[Vtigercrm-developers] Sharing Lists
Uma S
uma.s at vtiger.com
Thu May 21 06:45:12 GMT 2020
Hi Sukhdev,
Thanks for the detailed explanation of the issue!
I analyzed this case by creating a ceo user with non-admin privilege and
another user, say test, with the SalesManager role.
Now, creating the filter in the Contacts module as ceo and sharing it with
SalesManager, I found that both SalesManager and ceo have access to the
filter.
Because when he logs in as the ceo user, it enters the ($action !=
'ChangeStatus') loop in the isPermittedCustomView() API of CustomView.php and
satisfies the condition ($userid == $current_user->id), so it returns the
permission as yes.
Please do let me know whether my scenario was right or not.
On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <s.mohan at myti.it> wrote:
> Hi Uma,
>
> Since the problem still persists, I’m here again. I’ll try to explain the
> problem as clearly as possible.
>
> In one of the installations we have, they are facing multiple problems with
> custom views: the CEO created a custom view and shared it with one of the
> users, but the latter can’t access it.
> The problem seems in CustomView.php in the function isPermittedCustomView specifically
> in the query:
>
> SELECT
> vtiger_users.id
> FROM
> vtiger_customview
> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND
> vtiger_customview.userid IN(
> SELECT
> vtiger_user2role.userid
> FROM
> vtiger_user2role
> INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
> INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
> WHERE
> vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq .
> "::%'
> )
>
> Debugging led me to find that
>
> WHERE vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq .
> "::%'
>
> leads to an empty set. Why? Because $current_user_parent_role for the user
> who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2.
> Since it’s checking the parent role for the current user and NOT the parent
> user role of the creator, this results in check for the roles that are less
> and equal than the current one, which makes the scenario where a higher
> role shares a custom view with someone with lower rank
>
> If this is the intended way for it to work, how is this query supposed to
> check for groups?
>
> I’m trying to modify it to something like this
>
> $permittedUsers = $adb->pquery("
> SELECT userid
> FROM vtiger_cv2users
> WHERE cvid = ? AND userid = ?
> ", [$record_id, $current_user->id]);
>
> $permittedRoles = $adb->pquery("
> SELECT roleid
> FROM `vtiger_user2role`
> WHERE userid = ? and roleid in (
> select roleid
> from vtiger_cv2role
> where cvid = ?
> UNION
> select rsid
> from vtiger_cv2rs
> where cvid = ?
> )
> ", [$current_user->id, $record_id, $record_id]);
>
> $permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';
>
> For groups I’m thinking of a clever way to check… Any suggestions?
>
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <s.mohan at myti.it>
>
--
With
Best Regards
Uma.S
Vtiger Team
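The following is an added illustration, not code from vtiger or from either poster. It rebuilds the tables named in the thread in an in-memory SQLite database with a constructed fixture (user ids, user names and the role sequences H1, H1::H2 and H1::H2::H10 are taken from or modelled on the messages above), runs the subordinate-role query quoted from isPermittedCustomView() for a given current user, and runs the cv2users/cv2role/cv2rs check Sukhdev sketched. Two things are my own assumptions: the column sets are reduced to what the queries touch, and the proposed check combines the owner shortcut Uma describes with the user and role share rows into one yes/no result (the draft in the thread only evaluated the cv2users query). Group sharing is deliberately left out because the thread has not settled how it should be checked.

```python
import sqlite3

# Constructed fixture (not a vtiger dump). Role sequences follow the thread:
# the CEO's role H2 has parentrole 'H1::H2', the SalesManager's role H10 has
# parentrole 'H1::H2::H10'. User 1 ("director", role H1) is added only to show
# the original query succeeding for a user ranked above the view's creator.
SCHEMA = """
CREATE TABLE vtiger_users      (id INTEGER PRIMARY KEY, user_name TEXT);
CREATE TABLE vtiger_role       (roleid TEXT PRIMARY KEY, parentrole TEXT);
CREATE TABLE vtiger_user2role  (userid INTEGER, roleid TEXT);
CREATE TABLE vtiger_customview (cvid INTEGER PRIMARY KEY, userid INTEGER);
CREATE TABLE vtiger_cv2users   (cvid INTEGER, userid INTEGER);
CREATE TABLE vtiger_cv2role    (cvid INTEGER, roleid TEXT);
CREATE TABLE vtiger_cv2rs      (cvid INTEGER, rsid TEXT);
"""
FIXTURE = """
INSERT INTO vtiger_users VALUES (1, 'director'), (2, 'ceo'), (3, 'test');
INSERT INTO vtiger_role  VALUES ('H1', 'H1'), ('H2', 'H1::H2'), ('H10', 'H1::H2::H10');
INSERT INTO vtiger_user2role VALUES (1, 'H1'), (2, 'H2'), (3, 'H10');
-- cvid 100: filter created by ceo (user 2), shared directly with test (user 3)
INSERT INTO vtiger_customview VALUES (100, 2);
INSERT INTO vtiger_cv2users   VALUES (100, 3);
-- cvid 101: filter created by ceo, shared with the SalesManager role instead
INSERT INTO vtiger_customview VALUES (101, 2);
INSERT INTO vtiger_cv2role    VALUES (101, 'H10');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed fixture."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + FIXTURE)
    return conn


def role_sequence(conn, userid):
    """parentrole string of the user's role, i.e. $current_user_parent_role_seq."""
    row = conn.execute(
        "SELECT r.parentrole FROM vtiger_user2role u2r "
        "JOIN vtiger_role r ON r.roleid = u2r.roleid WHERE u2r.userid = ?",
        (userid,),
    ).fetchone()
    return row[0]


def original_check(conn, cvid, current_user_id):
    """The query quoted from isPermittedCustomView(), with the LIKE pattern built
    from the *current* user's role sequence. '%<seq>::%' only matches roles that
    sit strictly below the current user, so a view created by a superior is
    never found."""
    pattern = "%" + role_sequence(conn, current_user_id) + "::%"
    rows = conn.execute(
        """
        SELECT vtiger_users.id
        FROM vtiger_customview
        INNER JOIN vtiger_users
        WHERE vtiger_customview.cvid = ?
          AND vtiger_customview.userid IN (
            SELECT vtiger_user2role.userid
            FROM vtiger_user2role
            INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
            INNER JOIN vtiger_role  ON vtiger_role.roleid = vtiger_user2role.roleid
            WHERE vtiger_role.parentrole LIKE ?
          )
        """,
        (cvid, pattern),
    ).fetchall()
    return len(rows) > 0


def proposed_check(conn, cvid, current_user_id):
    """Share-table based check in the direction Sukhdev proposed. The creator
    shortcut ($userid == $current_user->id) is folded in here; that combination
    is an assumption of this example, not the thread's final design."""
    owner = conn.execute(
        "SELECT 1 FROM vtiger_customview WHERE cvid = ? AND userid = ?",
        (cvid, current_user_id),
    ).fetchone()
    if owner:
        return True
    user_share = conn.execute(
        "SELECT userid FROM vtiger_cv2users WHERE cvid = ? AND userid = ?",
        (cvid, current_user_id),
    ).fetchone()
    if user_share:
        return True
    role_share = conn.execute(
        """
        SELECT roleid FROM vtiger_user2role
        WHERE userid = ? AND roleid IN (
            SELECT roleid FROM vtiger_cv2role WHERE cvid = ?
            UNION
            SELECT rsid   FROM vtiger_cv2rs   WHERE cvid = ?
        )
        """,
        (current_user_id, cvid, cvid),
    ).fetchone()
    return role_share is not None


if __name__ == "__main__":
    db = open_db()
    for cvid in (100, 101):
        for uid, name in ((1, "director"), (2, "ceo"), (3, "test")):
            print(cvid, name, "original:", original_check(db, cvid, uid),
                  "proposed:", proposed_check(db, cvid, uid))
```

Running it reproduces the report: for view 100 the original query says no for the SalesManager (role sequence H1::H2::H10 yields the pattern '%H1::H2::H10::%', which the creator's 'H1::H2' cannot match) but yes for the director, whose '%H1::%' pattern matches the CEO's role; the share-table check says yes for the CEO as creator and for the SalesManager through cv2users, and yes for the SalesManager on view 101 through cv2role.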