[Vtigercrm-developers] Sharing Lists

Sukhdev Mohan s.mohan at myti.it
Wed May 6 09:53:48 GMT 2020


Hi Uma,

Please refer to my first email in this thread. I solved by changing the appending in that installation.

Now for both of the installation I’m facing a problem with editing the lists… Owner of the list can’t update ant parameters they set, if it involves custom fields both in the column list and in condition form… 
Best Regards,
Sukhdev Mohan
———————————
Cel. (+39) 320 7020345
Email s.mohan at myti.it




> Il giorno 6 mag 2020, alle ore 08:32, Uma S <uma.s at vtiger.com> ha scritto:
> 
> Hi Sukhdev,
> 
> I am currently checking his case scenario on the latest master source. Among the two scenarios you have mentioned
> 
> Scenario1 works perfectly fine, custom list shared by lower hierarchy role to CEO is accessible to CEO.
> Scenario2 CEO with admin privilege creates a list and shares with user role lower than is accessible, But reload of list redirects to All list.
> 
> On Tue, May 5, 2020 at 8:40 PM Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> wrote:
> Hi Uma,
> 
> I’ve faced two scenarios: 
> 
> Scenario 1)
> Commercial role (which is the lowest in the role hierarchy) shared a custom list with CEO. CEO couldn’t see or access it, from browser or link in the left menu.
> 
> Scenario 2)
> CEO with admin privilege creates a list and shares with a user with role lower than him.
> 
> These scenario occurred in two different contests but share the common problem this query: 
>> $sql = "select vtiger_users.id <http://vtiger_users.id/> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
> 
> 
> Specifically this sub query
> 
>> (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
> 
> Basically you guys are checking that the user who is trying to access the list has the same role as the user who created it by checking their parent role.
> 
> To solve this problem I had to comment out the the isPermittedCustomView() . I’m wondering you simply don’t check the cv_* tables where are defined the users/groups/roles are defined explicitly.
> 
> 
> 
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
> 
> 
> 
> 
>> Il giorno 5 mag 2020, alle ore 13:17, Uma S <uma.s at vtiger.com <mailto:uma.s at vtiger.com>> ha scritto:
>> 
>> Hi Sukhdev,
>> 
>> I reviewed the mentioned case with the following case scenario.
>> Created user(test B) with Role as CEO and Admin is disabled for this user.
>> Created a custom list as Admin user and shared with user (test B)
>> Where test B user can access this list, when he clicks on the list from the left panel.
>> Now if you reload the same list from browser load, It redirects to All filter.
>> Do let me know if the validation is right or not, for me to analyze why load is redirecting to All filters.
>> 
>> On Tue, Apr 28, 2020 at 2:57 PM Uma S <uma.s at vtiger.com <mailto:uma.s at vtiger.com>> wrote:
>> Hi Sukhdev,
>> 
>> Thanks! for the note.Let us review this case and get back to you.
>> 
>> On Fri, Apr 24, 2020 at 4:41 PM Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> wrote:
>> Hello All,
>> For another installation we had this problem. This Time a CEO shared a custom view with someone with role Commercial, which just beneath CEO in this Case. The Commercial user can’t view the List as isPermittedCustomView() return false and the problem is:
>> 
>> $sql = "select vtiger_users.id <http://vtiger_users.id/> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>> More specifically this part
>> and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>> Commercial user has this $current_user_parent_role_seq='H1::H2::H10';
>> 
>> I’m wondering why on earth you let the user choose with whom to share the list but not let the user whom the list is shared with see it, unless they happen to have the save role? Ex:
>> Commercial role can’t see the Custom views CEO created and shared with them because the $current_user_parent_role_seq pf commercia type user includes their role too, and CEO’s $current_user_parent_role_seq is H1::H2, never going to happen that Commercial user see anything shared to him by CEO. Oh this works in reverse too: a list created by Commercial and shared with CEO can’t be possibly seen by CEO.
