Announcement

Collapse
No announcement yet.

Create buttons visible even though role does not permit it

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Create buttons visible even though role does not permit it

    If a user belongs to a role that does not permit them to create records of a custom module, the record create button is still visible to them in list view and in the record view subpanels of a different but related module.

    This is the list view of the custom entity:
    Click image for larger version

Name:	image.png
Views:	289
Size:	18.2 KB
ID:	92713

    This is the subpanel of a related module, you can see the + button on the right:
    Click image for larger version

Name:	image.png
Views:	153
Size:	4.3 KB
ID:	92716

    This is what is shown when you open permissions view of the user:
    Click image for larger version

Name:	image.png
Views:	149
Size:	10.5 KB
ID:	92715
    Steps to reproduce:
    1. Create new entity via entity manager
    2. Create role that does not allow create-access to that entity
    3. Assign a non-admin user this role
    4. E.g. in list views and record views of related modules you can see create buttons. A click opens the create view and the user will only see 403 error after clicking save.

    Thank you for looking into this!
    Attached Files

  • #2
    i have gone through the same steps and everything is working fine, create is not shown on list and also on panels. i am sure you have missed something make sure that the user doesn't belong to a team with a role that has permission to create the entity.

    Comment


    • #3
      Hi jeff11,

      I also cannot reproduce your error. Please tell me which version of EspoCRM are you using? Have you tried disabling all third party extensions, refreshing the page and trying again?

      Comment


      • #4
        Hi jeff11
        could it be that the user is in a team that has a role with the permission to create records in your custom entity?

        I think this may be the case.

        Comment


        • #5
          Thanks everyone! At last I figured it out myself. I had created an extension of ACL metadata in the past and a bug there caused the incorrect behavior. Case closed.

          Comment

          Working...
          X