<div dir="ltr">Hi Sukhdev,<div><br></div><div>Even this works without any issue, Which satisfies the condition ($is_admin) so permission will be returned as yes.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 21, 2020 at 12:49 PM Sukhdev Mohan <<a href="mailto:s.mohan@myti.it">s.mohan@myti.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Hi Uma,<div><br></div><div>The CEO in my case is also the admin.</div><div><br><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>Best Regards,<br>Sukhdev Mohan<br>———————————</div><div>Cel. (+39) 320 7020345<br><a href="mailto:s.mohan@myti.it" target="_blank">Email s.mohan@myti.it</a></div><div><br></div></div><br><br>
</div>
<div><br><blockquote type="cite"><div>Il giorno 21 mag 2020, alle ore 08:45, Uma S <<a href="mailto:uma.s@vtiger.com" target="_blank">uma.s@vtiger.com</a>> ha scritto:</div><br><div><div dir="ltr">Hi Sukhdev,<div><br></div><div>Thanks! for the detailed explanation of the issue.</div><div><br></div><div>I analyzed this case by creating a ceo user with non-admin privilege and another user say test as SalesManager role.</div><div><br></div><div>Now creating the filter in Contacts module as ceo and sharing with SalesManager, I found that both SalesManager and Ceo has access to the filter.</div><div><br></div><div>Because when he login as ceo user, it enters the ($action != 'ChangeStatus') loop in isPermittedCustomView() api of CustomView.php and Satisfies the condition ($userid == $current_user->id). So it returns the permission as yes.</div><div><br></div><div>Please do let me know if my case scenario was right or not?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <<a href="mailto:s.mohan@myti.it" target="_blank">s.mohan@myti.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi Uma,<div><br></div><div>Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.</div><div><br></div><div>In one of the installation we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.</div><div>The problem seems in CustomView.php in the function <span style="color:rgb(167,95,0);font-family:Menlo;background-color:rgb(255,255,255)">isPermittedCustomView</span><font><span style="background-color:rgb(255,255,255)"> </span><span style="background-color:rgba(255,255,255,0)">specifically in the query:</span></font></div><div><font face="Menlo"><span style="background-color:rgba(255,255,255,0)"><br></span></font></div><div><font face="Menlo" style="background-color:rgb(216,185,255)"><div>SELECT</div><div> <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a></div><div>FROM</div><div> vtiger_customview</div><div>INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(</div><div> SELECT</div><div> vtiger_user2role.userid</div><div> FROM</div><div> vtiger_user2role</div><div> INNER JOIN vtiger_users ON <a href="http://vtiger_users.id/" target="_blank">vtiger_users.id</a> = vtiger_user2role.userid</div><div> INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid</div><div> WHERE</div><div> vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'</div><div>)</div></font></div><div><br></div><div>Debugging lead me to find that </div><div><span style="font-family:Menlo;background-color:rgb(216,185,255)"><br></span></div><div><span style="font-family:Menlo;background-color:rgb(216,185,255)">WHERE </span><span style="background-color:rgb(216,185,255)"><font face="Menlo"><span>vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%’</span></font></span></div><div><br><div>Leada to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in check for the roles that are less and equal than the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank</div><div><br></div><div>If this is the intended way to work how this query is supposed to check for groups? </div><div><br></div><div>I’m trying to modify it to something like this</div><div><br></div><div><pre style="background-color:rgb(255,255,255)"><font color="#9b70b1" face="Menlo"><span>$permittedUsers = $adb->pquery("
SELECT userid
FROM vtiger_cv2users
WHERE cvid = ? AND userid = ?
", [$record_id, $current_user->id]);
$permittedRoles = $adb->pquery("
SELECT roleid
FROM `vtiger_user2role`
WHERE userid = ? and roleid in (
select roleid
from vtiger_cv2role
where cvid = ?
UNION
select rsid
from vtiger_cv2rs
where cvid = ?
)
", [$current_user->id, $record_id, $record_id]);
$permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';</span></font></pre><div>For groups I’m thinking of a clever way to check… Any suggestions?</div></div><div><br></div><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>Best Regards,<br>Sukhdev Mohan<br>———————————</div><div>Cel. (+39) 320 7020345<br><a href="mailto:s.mohan@myti.it" target="_blank">Email s.mohan@myti.it</a></div></div></div><br></div></div>_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>
_______________________________________________<br><a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a></div></blockquote></div><br></div></div>_______________________________________________<br>
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank">http://www.vtiger.com/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">With<br>Best Regards<br>Uma.S<br><div>Vtiger Team</div></div></div>