Make tokens and the EMS obey the token's view permissions. Fixes bug #11583

docs/changelog/7.x.x.txt

@@ -4,6 +4,7 @@
  - fixed #11578: Collaboration System: add edit stamp uses wrong user
  - added #9774: More owner information in the gallery
  - fixed #11581: Calendar problems
+ - fixed #11583: EMS: Tokens do not follow their permissions
 
 7.9.5
  - Asset->www_copy now has a progress bar

lib/WebGUI/Asset/Sku/EMSToken.pm

@@ -233,7 +233,7 @@ Takes form variable badgeId and add the token to the cart.
 
 sub www_addToCart {
 	my ($self) = @_;
-	return $self->session->privilege->noAccess() unless $self->getParent->canView;
+	return $self->session->privilege->noAccess() unless $self->getParent->canView && $self->canView;
 	my $badgeId = $self->session->form->get('badgeId');
 	$self->addToCart({badgeId=>$badgeId});
 	return $self->getParent->www_buildBadge($badgeId);

lib/WebGUI/Asset/Wobject/EventManagementSystem.pm

@@ -1957,7 +1957,8 @@ sub www_getTokensAsJson {
     my ($db, $form) = $session->quick(qw(db form));
     my %results = ();
     $results{records} = [];  ##Initialize to an empty array
-	foreach my $token (@{$self->getTokens}) {
+	TOKEN: foreach my $token (@{$self->getTokens}) {
+        next TOKEN unless $token->canView;
 		push(@{$results{records}}, {
 			title 				=> $token->getTitle,
 			description			=> $token->get('description'),