Added some belt and braces ACL checks on form submission (corner case…

… if spoof checking disabled)

components/com_fabrik/controllers/form.php

@@ -185,7 +185,7 @@ public function process()
 		$profiler = JProfiler::getInstance('Application');
 		JDEBUG ? $profiler->mark('controller process: start') : null;
 
-		$app = JFactory::getApplication();
+		$app   = JFactory::getApplication();
 		$input = $app->input;
 
 		if ($input->get('format', '') == 'raw')
@@ -204,8 +204,29 @@ public function process()
 
 		$model->setId($input->getInt('formid', 0));
 		$model->packageId = $input->getInt('packageId');
-		$this->isMambot = $input->get('isMambot', 0);
-		$model->rowId = $input->get('rowid', '', 'string');
+		$this->isMambot   = $input->get('isMambot', 0);
+		$model->rowId     = $input->get('rowid', '', 'string');
+		$listModel        = $model->getListModel();
+
+		// Do some ACL sanity checks
+
+		$aclOK            = false;
+
+		if ($model->isNewRecord() && $listModel->canAdd())
+		{
+			$aclOK = true;
+		}
+		else if (!$model->isNewRecord() && $listModel->canEdit(new stdClass()))
+		{
+			$aclOK = true;
+		}
+
+		if (!$aclOK)
+		{
+			$msg = $model->aclMessage(true);
+			$app->enqueueMessage($msg);
+			return;
+		}
 
 		/**
 		 * $$$ hugh - need this in plugin manager to be able to treat a "Copy" form submission

components/com_fabrik/models/form.php

@@ -5139,13 +5139,15 @@ public function showACLMsg()
 	 * If trying to add/edit a record when the user doesn't have rights to do so,
 	 * what message, if any should we show.
 	 *
+	 * @param  bool  $force  if true don't check if messages suppressed
+	 *
 	 * @since  3.0.7
 	 *
 	 * @return string
 	 */
-	public function aclMessage()
+	public function aclMessage($force = false)
 	{
-		if (!$this->showACLMsg())
+		if (!$force && !$this->showACLMsg())
 		{
 			return '';
 		}