viscous/espocrm
1
0
Fork 0
mirror of https://github.com/espocrm/espocrm.git synced 2026-06-27 22:46:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix opt out frontend access check

Browse Source
This commit is contained in:
Yurii
2026-05-16 22:07:53 +03:00
parent ac9e135fd5
commit c8b4366e7a
2 changed files with 25 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
application/Espo/Modules/Crm/Tools/TargetList/OptOutService.php
View File

@@ -29,6 +29,7 @@
namespace Espo\Modules\Crm\Tools\TargetList;
use Espo\Core\Acl;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\HookManager;
@@ -52,7 +53,8 @@ class OptOutService
private EntityManager $entityManager,
private MetadataProvider $metadataProvider,
private EntityProvider $entityProvider,
private HookManager $hookManager
private HookManager $hookManager,
private Acl $acl,
) {}
/**
@@ -63,7 +65,7 @@ class OptOutService
*/
public function optOut(string $id, string $targetType, string $targetId): void
{
$targetList = $this->entityProvider->getByClass(TargetList::class, $id);
$targetList = $this->getTargetListForEdit($id);
$target = $this->entityManager->getEntityById($targetType, $targetId);
@@ -101,7 +103,7 @@ class OptOutService
*/
public function cancelOptOut(string $id, string $targetType, string $targetId): void
{
$targetList = $this->entityProvider->getByClass(TargetList::class, $id);
$targetList = $this->getTargetListForEdit($id);
$target = $this->entityManager->getEntityById($targetType, $targetId);
@@ -118,7 +120,6 @@ class OptOutService
$link = $map[$targetType];
$this->entityManager
->getRDBRepository(TargetList::ENTITY_TYPE)
->getRelation($targetList, $link)
->updateColumnsById($targetId, ['optedOut' => false]);
@@ -255,4 +256,19 @@ class OptOutService
{
$this->entityProvider->getByClass(TargetList::class, $id);
}
/**
* @throws Forbidden
* @throws NotFound
*/
private function getTargetListForEdit(string $id): TargetList
{
$targetList = $this->entityProvider->getByClass(TargetList::class, $id);
if (!$this->acl->checkEntityEdit($targetList)) {
throw new Forbidden("No edit access.");
}
return $targetList;
}
}