<div dir="ltr">Hi Sukhdev,<br><div><br></div><div>I am currently checking his case scenario on the latest master source. Among the two scenarios you have mentioned</div><div><br></div><div><ul><li>Scenario1 works perfectly fine, custom list shared by lower hierarchy role to CEO is accessible to CEO.</li><li>Scenario2 CEO with admin privilege creates a list and shares with user role lower than is accessible, But reload of list redirects to All list.</li></ul></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 5, 2020 at 8:40 PM Sukhdev Mohan <<a href="mailto:s.mohan@myti.it">s.mohan@myti.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Hi Uma,<div><br></div><div>I’ve faced two scenarios: </div><div><br></div><div>Scenario 1)</div><div>Commercial role (which is the lowest in the role hierarchy) shared a custom list with CEO. CEO couldn’t see or access it, from browser or link in the left menu.</div><div><br></div><div>Scenario 2)</div><div>CEO with admin privilege creates a list and shares with a user with role lower than him.</div><div><br></div><div>These scenario occurred in two different contests but share the common problem this query: </div><div><blockquote type="cite"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(155,112,177)">$sql </span>= <span style="color:rgb(166,202,145)">"select <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')"</span><span style="color:rgb(242,137,49)">;</span></pre></div></div></blockquote></div></blockquote></div></blockquote></div><div><br></div><div>Specifically this sub query</div><div><br></div><div><div><blockquote type="cite"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(166,202,145)">(select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')</span></pre></div></div></blockquote></div></blockquote></div></blockquote><div><br></div></div></div><div>Basically you guys are checking that the user who is trying to access the list has the same role as the user who created it by checking their parent role.</div><div><br></div><div>To solve this problem I had to comment out the the isPermittedCustomView() . I’m wondering you simply don’t check the cv_* tables where are defined the users/groups/roles are defined explicitly.</div><div><div><br></div><div><br></div><div><br></div><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>Best Regards,<br>Sukhdev Mohan<br>———————————</div><div>Cel. (+39) 320 7020345<br><a href="mailto:s.mohan@myti.it" target="_blank">Email s.mohan@myti.it</a></div><div><br></div></div><br><br>
</div>
<div><br><blockquote type="cite"><div>Il giorno 5 mag 2020, alle ore 13:17, Uma S <<a href="mailto:uma.s@vtiger.com" target="_blank">uma.s@vtiger.com</a>> ha scritto:</div><br><div><div dir="ltr">Hi Sukhdev,<br><div><br></div><div>I reviewed the mentioned case with the following case scenario.</div><div><ul><li>Created user(test B) with Role as CEO and Admin is disabled for this user.</li><li>Created a custom list as Admin user and shared with user (test B)</li><li>Where test B user can access this list, when he clicks on the list from the left panel.</li><li>Now if you reload the same list from browser load, It redirects to All filter.</li></ul></div><div>Do let me know if the validation is right or not, for me to analyze why load is redirecting to All filters.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 28, 2020 at 2:57 PM Uma S <<a href="mailto:uma.s@vtiger.com" target="_blank">uma.s@vtiger.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Sukhdev,<br><div><br></div><div>Thanks! for the note.Let us review this case and get back to you.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 24, 2020 at 4:41 PM Sukhdev Mohan <<a href="mailto:s.mohan@myti.it" target="_blank">s.mohan@myti.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hello All,<div>For another installation we had this problem. This Time a CEO shared a custom view with someone with role Commercial, which just beneath CEO in this Case. The Commercial user can’t view the List as isPermittedCustomView() return false and the problem is:</div><div><br></div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(155,112,177)">$sql </span>= <span style="color:rgb(166,202,145)">"select <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')"</span><span style="color:rgb(242,137,49)">;<br></span></pre><div>More specifically this part</div></div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(166,202,145)">and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')</span></pre><div>Commercial user has this <span style="font-family:Menlo;background-color:rgb(255,255,255);color:rgb(155,112,177)">$current_user_parent_role_seq</span><span style="color:rgb(74,92,110);font-family:Menlo;background-color:rgb(255,255,255)">=</span><span style="font-family:Menlo;background-color:rgb(255,255,255);color:rgb(166,202,145)">'H1::H2::H10'</span><span style="font-family:Menlo;background-color:rgb(255,255,255);color:rgb(242,137,49)">;</span></div><div><br></div><div>I’m wondering why on earth you let the user choose with whom to share the list but not let the user whom the list is shared with see it, unless they happen to have the save role? Ex:</div></div><div>Commercial role can’t see the Custom views CEO created and shared with them because the $current_user_parent_role_seq pf commercia type user includes their role too, and CEO’s $current_user_parent_role_seq is H1::H2, never going to happen that Commercial user see anything shared to him by CEO. Oh this works in reverse too: a list created by Commercial and shared with CEO can’t be possibly seen by CEO.</div><div>Now the question is why do you even have the table tiger_cv2users/role/groups if you aren’t going to check there, where is literally written who have access to the custom view. I don’t understand… </div><div><br></div><div><br><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>Best Regards,<br>Sukhdev Mohan<br>———————————</div><div>Cel. (+39) 320 7020345<br><a href="mailto:s.mohan@myti.it" target="_blank">Email s.mohan@myti.it</a></div><div><br></div></div><br><br>
</div>
<div><br><blockquote type="cite"><div>Il giorno 14 apr 2020, alle ore 23:14, Sukhdev Mohan <<a href="mailto:s.mohan@myti.it" target="_blank">s.mohan@myti.it</a>> ha scritto:</div><br><div><div> Hello all,<div><br></div><div>I’m having some trouble with sharing lists. The workflow the client is following:</div><div>Admin creates lista -> shares it with users</div><div><br></div><div>The User can’t access this list and is redirected to the general list all.</div><div><br></div><div>User with whom the list is shared have role CEO (we had to make all CEO in order for them to assign tasks to any user of any role - very particular use case, I’d argue they should review their process), using Vtiger 7.1</div><div><br></div><div>Debugging I found this code in modules/CutomView/CustomView.php line 2007 and following in function isPermittedCustomView(), (any one can tell me why so much code is commented out?)</div><div><br></div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(242,137,49)">elseif </span>(<span style="color:rgb(155,112,177)">$status </span>== <span style="color:rgb(155,112,177);font-style:italic">CV_STATUS_PRIVATE </span>|| <span style="color:rgb(155,112,177)">$status </span>== <span style="color:rgb(155,112,177);font-style:italic">CV_STATUS_PENDING</span>) {<br> <span style="color:rgb(155,112,177)">$log</span>-><span style="color:rgb(167,95,0)">debug</span>(<span style="color:rgb(166,202,145)">"Entering when status=1 or 2"</span>)<span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> if </span>(<span style="color:rgb(155,112,177)">$userid </span>== <span style="color:rgb(155,112,177)">$current_user</span>-><span style="color:rgb(155,112,177)">id</span>)<br> <span style="color:rgb(155,112,177)">$permission </span>= <span style="color:rgb(166,202,145)">"yes"</span><span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> else </span>{<br> <span style="color:rgb(159,159,159)">/* if($action == 'ListView' || $action == $module."Ajax" || $action == 'index')<br></span><span style="color:rgb(159,159,159)"> { */<br></span><span style="color:rgb(159,159,159)"> </span><span style="color:rgb(155,112,177)">$log</span>-><span style="color:rgb(167,95,0)">debug</span>(<span style="color:rgb(166,202,145)">"Entering when status=1 or status=2 & action = ListView or </span><span style="color:rgb(155,112,177)">$module</span><span style="color:rgb(166,202,145)">.Ajax or index"</span>)<span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> </span><span style="color:rgb(155,112,177)">$sql </span>= <span style="color:rgb(166,202,145)">"select <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a> from vtiger_customview inner join vtiger_users where vtiger_customview.cvid = ? and vtiger_customview.userid in (select vtiger_user2role.userid from vtiger_user2role inner join vtiger_users on <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a>=vtiger_user2role.userid inner join vtiger_role on vtiger_role.roleid=vtiger_user2role.roleid