<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Uma,<div class=""><br class=""></div><div class="">The CEO in my case is also the admin.</div><div class=""><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div>Best Regards,<br class="">Sukhdev Mohan<br class="">———————————</div><div>Cel. (+39) 320 7020345<br class=""><a href="mailto:s.mohan@myti.it" class="">Email s.mohan@myti.it</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">Il giorno 21 mag 2020, alle ore 08:45, Uma S <<a href="mailto:uma.s@vtiger.com" class="">uma.s@vtiger.com</a>> ha scritto:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Sukhdev,<div class=""><br class=""></div><div class="">Thanks! for the detailed explanation of the issue.</div><div class=""><br class=""></div><div class="">I analyzed this case by creating a ceo user with non-admin privilege and another user say test as SalesManager role.</div><div class=""><br class=""></div><div class="">Now creating the filter in Contacts module as ceo and sharing with SalesManager, I found that both SalesManager and Ceo has access to the filter.</div><div class=""><br class=""></div><div class="">Because when he login as ceo user, it enters the ($action != 'ChangeStatus') loop in isPermittedCustomView() api of CustomView.php and Satisfies the condition ($userid == $current_user->id). So it returns the permission as yes.</div><div class=""><br class=""></div><div class="">Please do let me know if my case scenario was right or not?</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 16, 2020 at 2:19 AM Sukhdev Mohan <<a href="mailto:s.mohan@myti.it" class="">s.mohan@myti.it</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class="">Hi Uma,<div class=""><br class=""></div><div class="">Since the problem still persists, I’m here again. I’ll try to explain the problem as clearly as possible.</div><div class=""><br class=""></div><div class="">In one of the installation we have, they are facing multiple problems with custom views: The CEO created a custom view and shared it with one of the users, but the latter can’t access it.</div><div class="">The problem seems in CustomView.php in the function <span style="color:rgb(167,95,0);font-family:Menlo;background-color:rgb(255,255,255)" class="">isPermittedCustomView</span><font class=""><span style="background-color:rgb(255,255,255)" class=""> </span><span style="background-color:rgba(255,255,255,0)" class="">specifically in the query:</span></font></div><div class=""><font face="Menlo" class=""><span style="background-color:rgba(255,255,255,0)" class=""><br class=""></span></font></div><div class=""><font face="Menlo" style="background-color:rgb(216,185,255)" class=""><div class="">SELECT</div><div class=""> <a href="http://vtiger_users.id/" target="_blank" class="">vtiger_users.id</a></div><div class="">FROM</div><div class=""> vtiger_customview</div><div class="">INNER JOIN vtiger_users WHERE vtiger_customview.cvid = ? AND vtiger_customview.userid IN(</div><div class=""> SELECT</div><div class=""> vtiger_user2role.userid</div><div class=""> FROM</div><div class=""> vtiger_user2role</div><div class=""> INNER JOIN vtiger_users ON <a href="http://vtiger_users.id/" target="_blank" class="">vtiger_users.id</a> = vtiger_user2role.userid</div><div class=""> INNER JOIN vtiger_role ON vtiger_role.roleid = vtiger_user2role.roleid</div><div class=""> WHERE</div><div class=""> vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%'</div><div class="">)</div></font></div><div class=""><br class=""></div><div class="">Debugging lead me to find that </div><div class=""><span style="font-family: Menlo; background-color: rgb(216, 185, 255);" class=""><br class=""></span></div><div class=""><span style="font-family: Menlo; background-color: rgb(216, 185, 255);" class="">WHERE </span><span style="background-color:rgb(216,185,255)" class=""><font face="Menlo" class=""><span class="">vtiger_role.parentrole LIKE '%" . $current_user_parent_role_seq . "::%’</span></font></span></div><div class=""><br class=""><div class="">Leada to an empty set. Why? Because $current_user_parent_role for the user who can’t access is H1::H2::H10 while the parent role of CEO is H1::H2. Since it’s checking the parent role for the current user and NOT the parent user role of the creator, this results in check for the roles that are less and equal than the current one, which makes the scenario where a higher role shares a custom view with someone with lower rank</div><div class=""><br class=""></div><div class="">If this is the intended way to work how this query is supposed to check for groups? </div><div class=""><br class=""></div><div class="">I’m trying to modify it to something like this</div><div class=""><br class=""></div><div class=""><pre style="background-color:rgb(255,255,255)" class=""><font color="#9b70b1" face="Menlo" class=""><span class="">$permittedUsers = $adb->pquery("
SELECT userid
FROM vtiger_cv2users
WHERE cvid = ? AND userid = ?
", [$record_id, $current_user->id]);
$permittedRoles = $adb->pquery("
SELECT roleid
FROM `vtiger_user2role`
WHERE userid = ? and roleid in (
select roleid
from vtiger_cv2role
where cvid = ?
UNION
select rsid
from vtiger_cv2rs
where cvid = ?
)
", [$current_user->id, $record_id, $record_id]);
$permission = ($adb->num_rows($permittedUsers)) ? 'yes' : 'no';</span></font></pre><div class="">For groups I’m thinking of a clever way to check… Any suggestions?</div></div><div class=""><br class=""></div><div class="">
<div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><div class="">Best Regards,<br class="">Sukhdev Mohan<br class="">———————————</div><div class="">Cel. (+39) 320 7020345<br class=""><a href="mailto:s.mohan@myti.it" target="_blank" class="">Email s.mohan@myti.it</a></div></div></div><br class=""></div></div>_______________________________________________<br class="">
<a href="http://www.vtiger.com/" rel="noreferrer" target="_blank" class="">http://www.vtiger.com/</a></blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div dir="ltr" class="gmail_signature"><div dir="ltr" class="">With<br class="">Best Regards<br class="">Uma.S<br class=""><div class="">Vtiger Team</div></div></div>
_______________________________________________<br class=""><a href="http://www.vtiger.com/" class="">http://www.vtiger.com/</a></div></blockquote></div><br class=""></div></body></html>