Refactored access control on user-save operation.

modules/Users/actions/Save.php

@@ -15,8 +15,22 @@ class Users_Save_Action extends Vtiger_Save_Action {
 		$record = $request->get('record');
 		$recordModel = Vtiger_Record_Model::getInstanceById($record, $moduleName);
 		$currentUserModel = Users_Record_Model::getCurrentUserModel();
-		if(!Users_Privileges_Model::isPermitted($moduleName, 'Save', $record) || ($recordModel->isAccountOwner() && 
-							$currentUserModel->get('id') != $recordModel->getId() && !$currentUserModel->isAdminUser())) {
+
+		// Check for operation access.
+		$allowed = Users_Privileges_Model::isPermitted($moduleName, 'Save', $record);
+		
+		if ($allowed) {
+			// Deny access if not administrator or account-owner or self
+			if(!$currentUserModel->isAdminUser()) {
+				if (empty($record)) {
+					$allowed = false;
+				} else if (!$recordModel->isAccountOwner() || ($currentUserModel->get('id') != $recordModel->getId())) {
+					$allowed = false;
+				}
+			}
+		}
+
+		if(!$allowed) {
 			throw new AppException('LBL_PERMISSION_DENIED');
 		}
 	}

[Prasad]

Also add fix 88716121 and 59d831f0