[Vtigercrm-developers] Sharing Lists

Uma S uma.s at vtiger.com
Thu May 21 09:37:37 GMT 2020


Hi Sukhdev,

Even this works without any issue, which satisfies the
condition ($is_admin), so permission will be returned as yes.

On Thu, May 21, 2020 at 12:49 PM Sukhdev Mohan <s.mohan at myti.it> wrote:

> Hi Uma,
>
> The CEO in my case is also the admin.
>
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <s.mohan at myti.it>
>
>
>
>
> Il giorno 21 mag 2020, alle ore 08:45, Uma S <uma.s at vtiger.com> ha
> scritto:
>
> Hi Sukhdev,
>
> Thanks for the detailed explanation of the issue.
>
> I analyzed this case by creating a ceo user with non-admin privileges and
> another user, say "test", with the SalesManager role.
>
> Now, creating the filter in the Contacts module as ceo and sharing it with
> SalesManager, I found that both SalesManager and ceo have access to the
> filter.
>
> Because when logged in as the ceo user, it enters the ($action !=
> 'ChangeStatus') loop in the isPermittedCustomView() API of CustomView.php and
> satisfies the condition ($userid == $current_user->id), so it returns the
> permission as yes.
>
> Please let me know whether my test scenario was right or not.
>
> On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <s.mohan at myti.it> wrote:
>
>> Hi Uma,
>>
>> Since the problem still persists, I’m here again. I’ll try to explain the
>> problem as clearly as possible.
>>
>> In one of the installations we have, they are facing multiple problems
>> with custom views: the CEO created a custom view and shared it with one of
>> the users, but the latter can't access it.
>> The problem seems to be in CustomView.php, in the function
>> isPermittedCustomView, specifically in this query:
>>
>> SELECT
>>     vtiger_users.id
>> FROM
>>     vtiger_customview
>> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND
>> vtiger_customview.userid IN(
>>     SELECT
>>         vtiger_user2role.userid
>>     FROM
>>         vtiger_user2role
>>     INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
>>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>>     WHERE
>>         vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq .
>> "::%'
>> )
>>
>> Debugging led me to find that
>>
>> WHERE vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq .
>> "::%'
>>
>> leads to an empty set. Why? Because $current_user_parent_role for the
>> user who can't access it is H1::H2::H10, while the parent role of the CEO is
>> H1::H2. Since it's checking the parent role of the current user and NOT
>> the parent role of the creator, this results in a check for the roles
>> that are lower than or equal to the current one, which makes the scenario
>> where a higher role shares a custom view with someone with a lower rank
>>
>> If this is the intended way for it to work, how is this query supposed to
>> check for groups?
>>
>> I’m trying to modify it to something like this:
>>
>> $permittedUsers = $adb->pquery("
>>     SELECT userid
>>     FROM vtiger_cv2users
>>     WHERE cvid = ? AND userid = ?
>> ", [$record_id, $current_user->id]);
>>
>> $permittedRoles = $adb->pquery("
>>     SELECT roleid
>>     FROM `vtiger_user2role`
>>     WHERE userid = ? and roleid in (
>>         select roleid
>>         from vtiger_cv2role
>>         where cvid = ?
>>         UNION
>>         select rsid
>>         from vtiger_cv2rs
>>         where cvid = ?
>>     )
>> ", [$current_user->id, $record_id, $record_id]);
>>
>> // a share to the user directly OR to one of the user's roles grants access
>> $permission = ($adb->num_rows($permittedUsers) || $adb->num_rows($permittedRoles))
>>     ? 'yes' : 'no';
>>
>> For groups I’m thinking of a clever way to check… Any suggestions?
>>
>> Best Regards,
>> Sukhdev Mohan
>> ———————————
>> Cel. (+39) 320 7020345
>> Email s.mohan at myti.it <s.mohan at myti.it>
>>
>> _______________________________________________
>> http://www.vtiger.com/
>
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team



-- 
With
Best Regards
Uma.S
Vtiger Team
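The two checks discussed in this thread, replayed side by side as an added example (this is not vtiger's code and not code from anyone in the thread). It builds an in-memory SQLite copy of the tables the quoted queries touch, with constructed users, roles and custom views that mirror the scenario above (CEO in role H2 with path H1::H2, a SalesManager in H10 with path H1::H2::H10), then runs the role-hierarchy query exactly as quoted, behind the $is_admin and owner branches Uma describes, and next to it an explicit-sharing lookup over vtiger_cv2users, vtiger_cv2role and vtiger_cv2rs plus a group lookup. Table and column names for those tables follow the thread; the group tables vtiger_cv2group and vtiger_users2group are assumed names for this example. The LIKE pattern is bound as a parameter here rather than concatenated into the SQL string as the quoted query does.

```python
"""Replay the custom-view permission check from the thread against an
in-memory SQLite copy of the tables it touches (constructed data, not a
real vtiger database)."""
import sqlite3

# vtiger role paths: parentrole holds the full path ending in the role's own
# id, e.g. 'H1::H2::H10' for role H10, as in the thread.
ROLES = [
    ("H1", "H1"),                 # root role
    ("H2", "H1::H2"),             # CEO
    ("H10", "H1::H2::H10"),       # Sales Manager
    ("H11", "H1::H2::H10::H11"),  # Sales Rep, below Sales Manager
    ("H12", "H1::H2::H12"),       # Support, a sibling branch
]
# (id, user_name, is_admin, roleid); is_admin 'on'/'off' mirrors the vtiger flag
USERS = [
    (1, "admin", "on", "H1"),
    (2, "ceo", "off", "H2"),       # non-admin CEO, as in Uma's test
    (3, "salesmgr", "off", "H10"),
    (4, "salesrep", "off", "H11"),
    (5, "support", "off", "H12"),
]
# (cvid, viewname, owner userid)
VIEWS = [(100, "Hot Leads", 2), (101, "My Follow-ups", 4)]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE vtiger_users(id INTEGER PRIMARY KEY, user_name TEXT, is_admin TEXT);
        CREATE TABLE vtiger_role(roleid TEXT PRIMARY KEY, parentrole TEXT);
        CREATE TABLE vtiger_user2role(userid INTEGER, roleid TEXT);
        CREATE TABLE vtiger_customview(cvid INTEGER PRIMARY KEY, viewname TEXT, userid INTEGER);
        CREATE TABLE vtiger_cv2users(cvid INTEGER, userid INTEGER);  -- shared with users
        CREATE TABLE vtiger_cv2role(cvid INTEGER, roleid TEXT);      -- shared with a role
        CREATE TABLE vtiger_cv2rs(cvid INTEGER, rsid TEXT);          -- role and subordinates
        -- group tables: names assumed for this example
        CREATE TABLE vtiger_cv2group(cvid INTEGER, groupid INTEGER);
        CREATE TABLE vtiger_users2group(groupid INTEGER, userid INTEGER);
    """)
    db.executemany("INSERT INTO vtiger_role VALUES (?, ?)", ROLES)
    db.executemany("INSERT INTO vtiger_users VALUES (?, ?, ?)", [u[:3] for u in USERS])
    db.executemany("INSERT INTO vtiger_user2role VALUES (?, ?)", [(u[0], u[3]) for u in USERS])
    db.executemany("INSERT INTO vtiger_customview VALUES (?, ?, ?)", VIEWS)
    # CEO shares 'Hot Leads' with salesmgr directly and with role H10 + subordinates
    db.execute("INSERT INTO vtiger_cv2users VALUES (100, 3)")
    db.execute("INSERT INTO vtiger_cv2rs VALUES (100, 'H10')")
    # salesrep shares 'My Follow-ups' with group 7, whose only member is support
    db.execute("INSERT INTO vtiger_cv2group VALUES (101, 7)")
    db.execute("INSERT INTO vtiger_users2group VALUES (7, 5)")
    return db


def _user(db, userid):
    row = db.execute("""SELECT u.is_admin, r.parentrole FROM vtiger_users u
                        JOIN vtiger_user2role ur ON ur.userid = u.id
                        JOIN vtiger_role r ON r.roleid = ur.roleid
                        WHERE u.id = ?""", (userid,)).fetchone()
    return {"is_admin": row[0] == "on", "parent_role_seq": row[1]}


def _owner(db, cvid):
    return db.execute("SELECT userid FROM vtiger_customview WHERE cvid = ?", (cvid,)).fetchone()[0]


def is_permitted_original(db, cvid, userid):
    """The check as quoted in the thread: admin or owner, else the creator must
    sit strictly below the *current* user in the role tree."""
    user = _user(db, userid)
    if user["is_admin"] or _owner(db, cvid) == userid:
        return "yes"
    rows = db.execute("""
        SELECT vtiger_users.id FROM vtiger_customview INNER JOIN vtiger_users
        WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN (
            SELECT vtiger_user2role.userid FROM vtiger_user2role
            INNER JOIN vtiger_users ON vtiger_users.id = vtiger_user2role.userid
            INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
            WHERE vtiger_role.parentrole LIKE ?)""",
        (cvid, "%" + user["parent_role_seq"] + "::%")).fetchall()
    return "yes" if rows else "no"


def is_permitted_shared(db, cvid, userid):
    """Sharing-table check: admin, owner, or an explicit share to the user,
    the user's role, an ancestor role shared as role-and-subordinates, or a
    group the user belongs to."""
    user = _user(db, userid)
    if user["is_admin"] or _owner(db, cvid) == userid:
        return "yes"
    seq = user["parent_role_seq"]
    rows = db.execute("""
        SELECT 1 FROM vtiger_cv2users WHERE cvid = ? AND userid = ?
        UNION ALL
        SELECT 1 FROM vtiger_cv2role JOIN vtiger_user2role USING (roleid)
          WHERE cvid = ? AND userid = ?
        UNION ALL
        SELECT 1 FROM vtiger_cv2rs JOIN vtiger_role ON vtiger_role.roleid = vtiger_cv2rs.rsid
          WHERE cvid = ? AND (? = vtiger_role.parentrole OR ? LIKE vtiger_role.parentrole || '::%')
        UNION ALL
        SELECT 1 FROM vtiger_cv2group JOIN vtiger_users2group USING (groupid)
          WHERE cvid = ? AND userid = ?""",
        (cvid, userid, cvid, userid, cvid, seq, seq, cvid, userid)).fetchall()
    return "yes" if rows else "no"


if __name__ == "__main__":
    db = build_db()
    for cvid, uid in [(100, 3), (101, 2), (100, 4), (101, 5)]:
        print(cvid, uid, is_permitted_original(db, cvid, uid), is_permitted_shared(db, cvid, uid))
```

Running it reproduces the report: for view 100 the original query answers "no" to salesmgr, because the pattern `%H1::H2::H10::%` only matches roles below the current user, and the CEO's H1::H2 is above. It also shows what that query grants instead: the CEO gets "yes" to view 101, which salesrep never shared with anyone, since every subordinate's filter matches `%H1::H2::%`. The sharing-table variant answers from the share records only, so the CEO is refused view 101 unless a share exists; whether a superior should also see subordinates' unshared views is a policy decision, and if it is wanted it belongs as a separate, explicit branch rather than as the only path to a shared filter.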
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200521/893c4ff0/attachment.html>