OptOutService
        $link = $map[$targetType];

        $this->entityManager
-            ->getRDBRepository(TargetList::ENTITY_TYPE)
            ->getRelation($targetList, $link)
            ->updateColumnsById($targetId, ['optedOut' => false]);

@@ -255,4 +256,19 @@ class OptOutService
    {
        $this->entityProvider->getByClass(TargetList::class, $id);
    }
+
+    /**
+     * @throws Forbidden
+     * @throws NotFound
+     */
+    private function getTargetListForEdit(string $id): TargetList
+    {
+        $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+
+        if (!$this->acl->checkEntityEdit($targetList)) {
+            throw new Forbidden("No edit access.");
+        }
+
+        return $targetList;
+    }
 }
--- a/client/modules/crm/src/views/target-list/record/row-actions/default.js
+++ b/client/modules/crm/src/views/target-list/record/row-actions/default.js
@@ -33,7 +33,11 @@ define('crm:views/target-list/record/row-actions/default', ['views/record/row-ac
        getActionList: function () {
            const list = Dep.prototype.getActionList.call(this);

-            if (this.options.acl.edit) {
+            if (
+                this.model.collection &&
+                this.model.collection.parentModel &&
+                this.getAcl().checkModel(this.model.collection.parentModel, 'edit')
+            ) {
                if (this.model.get('targetListIsOptedOut')) {
                    list.push({
                        action: 'cancelOptOut',