Inadvertent change to user access and permissions

  • krisk
    Member
    • Dec 2015
    • 44

    After setting up a general sales team and general sales role with limited assignment, scope and field-level permissions, on several occasions the access/permissions for one or more users assigned to this team and role have changed to having full assignment and scope-level permissions. The change in user access occurs without any purposeful change to the user's team or role assignment. This glitch or bug seems to occur randomly when mass updates are made to Accounts, Opportunities and/or Leads, but I'm not sure exactly what is causing this to happen. The attached screenshots show the general sales team and role user settings, the general sales team settings, the general sales role scope and field-level settings, and the user's access settings after this glitch occurs.
    Last edited by krisk; 04-19-2016, 07:03 PM.
  • krisk
    Member
    • Dec 2015
    • 44

    #2
    Also, this problem has occurred on two separate instances of EspoCRM, one upgraded to 4.0.4 from 3.9.2 and the other upgraded to 4.0.4 from 4.0.2.


    • yuri
      Member
      • Mar 2014
      • 8440

      #3
      Thank you for the report. We will investigate.
      Last edited by yuri; 04-25-2016, 12:04 PM.
      If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.


      • yuri
        Member
        • Mar 2014
        • 8440

        #4
        Does it happen to the user who made the mass update?

        • yuri
          Member
          • Mar 2014
          • 8440

          #5
          Unfortunately I could not reproduce it, but I will try more. You could try a small change; maybe it will solve it:


          application/Espo/Core/AclManager.php

          change $key = spl_object_hash($user);
          to
          $key = $user->id;

          Thanks
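Why the cache key matters, as an added example that is not EspoCRM code and not part of any post in this thread (the class names FakeUser and AclCache and the permission table are made up for illustration): a per-request ACL table cache keyed by spl_object_hash() can hand a freshly loaded user the table that was built for an earlier, already destroyed user object, because PHP may reuse a freed object's handle and therefore its hash. Keying by the user id cannot collide that way.

```php
<?php
// Added example, not EspoCRM code. Demonstrates the cache-key problem behind
// the spl_object_hash() -> $user->id change suggested above, using made-up
// class names (FakeUser, AclCache) and a made-up permission table.
// Written to run on PHP 5.5 and later.

class FakeUser
{
    public $id;
    public $role;

    public function __construct($id, $role)
    {
        $this->id = $id;
        $this->role = $role;
    }
}

// Minimal stand-in for a per-request ACL table cache. $keyFn decides how a
// user object is turned into a cache key: the risky variant uses
// spl_object_hash(), the safer variant uses the user's id.
class AclCache
{
    private $tables = array();
    private $keyFn;

    public function __construct($keyFn)
    {
        $this->keyFn = $keyFn;
    }

    // Build the table on first use (expensive in a real system), then cache it.
    public function getTable(FakeUser $user)
    {
        $key = call_user_func($this->keyFn, $user);
        if (!isset($this->tables[$key])) {
            $this->tables[$key] = ($user->role === 'admin')
                ? array('assignment' => 'all', 'scope' => 'all')
                : array('assignment' => 'team', 'scope' => 'team');
        }
        return $this->tables[$key];
    }
}

function runScenario($keyFn)
{
    $cache = new AclCache($keyFn);

    // 1. An admin's table is built and cached during a request.
    $admin = new FakeUser('admin-1', 'admin');
    $cache->getTable($admin);

    // 2. The admin object goes out of scope. PHP frees its object handle,
    //    and the next object created may get the same handle and hash.
    unset($admin);

    // 3. A restricted sales user is loaded into the recycled slot and its
    //    permissions are looked up through the same cache.
    $sales = new FakeUser('sales-7', 'sales');
    return $cache->getTable($sales);
}

$byHash = runScenario(function ($u) { return spl_object_hash($u); });
$byId   = runScenario(function ($u) { return $u->id; });

echo "keyed by spl_object_hash: ", json_encode($byHash), PHP_EOL;
echo "keyed by user id:         ", json_encode($byId), PHP_EOL;
```

Run it with `php`. On builds that recycle a freed object handle immediately (PHP 7 and later do; 5.x commonly does as well) the first line shows the admin table for the sales user and the second line shows the restricted table. This only shows the class of bug the suggested change guards against; whether it was the cause of the behaviour reported in this thread is not established here.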

          • krisk
            Member
            • Dec 2015
            • 44

            #6
            I think it has occurred only when a user with administrative status makes the mass updates. Again, I'm not sure the mass updates are causing this problem to occur. I made your suggested modification to application/Espo/Core/AclManager.php in one of my instances and will let you know if this problem recurs.

            Thanks.


            • yuri
              Member
              • Mar 2014
              • 8440

              #7
              Does it affect real user permissions, so that the user can perform actions that are not permitted? Or does it just display wrong permissions? When the issue occurs, how does it get reset to the proper permissions? After clearing the cache?

              Thanks

              • krisk
                Member
                • Dec 2015
                • 44

                #8
                It affects real user permissions as well as the display, which shows the wrong user permissions. For example, after the change occurs, the non-admin user assigned to the General Sales Team and General Sales Role can make team and user assignments and can see Opportunity/Sales Amount. Clearing the cache doesn't correct the problem. I have to edit the settings for that user (while I'm logged in as an administrator), first by deleting the team and role settings and saving, and then re-editing the user's settings to add back the team and role settings. Once I've done that, the problem is corrected.
                Last edited by krisk; 04-26-2016, 11:23 PM.


                • yuri
                  Member
                  • Mar 2014
                  • 8440

                  #9
                  Hmm, the fact that clearing the cache doesn't help is surprising. BTW, what PHP version do you have? Is it a Linux Apache server?

                  • krisk
                    Member
                    • Dec 2015
                    • 44

                    #10
                    PHP version 5.5.9-1ubuntu4.14. Ubuntu Apache server.


                    • yuri
                      Member
                      • Mar 2014
                      • 8440

                      #11
                      Please let me know if the issue still occurs after the change. Thanks.

                      • krisk
                        Member
                        • Dec 2015
                        • 44

                        #12
                        The issue has occurred twice since implementing the change. However, I have not been able to replicate it consistently or pinpoint the cause. I'm going to reinstall 4.0.4 and start from scratch, in case I've done something that's causing this problem. Anyway, I don't think the modification you suggested has had any effect, so would not recommend incorporating this change into the next release.


                        • yuri
                          Member
                          • Mar 2014
                          • 8440

                          #13
                          I don't think re-install will help unless you did some manual changes in core files.
                          Last edited by yuri; 05-03-2016, 06:18 AM.

                          • krisk
                            Member
                            • Dec 2015
                            • 44

                            #14
                            I haven't made any manual changes inside the /application/Espo/Core/ directory, except for the change you suggested above, which I have undone.

                            Thanks.


                            • yuri
                              Member
                              • Mar 2014
                              • 8440

                              #15
                              Temporary fix, but not final:

                              application/Espo/Core/Acl/Table.php

                              Change method getRoleList to
                              PHP Code:
                                  // Error here is the exception class already imported in Table.php.
                                  protected function getRoleList()
                                  {
                                      $roleList = [];

                                      // Roles assigned directly to the user. Refuse to continue if the
                                      // relation did not load as something iterable, rather than silently
                                      // building the ACL table from an empty list.
                                      $userRoleList = $this->getUser()->get('roles');
                                      if (!(is_array($userRoleList) || $userRoleList instanceof \Traversable)) {
                                          throw new Error();
                                      }
                                      foreach ($userRoleList as $role) {
                                          $roleList[] = $role;
                                      }

                                      // Roles inherited through the user's teams, with the same check.
                                      $teamList = $this->getUser()->get('teams');
                                      if (!(is_array($teamList) || $teamList instanceof \Traversable)) {
                                          throw new Error();
                                      }
                                      foreach ($teamList as $team) {
                                          $teamRoleList = $team->get('roles');
                                          foreach ($teamRoleList as $role) {
                                              $roleList[] = $role;
                                          }
                                      }

                                      return $roleList;
                                  }
                              
                              Last edited by yuri; 05-04-2016, 12:51 PM.
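What the extra checks in that fix buy you, as an added example that is not EspoCRM code and not part of the post above: a stand-alone harness that runs the same strict checks against a made-up entity whose teams relation fails to load, next to a lenient variant that treats an unloaded relation as "no roles". FakeEntity and AclError are stand-ins (AclError plays the part of Espo's Error exception); the role and team data are constructed for the run.

```php
<?php
// Added example, not EspoCRM code. Contrasts fail-closed role resolution
// (the checks from the fix above) with a lenient version that silently
// drops roles when a relation comes back as null. Runs on PHP 5.5 and later.

class AclError extends Exception {}

// Stand-in for an ORM entity: get() returns whatever the test handed in,
// so a missing key mimics a relation that was never loaded.
class FakeEntity
{
    private $attrs;

    public function __construct(array $attrs)
    {
        $this->attrs = $attrs;
    }

    public function get($name)
    {
        return isset($this->attrs[$name]) ? $this->attrs[$name] : null;
    }
}

// Lenient: a relation that came back null contributes no roles and nothing
// complains. The caller then has to decide what an empty list means.
function getRoleListLenient(FakeEntity $user)
{
    $roleList = array();
    foreach ((array) $user->get('roles') as $role) {
        $roleList[] = $role;
    }
    foreach ((array) $user->get('teams') as $team) {
        foreach ((array) $team->get('roles') as $role) {
            $roleList[] = $role;
        }
    }
    return $roleList;
}

// Strict: same shape as the fix above. A relation that is neither an array
// nor Traversable aborts the ACL build instead of yielding a partial list.
function getRoleListStrict(FakeEntity $user)
{
    $roleList = array();

    $userRoleList = $user->get('roles');
    if (!(is_array($userRoleList) || $userRoleList instanceof Traversable)) {
        throw new AclError('roles relation not loaded');
    }
    foreach ($userRoleList as $role) {
        $roleList[] = $role;
    }

    $teamList = $user->get('teams');
    if (!(is_array($teamList) || $teamList instanceof Traversable)) {
        throw new AclError('teams relation not loaded');
    }
    foreach ($teamList as $team) {
        foreach ($team->get('roles') as $role) {
            $roleList[] = $role;
        }
    }
    return $roleList;
}

// Constructed data: one team carrying the restricted role, no direct roles.
$salesRole = new FakeEntity(array('name' => 'General Sales'));
$team      = new FakeEntity(array('roles' => array($salesRole)));

$healthy = new FakeEntity(array('roles' => array(), 'teams' => array($team)));
$broken  = new FakeEntity(array('roles' => array()));   // teams never loaded

echo count(getRoleListLenient($healthy)), " role(s), healthy user, lenient", PHP_EOL;
echo count(getRoleListStrict($healthy)),  " role(s), healthy user, strict", PHP_EOL;
echo count(getRoleListLenient($broken)),  " role(s), broken user, lenient", PHP_EOL;
try {
    getRoleListStrict($broken);
} catch (AclError $e) {
    echo "strict version refused: ", $e->getMessage(), PHP_EOL;
}
```

The lenient variant returns one role for the healthy user and zero for the broken one, with nothing to tell the two apart from the caller's side; the strict variant returns one role for the healthy user and throws for the broken one. Whether an empty role list ends up meaning "no access" or "no restriction" depends on the code that consumes it, and the strict checks avoid having to answer that question for a relation that never loaded.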
