From 0d2a5d985229f9f5cb62fe6844287b0e25c6835b Mon Sep 17 00:00:00 2001
From: Andy Beverley
Date: Sun, 7 Jun 2026 22:07:11 +0100
Subject: [PATCH] Require access to current record for historical (#860)
---
 lib/GADS.pm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lib/GADS.pm b/lib/GADS.pm
index 64238c880..ed51fb8c3 100644
--- a/lib/GADS.pm
+++ b/lib/GADS.pm
@@ -1933,6 +1933,21 @@ any qr{/(record|history|purge|purgehistory)/([0-9]+)} => require_login sub {
 : $action eq 'purgehistory' ? $record->find_deleted_recordid($id) : $record->find_current_id($id);
+ # If it's a historical version, check that the user has access to the
+ # current version. This prevents the scenario whereby a user has a view
+ # limit on a particular condition, which potentially allows them access
+ # to the historical values of the record but not the current version.
+ # For the purposes of consistency, require that they always need access
+ # to the current version
+ if ($action eq 'history')
+ {
+ my $current = GADS::Record->new(
+ user => $user,
+ schema => schema,
+ );
+ # Will bork if no access
+ $current->find_current_id($record->current_id);
+ }
 };
 if ($@)