[Vtigercrm-developers] Sharing Lists

Sukhdev Mohan s.mohan at myti.it
Thu May 21 07:15:26 GMT 2020 

Hi Uma,

The CEO in my case is also the admin.

Best Regards,
Sukhdev Mohan
———————————
Cel. (+39) 320 7020345
Email s.mohan at myti.it




> Il giorno 21 mag 2020, alle ore 08:45, Uma S <uma.s at vtiger.com> ha scritto:
> 
> Hi Sukhdev,
> 
> Thanks! for the detailed explanation of the issue.
> 
> I analyzed this case by creating a ceo user with non-admin privilege and another user say test as SalesManager role.
> 
> Now creating the filter in Contacts module as ceo and sharing with SalesManager, I found that both SalesManager and Ceo has access to the filter.
> 
> Because when he login as ceo user, it enters the ($action != 'ChangeStatus') loop in isPermittedCustomView() api of CustomView.php and Satisfies the condition ($userid == $current_user->id). So it returns the permission as yes.
> 
> Please do let me know if my case scenario was right or not?
> 
> On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> wrote:
> Hi Uma,
> 
> Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.
> 
> In one of the installation we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.
> The problem seems in CustomView.php in the function isPermittedCustomView specifically in the query:
> 
> SELECT
>     vtiger_users.id <http://vtiger_users.id/>
> FROM
>     vtiger_customview
> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(
>     SELECT
>         vtiger_user2role.userid
>     FROM
>         vtiger_user2role
>     INNER JOIN vtiger_users ON vtiger_users.id <http://vtiger_users.id/> = vtiger_user2role.userid
>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>     WHERE
>         vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'
> )
> 
> Debugging lead me to find that 
> 
> WHERE vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%’
> 
> Leada to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in check for the roles that are less and equal than the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank
> 
> If this is the intended way to work how this query is supposed to check for groups? 
> 
> I’m trying to modify it to something like this
> 
> $permittedUsers = $adb->pquery("
>     SELECT userid
>     FROM vtiger_cv2users
>     WHERE cvid = ? AND userid = ?
> ", [$record_id, $current_user->id]);
> 
> $permittedRoles = $adb->pquery("
>     SELECT roleid
>     FROM `vtiger_user2role`
>     WHERE userid = ? and roleid in (
>         select roleid
>         from vtiger_cv2role
>         where cvid = ?
>         UNION
>         select rsid
>         from vtiger_cv2rs
>         where cvid = ?
>     )
> ", [$current_user->id, $record_id, $record_id]);
> 
> $permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';
> For groups I’m thinking of a clever way to check… Any suggestions?
> 
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
> _______________________________________________
> http://www.vtiger.com/ <http://www.vtiger.com/>
> 
> -- 
> With
> Best Regards
> Uma.S
> Vtiger Team
> _______________________________________________
> http://www.vtiger.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200521/d4def950/attachment-0001.html>

More information about the vtigercrm-developers mailing list