diff --git a/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php b/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
index 88c215c0cc..60ec922330 100644
--- a/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
+++ b/application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
@@ -29,6 +29,7 @@
 namespace Espo\Modules\Crm\Tools\TargetList;
+use Espo\Core\Acl;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Exceptions\NotFound;
 use Espo\Core\HookManager;
@@ -52,7 +53,8 @@ class OptOutService
 private EntityManager $entityManager,
 private MetadataProvider $metadataProvider,
 private EntityProvider $entityProvider,
- private HookManager $hookManager
+ private HookManager $hookManager,
+ private Acl $acl,
 ) {}
 /**
@@ -63,7 +65,7 @@ class OptOutService
 */
 public function optOut(string $id, string $targetType, string $targetId): void
 {
- $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+ $targetList = $this->getTargetListForEdit($id);
 $target = $this->entityManager->getEntityById($targetType, $targetId);
@@ -101,7 +103,7 @@ class OptOutService
 */
 public function cancelOptOut(string $id, string $targetType, string $targetId): void
 {
- $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+ $targetList = $this->getTargetListForEdit($id);
 $target = $this->entityManager->getEntityById($targetType, $targetId);
@@ -118,7 +120,6 @@ class OptOutService
 $link = $map[$targetType];
 $this->entityManager
- ->getRDBRepository(TargetList::ENTITY_TYPE)
 ->getRelation($targetList, $link)
 ->updateColumnsById($targetId, ['optedOut' => false]);
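Review bot: In `optOut()` (hunk `-63,7 +65,7`) the new `getTargetListForEdit($id)` call authorizes only the target list; the next visible line still loads `$target` with `$this->entityManager->getEntityById($targetType, $targetId)`, which goes straight to the ORM and, as far as this hunk shows, applies no ACL check to the target record. The method body continues outside the hunk, so this may be handled further down; if it is not, a user with edit access to one list could change opt-out state for a record they are not allowed to read. Once `$target` is known to be non-null, consider `if (!$this->acl->checkEntityRead($target)) { throw new Forbidden(); }`. The `cancelOptOut()` hunk at `-101,7 +103,7` has the same pattern and needs the same check.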
@@ -255,4 +256,19 @@ class OptOutService
 {
 $this->entityProvider->getByClass(TargetList::class, $id);
 }
+
+ /**
+ * @throws Forbidden
+ * @throws NotFound
+ */
+ private function getTargetListForEdit(string $id): TargetList
+ {
+ $targetList = $this->entityProvider->getByClass(TargetList::class, $id);
+
+ if (!$this->acl->checkEntityEdit($targetList)) {
+ throw new Forbidden("No edit access.");
+ }
+
+ return $targetList;
+ }
 }
diff --git a/client/modules/crm/src/views/target-list/record/row-actions/default.js b/client/modules/crm/src/views/target-list/record/row-actions/default.js
index c65702f8b7..23ba662d62 100644
--- a/client/modules/crm/src/views/target-list/record/row-actions/default.js
+++ b/client/modules/crm/src/views/target-list/record/row-actions/default.js
@@ -33,7 +33,11 @@ define('crm:views/target-list/record/row-actions/default', ['views/record/row-ac
 getActionList: function () {
 const list = Dep.prototype.getActionList.call(this);
- if (this.options.acl.edit) {
+ if (
+ this.model.collection &&
+ this.model.collection.parentModel &&
+ this.getAcl().checkModel(this.model.collection.parentModel, 'edit')
+ ) {
 if (this.model.get('targetListIsOptedOut')) {
 list.push({
 action: 'cancelOptOut',
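Review bot: The docblock on `getTargetListForEdit()` lists only `@throws` tags and does not state the authorization contract, which is the reason the helper exists. A one-line summary such as `Loads the target list and requires edit access; every method that changes opt-out state must obtain the list through this helper.` would make that explicit for the next person adding a mutating method. The context lines at the top of this hunk show another method that still calls `getByClass()` directly; its signature is outside the hunk, so confirm it is a read-only path. A regression test that expects `Forbidden` from `optOut()` and `cancelOptOut()` for a user without edit access would pin the fix.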
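Review bot: The new condition in `getActionList` carries no comment explaining why the parent model is checked instead of `this.options.acl.edit`, so a later cleanup could revert it without noticing the intent. A comment above the `if (` such as `// Opt-out state belongs to the parent target list, so gate on its edit access; the server enforces this as well.` would record that. When `collection.parentModel` is absent the opt-out actions are now hidden for every user, which looks intentional but is worth confirming for views that render these rows outside a target list panel. `getActionList` continues outside the hunk.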