[Vtigercrm-developers] Sharing Lists

Sukhdev Mohan s.mohan at myti.it
Fri Apr 24 11:07:44 GMT 2020


Hello All,
For another installation we had this problem. This Time a CEO shared a custom view with someone with role Commercial, which just beneath CEO in this Case. The Commercial user can’t view the List as isPermittedCustomView() return false and the problem is:

$sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
More specifically this part
and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
Commercial user has this $current_user_parent_role_seq='H1::H2::H10';

I’m wondering why on earth you let the user choose with whom to share the list but not let the user whom the list is shared with see it, unless they happen to have the save role? Ex:
Commercial role can’t see the Custom views CEO created and shared with them because the $current_user_parent_role_seq pf commercia type user includes their role too, and CEO’s $current_user_parent_role_seq is H1::H2, never going to happen that Commercial user see anything shared to him by CEO. Oh this works in reverse too: a list created by Commercial and shared with CEO can’t be possibly seen by CEO.
Now the question is why do you even have the table tiger_cv2users/role/groups if you aren’t going to check there, where is literally written who have access to the custom view. I don’t understand… 


Best Regards,
Sukhdev Mohan
———————————
Cel. (+39) 320 7020345
Email s.mohan at myti.it




> Il giorno 14 apr 2020, alle ore 23:14, Sukhdev Mohan <s.mohan at myti.it> ha scritto:
> 
>  Hello all,
> 
> I’m having some trouble with sharing lists. The workflow the client is following:
> Admin creates lista -> shares it with users
> 
> The User can’t access this list and is redirected to the general list all.
> 
> User with whom the list is shared have role CEO (we had to make all CEO in order for them to assign tasks to any user of any role - very particular use case, I’d argue they should review their process), using Vtiger 7.1
> 
> Debugging I found this code in modules/CutomView/CustomView.php line 2007 and following in function isPermittedCustomView(), (any one can tell me why so much code is commented out?)
> 
> elseif ($status == CV_STATUS_PRIVATE || $status == CV_STATUS_PENDING) {
>    $log->debug("Entering when status=1 or 2");
>    if ($userid == $current_user->id)
>       $permission = "yes";
>    else {
>       /* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')
>         { */
>       $log->debug("Entering when status=1 or status=2 & action = ListView or $module.Ajax or index");
>       $sql = "select vtiger_users.id <http://vtiger_users.id/> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>       $result = $adb->pquery($sql, array($record_id));
>       while ($row = $adb->fetchByAssoc($result)) {
>          $temp_result[] = $row['id'];
>       }
>       $user_array = $temp_result;
>       if (sizeof($user_array) > 0) {
>          if (!in_array($current_user->id, $user_array))
>             $permission = "no";
>          else
>             $permission = "yes";
>       }
>       else
>          $permission = "no";
> 
> The problem seems the query in this part:
> where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
> So when it compiles for my user it becomes this:
> 
> 
> SELECT
>     vtiger_users.id <http://vtiger_users.id/>
> FROM
>     vtiger_customview
> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND vtiger_customview.userid IN(
>     SELECT
>         vtiger_user2role.userid
>     FROM
>         vtiger_user2role
>     INNER JOIN vtiger_users ON vtiger_users.id <http://vtiger_users.id/> = vtiger_user2role.userid
>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>     WHERE
>         vtiger_role.parentrole LIKE '%H1::H2::%'
> )
> 
> 
> The last ::% makes the query return empty set. I think before appending “::%”  you should consider if it’s a specific role or a set of roles and sub. I’ve tried sharing with just role CEO still nothing changes… Also in past I’ve had problem updating list which used custom fields in column list or condition, error was just a json with generic error message.
> 
> Any ideas how I can solve without disabling the whole check?
> 
> P.S. 
> Wouldn’t be more efficient doing check in query directly $current_user->id and $current_user->role instead of doing on PHP side? 
> 
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
> 
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200424/ea315995/attachment-0001.html>


More information about the vtigercrm-developers mailing list