[Vtigercrm-developers] Sharing Lists

Sukhdev Mohan s.mohan at myti.it
Thu May 21 11:07:46 GMT 2020 

I don’t know what to say… Had to rewrite that part of function with the code I emailed you to make it work… 

Also had problem with owner trying to edit/save lists: the problem was you check duplicates on frontend with cycling through an array of names. In my case some of the list were written in Italian with letters like this => è ò ù etc and  there were some other special characters. EditAjax.php passed the variable but in template the zend::json function didn’t handle the these and returned empty string opposed to return empty array. This. Caused the check duplicate to fail. Fixed it by passing the array of names passing through htmlspecialchars… I think you need to enable support for utf-8 globally.
Best Regards,
Sukhdev Mohan
———————————
Cel. (+39) 320 7020345
Email s.mohan at myti.it




> Il giorno 21 mag 2020, alle ore 11:37, Uma S <uma.s at vtiger.com> ha scritto:
> 
> Hi Sukhdev,
> 
> Even this works without any issue, Which satisfies the condition ($is_admin) so permission will be returned as yes.
> 
> On Thu, May 21, 2020 at 12:49 PM Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> wrote:
> Hi Uma,
> 
> The CEO in my case is also the admin.
> 
> Best Regards,
> Sukhdev Mohan
> ———————————
> Cel. (+39) 320 7020345
> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
> 
> 
> 
> 
>> Il giorno 21 mag 2020, alle ore 08:45, Uma S <uma.s at vtiger.com <mailto:uma.s at vtiger.com>> ha scritto:
>> 
>> Hi Sukhdev,
>> 
>> Thanks! for the detailed explanation of the issue.
>> 
>> I analyzed this case by creating a ceo user with non-admin privilege and another user say test as SalesManager role.
>> 
>> Now creating the filter in Contacts module as ceo and sharing with SalesManager, I found that both SalesManager and Ceo has access to the filter.
>> 
>> Because when he login as ceo user, it enters the ($action != 'ChangeStatus') loop in isPermittedCustomView() api of CustomView.php and Satisfies the condition ($userid == $current_user->id). So it returns the permission as yes.
>> 
>> Please do let me know if my case scenario was right or not?
>> 
>> On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <s.mohan at myti.it <mailto:s.mohan at myti.it>> wrote:
>> Hi Uma,
>> 
>> Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.
>> 
>> In one of the installation we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.
>> The problem seems in CustomView.php in the function isPermittedCustomView specifically in the query:
>> 
>> SELECT
>>     vtiger_users.id <http://vtiger_users.id/>
>> FROM
>>     vtiger_customview
>> INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(
>>     SELECT
>>         vtiger_user2role.userid
>>     FROM
>>         vtiger_user2role
>>     INNER JOIN vtiger_users ON vtiger_users.id <http://vtiger_users.id/> = vtiger_user2role.userid
>>     INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid
>>     WHERE
>>         vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'
>> )
>> 
>> Debugging lead me to find that 
>> 
>> WHERE vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%’
>> 
>> Leada to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in check for the roles that are less and equal than the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank
>> 
>> If this is the intended way to work how this query is supposed to check for groups? 
>> 
>> I’m trying to modify it to something like this
>> 
>> $permittedUsers = $adb->pquery("
>>     SELECT userid
>>     FROM vtiger_cv2users
>>     WHERE cvid = ? AND userid = ?
>> ", [$record_id, $current_user->id]);
>> 
>> $permittedRoles = $adb->pquery("
>>     SELECT roleid
>>     FROM `vtiger_user2role`
>>     WHERE userid = ? and roleid in (
>>         select roleid
>>         from vtiger_cv2role
>>         where cvid = ?
>>         UNION
>>         select rsid
>>         from vtiger_cv2rs
>>         where cvid = ?
>>     )
>> ", [$current_user->id, $record_id, $record_id]);
>> 
>> $permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';
>> For groups I’m thinking of a clever way to check… Any suggestions?
>> 
>> Best Regards,
>> Sukhdev Mohan
>> ———————————
>> Cel. (+39) 320 7020345
>> Email s.mohan at myti.it <mailto:s.mohan at myti.it>
>> _______________________________________________
>> http://www.vtiger.com/ <http://www.vtiger.com/>
>> 
>> -- 
>> With
>> Best Regards
>> Uma.S
>> Vtiger Team
>> _______________________________________________
>> http://www.vtiger.com/ <http://www.vtiger.com/>
> _______________________________________________
> http://www.vtiger.com/ <http://www.vtiger.com/>
> 
> -- 
> With
> Best Regards
> Uma.S
> Vtiger Team
> _______________________________________________
> http://www.vtiger.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200521/bf24839d/attachment-0001.html>

More information about the vtigercrm-developers mailing list