>> Now the question is why do you even have the table tiger_cv2users/role/groups if you aren’t going to check there, where is literally written who have access to the custom view. I don’t understand… 
>> 
>> 
>> Best Regards,
>> Sukhdev Mohan
>> ———————————
>> Cel. (+39) 320 7020345
>> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
>> 
>> 
>> 
>> 
>>> Il giorno 14 apr 2020, alle ore 23:14, Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> ha scritto:
>>> 
>>>  Hello all,
>>> 
>>> I’m having some trouble with sharing lists. The workflow the client is following:
>>> Admin creates lista -> shares it with users
>>> 
>>> The User can’t access this list and is redirected to the general list all.
>>> 
>>> User with whom the list is shared have role CEO (we had to make all CEO in order for them to assign tasks to any user of any role - very particular use case, I’d argue they should review their process), using Vtiger 7.1
>>> 
>>> Debugging I found this code in modules/CutomView/CustomView.php line 2007 and following in function isPermittedCustomView(), (any one can tell me why so much code is commented out?)
>>> 
>>> elseif ($status == CV_STATUS_PRIVATE || $status == CV_STATUS_PENDING) {
>>>    $log->debug("Entering when status=1 or 2");
>>>    if ($userid == $current_user->id)
>>>       $permission = "yes";
>>>    else {
>>>       /* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')
>>>         { */
>>>       $log->debug("Entering when status=1 or status=2 & action = ListView or $module.Ajax or index");
>>>       $sql = "select vtiger_users.id <http://vtiger_users.id/> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on vtiger_users.id <http://vtiger_users.id/>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')";
>>>       $result = $adb->pquery($sql, array($record_id));
>>>       while ($row = $adb->fetchByAssoc($result)) {
>>>          $temp_result[] = $row['id'];
>>>       }
>>>       $user_array = $temp_result;
>>>       if (sizeof($user_array) > 0) {
>>>          if (!in_array($current_user->id, $user_array))
>>>             $permission = "no";
>>>          else
>>>             $permission = "yes";
>>>       }
>>>       else
>>>          $permission = "no";
>>> 
>>> The problem seems the query in this part:
>>> where vtiger_role.parentrole like '%" . $current_user_parent_role_seq . "::%')
>>> So when it compiles for my user it becomes this:
>>> 
>>> 
>>> SELECT
>>>     vtiger_users.id <http://vtiger_users.id/>
>>> FROM
>>>     vtiger_customview
>>> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND vtiger_customview.userid IN(
>>>     SELECT
>>>         vtiger_user2role.userid
>>>     FROM
>>>         vtiger_user2role
>>>     INNER JOIN vtiger_users ON vtiger_users.id <http://vtiger_users.id/> = vtiger_user2role.userid
>>>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>>>     WHERE
>>>         vtiger_role.parentrole LIKE '%H1::H2::%'
>>> )
>>> 
>>> 
>>> The last ::% makes the query return empty set. I think before appending “::%”  you should consider if it’s a specific role or a set of roles and sub. I’ve tried sharing with just role CEO still nothing changes… Also in past I’ve had problem updating list which used custom fields in column list or condition, error was just a json with generic error message.
>>> 
>>> Any ideas how I can solve without disabling the whole check?
>>> 
>>> P.S. 
>>> Wouldn’t be more efficient doing check in query directly $current_user->id and $current_user->role instead of doing on PHP side? 
>>> 
>>> Best Regards,
>>> Sukhdev Mohan
>>> ———————————
>>> Cel. (+39) 320 7020345
>>> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
>>> 
>>> 
>>> 
>>> 
>> 
>> _______________________________________________
>> http://www.vtiger.com/ <http://www.vtiger.com/>
>> 
>> -- 
>> With
>> Best Regards
>> Uma.S
>> Vtiger Team
>> 
>> 
>> -- 
>> With
>> Best Regards
>> Uma.S
>> Vtiger Team
>> _______________________________________________
>> http://www.vtiger.com/ <http://www.vtiger.com/>
> _______________________________________________
> http://www.vtiger.com/ <http://www.vtiger.com/>
> 
> -- 
> With
> Best Regards
> Uma.S
> Vtiger Team
> _______________________________________________
> http://www.vtiger.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200506/0ce85e87/attachment-0001.html>


More information about the vtigercrm-developers mailing list