View access permission not checked in the Dataform view block and resource.

View access permission not checked in the Dataform view block and resource.

Possible solution:
In mod_dataform_dataform::get_content_inline and mod_dataform_dataform::get_content_embedded check that the requested view id exists in the views menu which should contain only views the user can access.

        // Make sure user can access the view

        if (!array_key_exists($viewid, $viewman->views_menu)) {

            return null;

        }