diff --git a/modules/Vtiger/views/ListViewQuickPreview.php b/modules/Vtiger/views/ListViewQuickPreview.php
index 619f085b61cadf6b7391938e3bc8916dd0ada469..04d3505216c8a873a7710d6168094e60682822fe 100644
--- a/modules/Vtiger/views/ListViewQuickPreview.php
+++ b/modules/Vtiger/views/ListViewQuickPreview.php
@@ -15,6 +15,24 @@ class Vtiger_ListViewQuickPreview_View extends Vtiger_Index_View {
 function __construct() {
 parent::__construct();
 }
+
+ function checkPermission(Vtiger_Request $request) {
+ $moduleName = $request->getModule();
+ $recordId = $request->get('record');
+
+ $recordPermission = Users_Privileges_Model::isPermitted($moduleName, 'DetailView', $recordId);
+ if(!$recordPermission) {
+ throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+ }
+
+ if ($recordId) {
+ $recordEntityName = getSalesEntityType($recordId);
+ if ($recordEntityName !== $moduleName) {
+ throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+ }
+ }
+ return true;
+ }
 function process(Vtiger_Request $request) {
diff --git a/modules/Vtiger/views/MergeRecord.php b/modules/Vtiger/views/MergeRecord.php
index ef946cdcdc478570a607e4d022ff481348cb2fdf..3f5411b54dd85e3247bb5f1a71202619ddd63092 100644
--- a/modules/Vtiger/views/MergeRecord.php
+++ b/modules/Vtiger/views/MergeRecord.php
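Review bot: In the new `checkPermission` of ListViewQuickPreview.php the module/record binding is enforced only inside `if ($recordId)`, so a request with no `record` value passes on whatever `isPermitted($moduleName, 'DetailView', '')` returns and never reaches the entity-type comparison. A quick preview is presumably always for one record (`process` continues outside the hunk), so the check should fail closed: `if (!$recordId || getSalesEntityType($recordId) !== $moduleName) { throw new AppException(vtranslate('LBL_PERMISSION_DENIED')); }`. Unlike the MergeRecord change in the same commit, this override also does not call `parent::checkPermission($request)` and is declared without `public`; if the parent check is meant to be replaced rather than extended, a short docblock saying so would help the next reader.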
@@ -9,6 +9,23 @@
 **************************************************************************************/
 class Vtiger_MergeRecord_View extends Vtiger_Popup_View {
+
+ public function checkPermission(Vtiger_Request $request) {
+ parent::checkPermission($request);
+
+ $moduleName = $request->getModule();
+ $actionName = 'EditView';
+
+ $records = $request->get('records');
+ $records = explode(',', $records);
+
+ foreach ($records as $record) {
+ if(!Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {
+ throw new AppException(vtranslate('LBL_PERMISSION_DENIED'));
+ }
+ }
+ }
+
 function process(Vtiger_Request $request) {
 $records = $request->get('records');
 $records = explode(',', $records);
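Review bot: The per-record loop in `checkPermission` checks `isPermitted($moduleName, $actionName, $record)` but never verifies that each id actually belongs to `$moduleName`, which the ListViewQuickPreview change in this same commit does with `getSalesEntityType`. Because `module` and `records` both come from the request, the ids should be bound to the module before the permission result is trusted. An empty `records` value also makes `explode` return `['']`, so the loop then tests an empty id, which presumably falls back to a module-level check. Tightening the condition covers both: `if (!$record || getSalesEntityType($record) !== $moduleName || !Users_Privileges_Model::isPermitted($moduleName, $actionName, $record)) {`. The method also returns nothing, whereas the sibling override returns `true`; ending with `return true;` would keep the two consistent.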