[Vtigercrm-developers] Sharing Lists

Uma S uma.s at vtiger.com
Tue Apr 28 09:27:15 GMT 2020


Hi Sukhdev,

Thanks for the note. Let us review this case and get back to you.

On Fri, Apr 24, 2020 at 4:41 PM Sukhdev Mohan <s.mohan at myti.it> wrote:

> Hello All,
> For another installation we had this problem. This time a CEO shared a
> custom view with someone with role Commercial, which is just beneath CEO in
> this case. The Commercial user can’t view the list as
> isPermittedCustomView() returns false and the problem is:
>
> $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>
> More specifically this part
>
> and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>
> Commercial user has this $current_user_parent_role_seq='H1::H2::H10';
>
> I’m wondering why on earth you let the user choose with whom to share the
> list but not let the user whom the list is shared with see it, unless they
> happen to have the same role? Ex:
> Commercial role can’t see the custom views CEO created and shared with
> them because the $current_user_parent_role_seq of a Commercial type user
> includes their role too, and CEO’s $current_user_parent_role_seq is H1::H2,
> so it is never going to happen that a Commercial user sees anything shared with
> him by CEO. Oh this works in reverse too: a list created by Commercial and shared
> with CEO can’t possibly be seen by CEO.
> Now the question is why do you even have the table
> vtiger_cv2users/role/groups if you aren’t going to check there, where it is
> literally written who has access to the custom view. I don’t understand…
>
>
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <s.mohan at myti.it>
>
>
>
>
> On 14 Apr 2020, at 23:14, Sukhdev Mohan <s.mohan at myti.it> wrote:
>
>  Hello all,
>
> I’m having some trouble with sharing lists. The workflow the client is
> following:
> Admin creates list -> shares it with users
>
> The User can’t access this list and is redirected to the general list all.
>
> User with whom the list is shared has role CEO (we had to make all CEO in
> order for them to assign tasks to any user of any role - very particular
> use case, I’d argue they should review their process), using Vtiger 7.1
>
> Debugging I found this code in modules/CustomView/CustomView.php line 2007
> and following in function isPermittedCustomView(), (can anyone tell me why
> so much code is commented out?)
>
> elseif ($status == CV_STATUS_PRIVATE || $status == CV_STATUS_PENDING) {
>    $log->debug("Entering when status=1 or 2");
>    if ($userid == $current_user->id)
>       $permission = "yes";
>    else {
>       /* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')
>         { */
>       $log->debug("Entering when status=1 or status=2 & action = ListView or $module.Ajax or index");
>       $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>       $result = $adb->pquery($sql, array($record_id));
>       while ($row = $adb->fetchByAssoc($result)) {
>          $temp_result[] = $row['id'];
>       }
>       $user_array = $temp_result;
>       if (sizeof($user_array) > 0) {
>          if (!in_array($current_user->id, $user_array))
>             $permission = "no";
>          else
>             $permission = "yes";
>       }
>       else
>          $permission = "no";
>
>
> The problem seems to be the query in this part:
>
> where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>
> So when it compiles for my user it becomes this:
>
>
> SELECT
>     vtiger_users.id
> FROM
>     vtiger_customview
> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND
> vtiger_customview.userid IN(
>     SELECT
>         vtiger_user2role.userid
>     FROM
>         vtiger_user2role
>     INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>     WHERE
>         vtiger_role.parentrole LIKE '%H1::H2::%'
> )
>
>
> The last ::% makes the query return an empty set. I think before appending
> “::%” you should consider if it’s a specific role or a set of roles and
> sub. I’ve tried sharing with just role CEO, still nothing changes… Also in the
> past I’ve had problems updating lists which used custom fields in column list
> or condition; the error was just a JSON with a generic error message.
>
> Any ideas how I can solve this without disabling the whole check?
>
> P.S.
> Wouldn’t it be more efficient to do the check in the query directly with
> $current_user->id and $current_user->role instead of doing it on the PHP side?
>
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <s.mohan at myti.it>
>
>
>
>
>



-- 
With
Best Regards
Uma.S
Vtiger Team
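
Added example (not part of the thread, and not vtiger's code): the two denied cases from the quoted messages, replayed against a constructed SQLite miniature of the tables, next to a hypothetical share-table lookup of the kind the poster asks about. The column sets, the ids and the functions build_db, owner_below_viewer, shared_explicitly and may_view are assumptions made for illustration.

```python
import sqlite3

# Constructed miniature of the tables named in the thread. Column sets are
# assumptions reduced to what the check needs, not the real vtiger schema.
SCHEMA = """
CREATE TABLE vtiger_role (roleid TEXT, parentrole TEXT);
CREATE TABLE vtiger_user2role (userid INTEGER, roleid TEXT);
CREATE TABLE vtiger_customview (cvid INTEGER, userid INTEGER);
CREATE TABLE vtiger_cv2users (cvid INTEGER, userid INTEGER);
INSERT INTO vtiger_role VALUES ('H2', 'H1::H2'), ('H10', 'H1::H2::H10');
-- users 1 and 3 hold the CEO role, users 2 and 4 the Commercial role
INSERT INTO vtiger_user2role VALUES (1, 'H2'), (3, 'H2'), (2, 'H10'), (4, 'H10');
INSERT INTO vtiger_customview VALUES (10, 1);         -- view 10 is owned by user 1
INSERT INTO vtiger_cv2users VALUES (10, 2), (10, 3);  -- shared with users 2 and 3
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def owner_below_viewer(db, cvid, viewer_role_seq):
    """Reduced form of the quoted query: does the view's owner hold a role
    whose parentrole path continues past the viewer's own path?"""
    pattern = "%" + viewer_role_seq + "::%"  # bound as a parameter, not concatenated
    return db.execute(
        """SELECT 1 FROM vtiger_customview cv
           JOIN vtiger_user2role u2r ON u2r.userid = cv.userid
           JOIN vtiger_role r ON r.roleid = u2r.roleid
           WHERE cv.cvid = ? AND r.parentrole LIKE ?""",
        (cvid, pattern)).fetchone() is not None

def shared_explicitly(db, cvid, viewer_id):
    """Hypothetical extra check: is the viewer listed in the share table?"""
    return db.execute(
        "SELECT 1 FROM vtiger_cv2users WHERE cvid = ? AND userid = ?",
        (cvid, viewer_id)).fetchone() is not None

def may_view(db, cvid, viewer_id, viewer_role_seq):
    # Grant on an explicit share first, then fall back to the hierarchy test.
    return (shared_explicitly(db, cvid, viewer_id)
            or owner_below_viewer(db, cvid, viewer_role_seq))

if __name__ == "__main__":
    db = build_db()
    for uid, seq in [(2, "H1::H2::H10"), (3, "H1::H2"), (4, "H1::H2::H10")]:
        print(uid, owner_below_viewer(db, 10, seq), may_view(db, 10, uid, seq))
```

The hierarchy test alone denies both the Commercial viewer and the second CEO-role viewer, because the owner's path H1::H2 never contains the viewer's path followed by "::". Only the share-table lookup distinguishes user 2 (shared) from user 4 (not shared).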