Inadvertent change to user access and permissions


  • Inadvertent change to user access and permissions

    After setting up a general sales team and general sales role with limited assignment, scope and field-level permissions, on several occasions the access/permissions for one or more users assigned to this team and role have changed to having full assignment and scope-level permissions. The change in user access occurs without any purposeful change to the user's team or role assignment. This glitch or bug seems to occur randomly when mass updates are made to Accounts, Opportunities and/or Leads, but I'm not sure exactly what is causing this to happen. The attached screenshots show the general sales team and role user settings, the general sales team settings, the general sales role scope and field-level settings, and the user's access settings after this glitch occurs.
    Last edited by krisk; 04-19-2016, 07:03 PM.

  • #2
    Also, this problem has occurred on two separate instances of EspoCRM, one upgraded to 4.0.4 from 3.9.2 and the other upgraded to 4.0.4 from 4.0.2.


    • #3
      Thank you for the report. We will investigate.
      Last edited by yuri; 04-25-2016, 12:04 PM.



      • #4
        Does it happen to the user that made the mass update?


        • #5
          Unfortunately, I could not reproduce it, but I will try more. Could you try making a small change? Maybe it will solve it:


          application/Espo/Core/AclManager.php

          change $key = spl_object_hash($user);
          to
          $key = $user->id;

          Thanks

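The key change suggested in post #5 addresses a general hazard: PHP documents that the value returned by `spl_object_hash()` may be reused once the object is destroyed, so a permission cache keyed on it can serve one user's table to another. The following is an added illustration, not EspoCRM code and not established as the cause of this report; `User`, `AclCache`, `run` and the permission levels are hypothetical.

```php
<?php
// Constructed illustration; User and AclCache are hypothetical, not EspoCRM classes.
class User
{
    public $id;
    public $isAdmin;
    public function __construct($id, $isAdmin)
    {
        $this->id = $id;
        $this->isAdmin = $isAdmin;
    }
}

class AclCache
{
    private $tables = [];
    private $keyFn;
    public function __construct(callable $keyFn)
    {
        $this->keyFn = $keyFn;
    }

    // Build the permission level once per cache key, then reuse it.
    public function getLevel(User $user)
    {
        $key = call_user_func($this->keyFn, $user);
        if (!isset($this->tables[$key])) {
            $this->tables[$key] = $user->isAdmin ? 'all' : 'own';
        }
        return $this->tables[$key];
    }
}

function run(callable $keyFn)
{
    $cache = new AclCache($keyFn);
    $admin = new User('admin-1', true);
    $cache->getLevel($admin);              // cached under the admin's key
    $adminHash = spl_object_hash($admin);
    unset($admin);                         // freed: PHP may hand its hash to a new object
    $sales = new User('sales-7', false);
    return [
        'hash_reused' => spl_object_hash($sales) === $adminHash,
        'sales_level' => $cache->getLevel($sales), // stale entry is served if the key collides
    ];
}

var_dump(run('spl_object_hash'));                      // keyed on object identity
var_dump(run(function (User $u) { return $u->id; })); // keyed on the stable user id
```

Whether the collision happens depends on when PHP frees and reallocates objects, so a fault of this kind shows up intermittently; keying on the user id removes that dependency.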


          • #6
            I think it has occurred only when a user with administrative status makes the mass updates. Again, I'm not sure the mass updates are causing this problem to occur. I made your suggested modification to application/Espo/Core/AclManager.php in one of my instances and will let you know if this problem recurs.

            Thanks.



            • #7
              Does it affect real user permissions, so that the user can perform actions that are not permitted? Or does it just display the wrong permissions? When the issue occurs, how does it get reset to the proper permissions? After clearing the cache?

              Thanks



              • #8
                It affects real user permissions as well as the display showing the wrong user permissions. For example, after the change occurs, the non-admin user assigned to the General Sales Team and General Sales Role can make team and user assignments and can see Opportunity/Sales Amount. Clearing the cache doesn't correct the problem. I have to edit the settings for that user (while I'm logged in as an administrator), first by deleting the team and role settings and saving and then re-editing the user's settings to add back the team and role settings. Once I've done that, the problem is corrected.
                Last edited by krisk; 04-26-2016, 11:23 PM.



                • #9
                  Hmm, the fact that clearing the cache doesn't help is surprising. BTW, what PHP version do you have? Is it a Linux Apache server?


                  • #10
                    PHP Version 5.5.9-1ubuntu4.14. Ubuntu Apache server.


                    • #11
                      Please let me know if the issue still occurs after the change. Thanks.



                      • #12
                        The issue has occurred twice since implementing the change. However, I have not been able to replicate it consistently or pinpoint the cause. I'm going to reinstall 4.0.4 and start from scratch, in case I've done something that's causing this problem. Anyway, I don't think the modification you suggested has had any effect, so I would not recommend incorporating this change into the next release.


                        • #13
                          I don't think a reinstall will help unless you made some manual changes in core files.
                          Last edited by yuri; 05-03-2016, 06:18 AM.



                          • #14
                            I haven't made any manual changes inside the /application/Espo/Core/ directory, except for the change you suggested above, which I have undone.

                            Thanks.



                            • #15
                              Temporary fix, but not final:

                              application/Espo/Core/Acl/Table.php

                              Change method getRoleList to
                              PHP Code:
                                  protected function getRoleList()
                                  {
                                      $roleList = [];

                                      // Roles assigned directly to the user; fail if the relation did not load as a list.
                                      $userRoleList = $this->getUser()->get('roles');
                                      if (!(is_array($userRoleList) || $userRoleList instanceof \Traversable)) {
                                          throw new Error();
                                      }
                                      foreach ($userRoleList as $role) {
                                          $roleList[] = $role;
                                      }

                                      // Roles inherited through the user's teams, with the same check on the team list.
                                      $teamList = $this->getUser()->get('teams');
                                      if (!(is_array($teamList) || $teamList instanceof \Traversable)) {
                                          throw new Error();
                                      }
                                      foreach ($teamList as $team) {
                                          $teamRoleList = $team->get('roles');
                                          foreach ($teamRoleList as $role) {
                                              $roleList[] = $role;
                                          }
                                      }

                                      return $roleList;
                                  }
                              Last edited by yuri; 05-04-2016, 12:51 PM.
