[Vtigercrm-developers] Sharing Lists

Uma S uma.s at vtiger.com
Wed May 6 06:32:22 GMT 2020


Hi Sukhdev,

I am currently checking this case scenario on the latest master source.
Among the two scenarios you have mentioned:


   - Scenario 1 works perfectly fine: a custom list shared by a lower
   hierarchy role with the CEO is accessible to the CEO.
   - Scenario 2: CEO with admin privilege creates a list and shares it with a
   user whose role is lower; it is accessible, but a reload of the list
   redirects to the All list.


On Tue, May 5, 2020 at 8:40 PM Sukhdev Mohan <s.mohan at myti.it> wrote:

> Hi Uma,
>
> I’ve faced two scenarios:
>
> Scenario 1)
> Commercial role (which is the lowest in the role hierarchy) shared a
> custom list with the CEO. The CEO couldn’t see or access it, from the browser
> or from the link in the left menu.
>
> Scenario 2)
> CEO with admin privilege creates a list and shares it with a user whose role
> is lower than his.
>
> These scenarios occurred in two different contexts but share a common
> problem, this query:
>
> $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>
> Specifically this sub query
>
> (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>
> Basically you are checking that the user who is trying to access the
> list has the same role as the user who created it, by checking their parent
> role.
>
> To solve this problem I had to comment out isPermittedCustomView().
> I’m wondering why you simply don’t check the cv_* tables, where the
> users/groups/roles are defined explicitly.
>
>
>
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <s.mohan at myti.it>
>
>
>
>
> On 5 May 2020, at 13:17, Uma S <uma.s at vtiger.com> wrote:
>
> Hi Sukhdev,
>
> I reviewed the mentioned case with the following case scenario.
>
>    - Created a user (test B) with role CEO; Admin is disabled for this
>    user.
>    - Created a custom list as the Admin user and shared it with user test B.
>    - User test B can access this list when he clicks on the list
>    from the left panel.
>    - Now, if you reload the same list from the browser, it redirects to the
>    All filter.
>
> Do let me know whether this validation is right or not, so that I can
> analyze why the load is redirecting to the All filter.
>
> On Tue, Apr 28, 2020 at 2:57 PM Uma S <uma.s at vtiger.com> wrote:
>
>> Hi Sukhdev,
>>
>> Thanks for the note! Let us review this case and get back to you.
>>
>> On Fri, Apr 24, 2020 at 4:41 PM Sukhdev Mohan <s.mohan at myti.it> wrote:
>>
>>> Hello All,
>>> For another installation we had this problem. This time a CEO shared a
>>> custom view with someone with role Commercial, which is just beneath CEO in
>>> this case. The Commercial user can’t view the list, as
>>> isPermittedCustomView() returns false, and the problem is:
>>>
>>> $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>>>
>>> More specifically this part
>>>
>>> and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>>>
>>> Commercial user has this $current_user_parent_role_seq='H1::H2::H10';
>>>
>>> I’m wondering why on earth you let the user choose with whom to share
>>> the list but don’t let the user the list is shared with see it, unless
>>> they happen to have the same role? Example:
>>> The Commercial role can’t see the custom views the CEO created and shared with
>>> them, because the $current_user_parent_role_seq of a Commercial-type user
>>> includes their own role too, and the CEO’s $current_user_parent_role_seq is H1::H2,
>>> so it is never going to happen that a Commercial user sees anything shared with him by
>>> the CEO. Oh, this works in reverse too: a list created by Commercial and shared
>>> with the CEO can’t possibly be seen by the CEO.
>>> Now the question is why you even have the tables
>>> vtiger_cv2users/role/groups if you aren’t going to check there, where it is
>>> literally written who has access to the custom view. I don’t understand…
>>>
>>>
>>> Best Regards,
>>> Sukhdev Mohan
>>> ———————————
>>> Cel. (+39) 320 7020345
>>> Email s.mohan at myti.it <s.mohan at myti.it>
>>>
>>>
>>>
>>>
>>> On 14 Apr 2020, at 23:14, Sukhdev Mohan <s.mohan at myti.it>
>>> wrote:
>>>
>>> Hello all,
>>>
>>> I’m having some trouble with sharing lists. The workflow the client is
>>> following:
>>> Admin creates a list -> shares it with users
>>>
>>> The user can’t access this list and is redirected to the general list
>>> "All".
>>>
>>> The user with whom the list is shared has role CEO (we had to make everyone CEO
>>> in order for them to assign tasks to any user of any role - a very particular
>>> use case; I’d argue they should review their process), using Vtiger 7.1.
>>>
>>> Debugging, I found this code in modules/CustomView/CustomView.php line
>>> 2007 and following, in function isPermittedCustomView() (can anyone tell
>>> me why so much code is commented out?):
>>>
>>> // Excerpt from isPermittedCustomView(); the closing braces of the
>>> // else and elseif blocks are added below so the fragment is balanced.
>>> elseif ($status == CV_STATUS_PRIVATE || $status == CV_STATUS_PENDING) {
>>>    $log->debug("Entering when status=1 or 2");
>>>    if ($userid == $current_user->id)
>>>       $permission = "yes";
>>>    else {
>>>       /* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')
>>>         { */
>>>       $log->debug("Entering when status=1 or status=2 & action = ListView or $module.Ajax or index");
>>>       // The creator's role ancestry is matched against the current user's
>>>       // parent-role sequence; the share tables are not consulted here.
>>>       $sql = "select vtiger_users.id from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>>>       $result = $adb->pquery($sql, array($record_id));
>>>       while ($row = $adb->fetchByAssoc($result)) {
>>>          $temp_result[] = $row['id'];
>>>       }
>>>       $user_array = $temp_result;
>>>       if (sizeof($user_array) > 0) {
>>>          if (!in_array($current_user->id, $user_array))
>>>             $permission = "no";
>>>          else
>>>             $permission = "yes";
>>>       }
>>>       else
>>>          $permission = "no";
>>>    } // end else
>>> } // end elseif
>>>
>>>
>>> The problem seems the query in this part:
>>>
>>> where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>>>
>>> So when it compiles for my user it becomes this:
>>>
>>>
>>> SELECT
>>>     vtiger_users.id
>>> FROM
>>>     vtiger_customview
>>> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND
>>> vtiger_customview.userid IN(
>>>     SELECT
>>>         vtiger_user2role.userid
>>>     FROM
>>>         vtiger_user2role
>>>     INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
>>>     INNER JOIN vtiger_role ON vtiger_role.roleid =
>>> vtiger_user2role.roleid
>>>     WHERE
>>>         vtiger_role.parentrole LIKE '%H1::H2::%'
>>> )
>>>
>>>
>>> The last ::% makes the query return an empty set. I think before appending
>>> “::%” you should consider whether it’s a specific role or a set of roles and
>>> sub-roles. I’ve tried sharing with just role CEO; still nothing changes… Also in
>>> the past I’ve had problems updating a list which used custom fields in the column list
>>> or condition; the error was just a JSON with a generic error message.
>>>
>>> Any ideas how I can solve without disabling the whole check?
>>>
>>> P.S.
>>> Wouldn’t it be more efficient to do the check directly in the query with
>>> $current_user->id and $current_user->role instead of on the PHP side?
>>>
>>> Best Regards,
>>> Sukhdev Mohan
>>> ———————————
>>> Cel. (+39) 320 7020345
>>> Email s.mohan at myti.it <s.mohan at myti.it>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> http://www.vtiger.com/
>>
>>
>>
>> --
>> With
>> Best Regards
>> Uma.S
>> Vtiger Team
>>
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>
>



-- 
With
Best Regards
Uma.S
Vtiger Team
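The permission query discussed throughout this thread, reproduced as an added example that is not vtiger's code nor the posters' code. It builds a constructed in-memory SQLite schema with the role sequences quoted in the thread (H1 for Admin, H1::H2 for CEO, H1::H2::H10 for Commercial), runs the isPermittedCustomView() query for each of the three sharing scenarios the thread describes, and contrasts it with a check that consults the explicit share tables instead. The vtiger_cv2users and vtiger_cv2role tables and their column names are assumptions modelled on the "cv2users/role/groups" mention in the thread; the role sequence is bound as a parameter rather than concatenated into the SQL string.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data (not from a real vtiger install).

    Role hierarchy: H1 (Admin) > H2 (CEO) > H10 (Commercial), with parentrole
    holding the '::'-joined path to the role itself, as quoted in the thread.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vtiger_users (id INTEGER PRIMARY KEY, user_name TEXT);
        CREATE TABLE vtiger_role (roleid TEXT PRIMARY KEY, parentrole TEXT);
        CREATE TABLE vtiger_user2role (userid INTEGER, roleid TEXT);
        CREATE TABLE vtiger_customview (cvid INTEGER PRIMARY KEY, userid INTEGER);
        -- assumed layouts for the explicit share tables
        CREATE TABLE vtiger_cv2users (cvid INTEGER, userid INTEGER);
        CREATE TABLE vtiger_cv2role (cvid INTEGER, roleid TEXT);
    """)
    conn.executemany("INSERT INTO vtiger_users VALUES (?, ?)",
                     [(1, "admin"), (2, "ceo"), (3, "commercial")])
    conn.executemany("INSERT INTO vtiger_role VALUES (?, ?)",
                     [("H1", "H1"), ("H2", "H1::H2"), ("H10", "H1::H2::H10")])
    conn.executemany("INSERT INTO vtiger_user2role VALUES (?, ?)",
                     [(1, "H1"), (2, "H2"), (3, "H10")])
    # cvid 207: created by Admin, shared with CEO (first post)
    # cvid 208: created by CEO, shared with Commercial (second post)
    # cvid 209: created by Commercial, shared with CEO (scenario 1)
    conn.executemany("INSERT INTO vtiger_customview VALUES (?, ?)",
                     [(207, 1), (208, 2), (209, 3)])
    conn.executemany("INSERT INTO vtiger_cv2users VALUES (?, ?)",
                     [(207, 2), (208, 3), (209, 2)])
    conn.commit()
    return conn


def parent_role_seq(conn, userid):
    """The $current_user_parent_role_seq value for a user."""
    row = conn.execute(
        "SELECT r.parentrole FROM vtiger_user2role ur "
        "JOIN vtiger_role r ON r.roleid = ur.roleid WHERE ur.userid = ?",
        (userid,)).fetchone()
    return row[0]


def legacy_permitted(conn, cvid, current_user_id):
    """The thread's isPermittedCustomView() logic for a private/pending view."""
    creator = conn.execute(
        "SELECT userid FROM vtiger_customview WHERE cvid = ?", (cvid,)).fetchone()
    if creator is None:
        return False
    if creator[0] == current_user_id:   # the $userid == $current_user->id branch
        return True
    seq = parent_role_seq(conn, current_user_id)
    # Same query as the thread; the outer INNER JOIN has no ON clause, so it
    # returns every user id whenever the creator's role path contains seq + '::'.
    rows = conn.execute("""
        SELECT vtiger_users.id FROM vtiger_customview INNER JOIN vtiger_users
        WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN (
            SELECT vtiger_user2role.userid FROM vtiger_user2role
            INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
            INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
            WHERE vtiger_role.parentrole LIKE ?)""",
        (cvid, "%" + seq + "::%")).fetchall()
    user_array = [r[0] for r in rows]
    return current_user_id in user_array   # the in_array() check in PHP


def share_permitted(conn, cvid, current_user_id):
    """Grant access to the creator or to anyone listed in the share tables."""
    row = conn.execute("""
        SELECT 1 FROM vtiger_customview cv
        WHERE cv.cvid = ? AND (
            cv.userid = ?
            OR EXISTS (SELECT 1 FROM vtiger_cv2users s
                       WHERE s.cvid = cv.cvid AND s.userid = ?)
            OR EXISTS (SELECT 1 FROM vtiger_cv2role rs
                       JOIN vtiger_user2role ur ON ur.roleid = rs.roleid
                       WHERE rs.cvid = cv.cvid AND ur.userid = ?))""",
        (cvid, current_user_id, current_user_id, current_user_id)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_demo_db()
    cases = [(207, 2, "Admin's list shared with CEO"),
             (208, 3, "CEO's list shared with Commercial"),
             (209, 2, "Commercial's list shared with CEO")]
    for cvid, uid, label in cases:
        print(f"{label}: legacy={legacy_permitted(db, cvid, uid)} "
              f"share_tables={share_permitted(db, cvid, uid)}")
```

Running it shows why the thread's two directions behave differently: the CEO's sequence H1::H2 plus "::" is a prefix of the Commercial path, so a list created by Commercial is visible to the CEO, whereas H1::H2::H10 followed by "::" matches no role path at all and the Admin path H1 does not contain "H1::H2::", so the other two scenarios are denied regardless of what the share table says. The share-table check answers the same question from the explicit grants, and only the user and role tables are modelled here; a group table would be one more EXISTS clause.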

