<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Uma,<div class=""><br class=""></div><div class="">Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.</div><div class=""><br class=""></div><div class="">In one of the installation we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.</div><div class="">The problem seems in CustomView.php in the function <span style="color: rgb(167, 95, 0); font-family: Menlo; background-color: rgb(255, 255, 255);" class="">isPermittedCustomView</span><font color="#000000" class=""><span style="background-color: rgb(255, 255, 255);" class=""> </span><span style="background-color: rgba(255, 255, 255, 0);" class="">specifically in the query:</span></font></div><div class=""><font color="#000000" face="Menlo" class=""><span style="background-color: rgba(255, 255, 255, 0);" class=""><br class=""></span></font></div><div class=""><font color="#000000" face="Menlo" style="background-color: rgb(216, 185, 255);" class=""><div class="">SELECT</div><div class=""> <a href="http://vtiger_users.id" class="">vtiger_users.id</a></div><div class="">FROM</div><div class=""> vtiger_customview</div><div class="">INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(</div><div class=""> SELECT</div><div class=""> vtiger_user2role.userid</div><div class=""> FROM</div><div class=""> vtiger_user2role</div><div class=""> INNER JOIN vtiger_users ON <a href="http://vtiger_users.id" class="">vtiger_users.id</a> = vtiger_user2role.userid</div><div class=""> INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid</div><div class=""> WHERE</div><div class=""> vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'</div><div class="">)</div></font></div><div class=""><br class=""></div><div class="">Debugging lead me to find that </div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Menlo; background-color: rgb(216, 185, 255);" class=""><br class=""></span></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Menlo; background-color: rgb(216, 185, 255);" class="">WHERE </span><span style="background-color: rgb(216, 185, 255);" class=""><font color="#000000" face="Menlo" class=""><span style="caret-color: rgb(0, 0, 0);" class="">vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%’</span></font></span></div><div class=""><br class=""><div class="">Leada to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in check for the roles that are less and equal than the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank</div><div class=""><br class=""></div><div class="">If this is the intended way to work how this query is supposed to check for groups? </div><div class=""><br class="webkit-block-placeholder"></div><div class="">I’m trying to modify it to something like this</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255);" class=""><font color="#9b70b1" face="Menlo" class=""><span style="caret-color: rgb(155, 112, 177);" class="">$permittedUsers = $adb->pquery("
SELECT userid
FROM vtiger_cv2users
WHERE cvid = ? AND userid = ?
", [$record_id, $current_user->id]);
$permittedRoles = $adb->pquery("
SELECT roleid
FROM `vtiger_user2role`
WHERE userid = ? and roleid in (
select roleid
from vtiger_cv2role
where cvid = ?
UNION
select rsid
from vtiger_cv2rs
where cvid = ?
)
", [$current_user->id, $record_id, $record_id]);
$permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';</span></font></pre><div class="">For groups I’m thinking of a clever way to check… Any suggestions?</div></div><div class=""><br class=""></div><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div>Best Regards,<br class="">Sukhdev Mohan<br class="">———————————</div><div>Cel. (+39) 320 7020345<br class=""><a href="mailto:s.mohan@myti.it" class="">Email s.mohan@myti.it</a></div></div></div><br class=""></div></body></html>