fix: check read access before loading data

crm/api/contact.py

@@ -23,11 +23,11 @@ def update_deals_email_mobile_no(doc):
 
 @frappe.whitelist()
 def get_contact(name):
-	Contact = frappe.qb.DocType("Contact")
+	contact = frappe.get_doc("Contact", name)
+	contact.check_permission("read")
 
-	query = frappe.qb.from_(Contact).select("*").where(Contact.name == name).limit(1)
+	contact = contact.as_dict()
 
-	contact = query.run(as_dict=True)
 	if not len(contact):
 		frappe.throw(_("Contact not found"), frappe.DoesNotExistError)
 	contact = contact.pop()

crm/fcrm/doctype/crm_deal/api.py

@@ -6,7 +6,10 @@ from crm.fcrm.doctype.crm_form_script.crm_form_script import get_form_script
 
 @frappe.whitelist()
 def get_deal(name):
-	deal = frappe.get_doc("CRM Deal", name).as_dict()
+	deal = frappe.get_doc("CRM Deal", name)
+	deal.check_permission("read")
+
+	deal = deal.as_dict()
 
 	deal["fields_meta"] = get_fields_meta("CRM Deal")
 	deal["_form_script"] = get_form_script("CRM Deal")

crm/fcrm/doctype/crm_lead/api.py

@@ -6,7 +6,10 @@ from crm.fcrm.doctype.crm_form_script.crm_form_script import get_form_script
 
 @frappe.whitelist()
 def get_lead(name):
-	lead = frappe.get_doc("CRM Lead", name).as_dict()
+	lead = frappe.get_doc("CRM Lead", name)
+	lead.check_permission("read")
+
+	lead = lead.as_dict()
 
 	lead["fields_meta"] = get_fields_meta("CRM Lead")
 	lead["_form_script"] = get_form_script("CRM Lead")