[Vtigercrm-developers] Sharing Lists
Sukhdev Mohan
s.mohan at myti.it
Fri May 15 20:44:38 GMT 2020
Hi Uma,
Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.
In one of the installations we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.
The problem seems in CustomView.php in the function isPermittedCustomView specifically in the query:
SELECT
vtiger_users.id
FROM
vtiger_customview
INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(
SELECT
vtiger_user2role.userid
FROM
vtiger_user2role
INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
WHERE
vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'
)
Debugging led me to find that
WHERE vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'
leads to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in a check for the roles that are less than and equal to the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank
If this is the intended way to work, how is this query supposed to check for groups?
I’m trying to modify it to something like this:
// Direct user shares (vtiger_cv2users).
$permittedUsers = $adb->pquery("
    SELECT userid
    FROM vtiger_cv2users
    WHERE cvid = ? AND userid = ?
", [$record_id, $current_user->id]);
// Roles shared directly (vtiger_cv2role) or as role-and-subordinates (vtiger_cv2rs).
// Note: matching rsid against the user's own roleid only covers the exact role,
// not its subordinates; those would still need a parentrole prefix check.
$permittedRoles = $adb->pquery("
    SELECT roleid
    FROM `vtiger_user2role`
    WHERE userid = ? AND roleid IN (
        SELECT roleid
        FROM vtiger_cv2role
        WHERE cvid = ?
        UNION
        SELECT rsid
        FROM vtiger_cv2rs
        WHERE cvid = ?
    )
", [$current_user->id, $record_id, $record_id]);
// Either a direct user share or a role share grants access.
$permission = ($adb->num_rows($permittedUsers) || $adb->num_rows($permittedRoles)) ? 'yes' : 'no';
For groups I’m thinking of a clever way to check… Any suggestions?
Best Regards,
Sukhdev Mohan
———————————
Cel. (+39) 320 7020345
Email s.mohan at myti.it
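A worked comparison of the two checks, as added example code that is not from the post or from vtiger: it builds the tables named above in SQLite, reproduces the logic of the quoted isPermittedCustomView query, and implements the share lookup including role-and-subordinates (by parentrole prefix) and groups. The group tables vtiger_cv2group and vtiger_users2group, the sample rows and the schema are assumptions made for the example.

```python
import sqlite3

# Constructed schema with the table/column names from the post; the group tables are an assumption.
SCHEMA = """
CREATE TABLE vtiger_role(roleid TEXT, parentrole TEXT);
CREATE TABLE vtiger_user2role(userid INT, roleid TEXT);
CREATE TABLE vtiger_customview(cvid INT, userid INT);
CREATE TABLE vtiger_cv2users(cvid INT, userid INT);
CREATE TABLE vtiger_cv2role(cvid INT, roleid TEXT);
CREATE TABLE vtiger_cv2rs(cvid INT, rsid TEXT);
CREATE TABLE vtiger_cv2group(cvid INT, groupid INT);
CREATE TABLE vtiger_users2group(groupid INT, userid INT);
INSERT INTO vtiger_role VALUES ('H2','H1::H2'), ('H10','H1::H2::H10'), ('H11','H1::H2::H11');
INSERT INTO vtiger_user2role VALUES (1,'H2'), (2,'H10'), (3,'H11'), (4,'H11');  -- user 1 is the CEO
INSERT INTO vtiger_customview VALUES (100, 1);  -- CEO owns view 100
INSERT INTO vtiger_cv2users VALUES (100, 2);    -- shared directly with user 2
INSERT INTO vtiger_cv2group VALUES (100, 7);    -- shared with group 7, which contains user 3
INSERT INTO vtiger_users2group VALUES (7, 3);
"""
def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
def role_path(conn, userid):
    # Full path of the user's role, e.g. 'H1::H2::H10' (vtiger_role.parentrole)
    row = conn.execute("SELECT r.parentrole FROM vtiger_user2role u2r JOIN vtiger_role r"
                       " ON r.roleid = u2r.roleid WHERE u2r.userid = ?", (userid,)).fetchone()
    return row[0] if row else None
def original_check(conn, cvid, userid):
    # Logic of the query quoted from isPermittedCustomView: the view passes only
    # if its owner sits below the *current* user in the role tree.
    path = role_path(conn, userid)
    return path is not None and conn.execute(
        "SELECT 1 FROM vtiger_customview cv WHERE cv.cvid = ? AND cv.userid IN ("
        " SELECT u2r.userid FROM vtiger_user2role u2r JOIN vtiger_role r"
        " ON r.roleid = u2r.roleid WHERE r.parentrole LIKE ?)",
        (cvid, f"%{path}::%")).fetchone() is not None

def proposed_check(conn, cvid, userid):
    # Grant if the user owns the view or is a share target: directly, via role,
    # via role-and-subordinates (role path prefix match), or via group.
    params = {"cv": cvid, "u": userid, "path": role_path(conn, userid) or ""}
    return conn.execute(
        "SELECT 1 WHERE EXISTS (SELECT 1 FROM vtiger_customview WHERE cvid = :cv AND userid = :u)"
        " OR EXISTS (SELECT 1 FROM vtiger_cv2users WHERE cvid = :cv AND userid = :u)"
        " OR EXISTS (SELECT 1 FROM vtiger_cv2role c JOIN vtiger_user2role ur ON ur.roleid = c.roleid"
        "            WHERE c.cvid = :cv AND ur.userid = :u)"
        " OR EXISTS (SELECT 1 FROM vtiger_cv2rs c JOIN vtiger_role r ON r.roleid = c.rsid"
        "            WHERE c.cvid = :cv AND (r.parentrole = :path OR :path LIKE r.parentrole || '::%'))"
        " OR EXISTS (SELECT 1 FROM vtiger_cv2group c JOIN vtiger_users2group g ON g.groupid = c.groupid"
        "            WHERE c.cvid = :cv AND g.userid = :u)", params).fetchone() is not None
```

With the sample rows, original_check(conn, 100, 2) is False (the CEO is not below user 2) while proposed_check grants users 1, 2 and 3 and denies user 4 until a vtiger_cv2rs row for role H2 is added.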