where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')"</span><span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> </span><span style="color:rgb(155,112,177)">$result </span>= <span style="color:rgb(155,112,177)">$adb</span>-><span style="color:rgb(167,95,0)">pquery</span>(<span style="color:rgb(155,112,177)">$sql</span><span style="color:rgb(242,137,49)">, array</span>(<span style="color:rgb(155,112,177)">$record_id</span>))<span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> while </span>(<span style="color:rgb(155,112,177)">$row </span>= <span style="color:rgb(155,112,177)">$adb</span>-><span style="color:rgb(167,95,0)">fetchByAssoc</span>(<span style="color:rgb(155,112,177)">$result</span>)) {<br> <span style="color:rgb(155,112,177)">$temp_result</span>[] = <span style="color:rgb(155,112,177)">$row</span>[<span style="color:rgb(166,202,145)">'id'</span>]<span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> </span>}<br> <span style="color:rgb(155,112,177)">$user_array </span>= <span style="color:rgb(155,112,177)">$temp_result</span><span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> if </span>(sizeof(<span style="color:rgb(155,112,177)">$user_array</span>) > <span style="color:rgb(93,151,196)">0</span>) {<br> <span style="color:rgb(242,137,49)">if </span>(!in_array(<span style="color:rgb(155,112,177)">$current_user</span>-><span style="color:rgb(155,112,177)">id</span><span style="color:rgb(242,137,49)">, </span><span style="color:rgb(155,112,177)">$user_array</span>))<br> <span style="color:rgb(155,112,177)">$permission </span>= <span style="color:rgb(166,202,145)">"no"</span><span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> else<br></span><span style="color:rgb(242,137,49)"> </span><span style="color:rgb(155,112,177)">$permission </span>= <span style="color:rgb(166,202,145)">"yes"</span><span style="color:rgb(242,137,49)">;<br></span><span style="color:rgb(242,137,49)"> </span>}<br> <span style="color:rgb(242,137,49)">else<br></span><span style="color:rgb(242,137,49)"> </span><span style="color:rgb(155,112,177)">$permission </span>= <span style="color:rgb(166,202,145)">"no"</span><span style="color:rgb(242,137,49)">;</span></pre><div><br></div></div><div>The problem seems the query in this part:</div><div><pre style="background-color:rgb(255,255,255);color:rgb(74,92,110);font-family:Menlo"><span style="color:rgb(166,202,145)">where vtiger_role.parentrole like '%" </span>. <span style="color:rgb(155,112,177)">$current_user_parent_role_seq </span>. <span style="color:rgb(166,202,145)">"::%')</span></pre><div>So when it compiles for my user it becomes this:</div></div><div><br></div><div><br></div><div><div>SELECT</div><div> <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a></div><div>FROM</div><div> vtiger_customview</div><div>INNER JOIN vtiger_users WHERE vtiger_customview.cvid = '207' AND vtiger_customview.userid IN(</div><div> SELECT</div><div> vtiger_user2role.userid</div><div> FROM</div><div> vtiger_user2role</div><div> INNER JOIN vtiger_users ON <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a> = vtiger_user2role.userid</div><div> INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid</div><div> WHERE</div><div> vtiger_role.parentrole LIKE '%H1::H2::%'</div><div>)</div></div><div><br></div><div><br></div><div>The last ::% makes the query return empty set. I think before appending “::%” you should consider if it’s a specific role or a set of roles and sub. I’ve tried sharing with just role CEO still nothing changes… Also in past I’ve had problem updating list which used custom fields in column list or condition, error was just a json with generic error message.</div><div><br></div><div>Any ideas how I can solve without disabling the whole check?</div><div><br></div><div>P.S. </div><div><div><div>Wouldn’t be more efficient doing check in query directly $current_user->id and $current_user->role instead of doing on PHP side? </div><div><br></div><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>Best Regards,<br>Sukhdev Mohan<br>———————————</div><div>Cel. (+39) 320 7020345<br><a href="mailto:s.mohan@myti.it" target="_blank">Email s.mohan@myti.it</a></div><div><br></div></div><br><br>
</div>
<br></div></div></div></div></blockquote></div><br></div></div>_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>
_______________________________________________<br><a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a></div></blockquote></div><br></div></div>_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>