[Vtigercrm-developers] Sharing Lists

Uma S uma.s at vtiger.com
Tue May 5 11:17:41 GMT 2020 

Hi Sukhdev,

I reviewed the mentioned case with the following case scenario.

   - Created user(test B) with Role as CEO and Admin is disabled for this
   user.
   - Created a custom list as Admin user and shared with user (test B)
   - Where test B user can access this list, when he clicks on the list
   from the left panel.
   - Now if you reload the same list from browser load, It redirects to All
   filter.

Do let me know if the validation is right or not, for me to analyze why
load is redirecting to All filters.

On Tue, Apr 28, 2020 at 2:57 PM Uma S <uma.s at vtiger.com> wrote:

> Hi Sukhdev,
>
> Thanks! for the note.Let us review this case and get back to you.
>
> On Fri, Apr 24, 2020 at 4:41 PM Sukhdev Mohan <s.mohan at myti.it> wrote:
>
>> Hello All,
>> For another installation we had this problem. This Time a CEO shared a
>> custom view with someone with role Commercial, which just beneath CEO in
>> this Case. The Commercial user can’t view the List as
>> isPermittedCustomView() return false and the problem is:
>>
>> $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>>
>> More specifically this part
>>
>> and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>>
>> Commercial user has this $current_user_parent_role_seq='H1::H2::H10';
>>
>> I’m wondering why on earth you let the user choose with whom to share the
>> list but not let the user whom the list is shared with see it, unless they
>> happen to have the save role? Ex:
>> Commercial role can’t see the Custom views CEO created and shared with
>> them because the $current_user_parent_role_seq pf commercia type user
>> includes their role too, and CEO’s $current_user_parent_role_seq is H1::H2,
>> never going to happen that Commercial user see anything shared to him by
>> CEO. Oh this works in reverse too: a list created by Commercial and shared
>> with CEO can’t be possibly seen by CEO.
>> Now the question is why do you even have the table
>> tiger_cv2users/role/groups if you aren’t going to check there, where is
>> literally written who have access to the custom view. I don’t understand…
>>
>>
>> Best Regards,
>> Sukhdev Mohan
>> ———————————
>> Cel. (+39) 320 7020345
>> Email s.mohan at myti.it <s.mohan at myti.it>
>>
>>
>>
>>
>> Il giorno 14 apr 2020, alle ore 23:14, Sukhdev Mohan <s.mohan at myti.it>
>> ha scritto:
>>
>>  Hello all,
>>
>> I’m having some trouble with sharing lists. The workflow the client is
>> following:
>> Admin creates lista -> shares it with users
>>
>> The User can’t access this list and is redirected to the general list all.
>>
>> User with whom the list is shared have role CEO (we had to make all CEO
>> in order for them to assign tasks to any user of any role - very particular
>> use case, I’d argue they should review their process), using Vtiger 7.1
>>
>> Debugging I found this code in modules/CutomView/CustomView.php line 2007
>> and following in function isPermittedCustomView(), (any one can tell me why
>> so much code is commented out?)
>>
>> elseif ($status == CV_STATUS_PRIVATE || $status == CV_STATUS_PENDING) {
>>    $log->debug("Entering when status=1 or 2");
>>    if ($userid == $current_user->id)
>>       $permission = "yes";
>>    else {
>>       /* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')
>>         { */
>>       $log->debug("Entering when status=1 or status=2 & action = ListView or $module.Ajax or index");
>>       $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>>       $result = $adb->pquery($sql, array($record_id));
>>       while ($row = $adb->fetchByAssoc($result)) {
>>          $temp_result[] = $row['id'];
>>       }
>>       $user_array = $temp_result;
>>       if (sizeof($user_array) > 0) {
>>          if (!in_array($current_user->id, $user_array))
>>             $permission = "no";
>>          else
>>             $permission = "yes";
>>       }
>>       else
>>          $permission = "no";
>>
>>
>> The problem seems the query in this part:
>>
>> where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>>
>> So when it compiles for my user it becomes this:
>>
>>
>> SELECT
>>     vtiger_users.id
>> FROM
>>     vtiger_customview
>> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND
>> vtiger_customview.userid IN(
>>     SELECT
>>         vtiger_user2role.userid
>>     FROM
>>         vtiger_user2role
>>     INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
>>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>>     WHERE
>>         vtiger_role.parentrole LIKE '%H1::H2::%'
>> )
>>
>>
>> The last ::% makes the query return empty set. I think before appending
>> “::%”  you should consider if it’s a specific role or a set of roles and
>> sub. I’ve tried sharing with just role CEO still nothing changes… Also in
>> past I’ve had problem updating list which used custom fields in column list
>> or condition, error was just a json with generic error message.
>>
>> Any ideas how I can solve without disabling the whole check?
>>
>> P.S.
>> Wouldn’t be more efficient doing check in query directly
>> $current_user->id and $current_user->role instead of doing on PHP side?
>>
>> Best Regards,
>> Sukhdev Mohan
>> ———————————
>> Cel. (+39) 320 7020345
>> Email s.mohan at myti.it <s.mohan at myti.it>
>>
>>
>>
>>
>>
>> _______________________________________________
>> http://www.vtiger.com/
>
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>


-- 
With
Best Regards
Uma.S
Vtiger Team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200505/20076c99/attachment.html>

More information about the vtigercrm-developers mailing list