Portal users cannot access emails

  • jacao
    Member
    • Mar 2024
    • 53

    #1

    Portal users cannot access emails

    Hello,

    I'm facing an issue where a portal user cannot access email messages. The permissions are set to the Account level. The messages are visible in the History panel, but clicking on them results in a 403 error. However, if the portal user (via the linked Contact) is the sender of the email, the message content can be displayed without issues.

    When I raise the portal user’s permission level to All, they are able to view all messages. When I lower it to Contact, only their own messages (sent by or addressed to them) are visible in the History panel and accessible as expected.

    With Account-level permissions I would expect the portal user to have access to all emails related to the Account they are linked to. The list in the History panel reflects this correctly. However, the Emails module — which displays the email contents — and the Stream (where these emails are embedded) do not follow the same logic.

    The portal user is linked to the same Account as the one associated with the email. I’ve tested this with multiple users and verified permissions and email associations. In my setup, most emails are primarily linked to a Case, but changing the parent entity does not affect this behavior.

    Roles:

    [Attached image: image.png]

    Portal user view (on Case):

    [Attached image: image.png]


    Email view by admin:

    [Attached image: image.png]

    Portal user configuration:

    [Attached image: image.png]

    EspoCRM version: 9.1.8.

    Any ideas? Thanks in advance...

    Regards, Jacek
  • victor
    Active Community Member
    • Aug 2022
    • 995

    #2
    Try to put the current account "Urząd Gminy Gruszkowo" as Parent in these emails, and not the entry of Case "Ikona przesunęła się", as in your screenshot.


    • jacao
      Member
      • Mar 2024
      • 53

      #3
      Changing the parent to Account on the email record changes... nothing. I've mentioned it.


      • victor
        Active Community Member
        • Aug 2022
        • 995

        #4
        Does the Portal User have the same email address in the Email field as the Account or Contact in their Contact or Account profile?


        • jacao
          Member
          • Mar 2024
          • 53

          #5
          Yes, it does. The portal user is created on the Contact and has the same email and Account assignment. As I wrote, all other Access roles work properly except the Account level. The portal user sees the list of emails (all emails connected with the account) but cannot see the body of any of them (only of his own).


          • jacao
            Member
            • Mar 2024
            • 53

            #6
            We tested our case on Espo versions 9.1.7 and 8.4.2, and the behavior is exactly the same. The logs indicate a lack of access:

            Code:
            [2025-08-07 08:27:45] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/68835e8b8e20514d4; Route pattern: /{portalId}/{controller}/{id}; Route params: Array (     [controller] => Email     [action] => read     [id] => 68835e8b8e20514d4     [portalId] => 678e414d0e24731ff )
            [2025-08-07 08:27:45] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/68835e8b8e20514d4 :: /var/www/html/application/Espo/Core/Record/Service.php(276)
            [2025-08-07 08:27:49] DEBUG: BPM: processPendingFlows (all)
            [2025-08-07 08:27:49] DEBUG: BPM: processTriggeredSignals
            [2025-08-07 08:27:53] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/689367621ca17b39a; Route pattern: /{portalId}/{controller}/{id}; Route params: Array (     [controller] => Email     [action] => read     [id] => 689367621ca17b39a     [portalId] => 678e414d0e24731ff )
            [2025-08-07 08:27:53] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/689367621ca17b39a :: /var/www/html/application/Espo/Core/Record/Service.php(276)
            Please note that the issue affects only the Email entity and only when the permission level is set to Account. Moreover, changing the permission level from Contact to Account correctly exposes the list of emails related to the organization (as expected), but access to the email content itself is still denied.

            In my opinion, this is a system bug. yuri, I kindly ask you to take a look and share your thoughts on this issue.

            Comment
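
For triaging the denials in the log excerpt from post #6, here is an added example (not part of the thread and not EspoCRM code) that extracts which portal, entity and record ids were refused. The function names `parse_denials` and `summarize` are hypothetical, and the `/{portalId}/{controller}/{id}` path shape is taken from the route pattern shown in the log.

```python
import re
from collections import defaultdict

# Log lines copied from post #6 above; the BPM line is unrelated noise.
SAMPLE_LOG = """\
[2025-08-07 08:27:45] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/68835e8b8e20514d4; Route pattern: /{portalId}/{controller}/{id}; Route params: Array (     [controller] => Email     [action] => read     [id] => 68835e8b8e20514d4     [portalId] => 678e414d0e24731ff )
[2025-08-07 08:27:45] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/68835e8b8e20514d4 :: /var/www/html/application/Espo/Core/Record/Service.php(276)
[2025-08-07 08:27:49] DEBUG: BPM: processPendingFlows (all)
[2025-08-07 08:27:53] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/689367621ca17b39a; Route pattern: /{portalId}/{controller}/{id}; Route params: Array (     [controller] => Email     [action] => read     [id] => 689367621ca17b39a     [portalId] => 678e414d0e24731ff )
[2025-08-07 08:27:53] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/689367621ca17b39a :: /var/www/html/application/Espo/Core/Record/Service.php(276)
"""

DEBUG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] DEBUG: API \((?P<status>\d{3})\) (?P<msg>.*?); "
                      r"(?P<method>[A-Z]+) (?P<path>[^;\s]+); ")
NOTICE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE: \((?P<status>\d{3})\) (?P<msg>.*?) :: "
                       r"(?P<method>[A-Z]+) (?P<path>\S+) :: ")
ACTION_RE = re.compile(r"No '(\w+)' access")


def parse_denials(text):
    """One record per denied portal request; each request appears at DEBUG and NOTICE."""
    seen, denials = set(), []
    for line in text.splitlines():
        m = DEBUG_RE.match(line) or NOTICE_RE.match(line)
        if not m or m["status"] != "403":
            continue
        parts = m["path"].strip("/").split("/")
        action = ACTION_RE.search(m["msg"])
        if len(parts) != 3 or not action:  # only /{portalId}/{controller}/{id} routes
            continue
        key = (m["ts"], m["method"], m["path"])
        if key in seen:  # same second, method and path: the DEBUG/NOTICE pair
            continue
        seen.add(key)
        denials.append({"ts": m["ts"], "portal": parts[0], "entity": parts[1],
                        "action": action.group(1), "id": parts[2]})
    return denials


def summarize(denials):
    """Group denied record ids by (portal, entity, action)."""
    groups = defaultdict(list)
    for d in denials:
        groups[(d["portal"], d["entity"], d["action"])].append(d["id"])
    return dict(groups)


if __name__ == "__main__":
    print(summarize(parse_denials(SAMPLE_LOG)))
```

Because the parser accepts either log level, it also works on installations that log at NOTICE only; two genuinely separate requests for the same record within one second would be counted once.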

            • arturkulik
              Member
              • Apr 2025
              • 41

              #7
              Originally posted by jacao
              We tested our case on Espo versions 9.1.7 and 8.4.2, and the behavior is exactly the same. The logs indicate a lack of access:

              Code:
              [2025-08-07 08:27:45] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/68835e8b8e20514d4; Route pattern: /{portalId}/{controller}/{id}; Route params: Array ( [controller] => Email [action] => read [id] => 68835e8b8e20514d4 [portalId] => 678e414d0e24731ff )
              [2025-08-07 08:27:45] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/68835e8b8e20514d4 :: /var/www/html/application/Espo/Core/Record/Service.php(276)
              [2025-08-07 08:27:49] DEBUG: BPM: processPendingFlows (all)
              [2025-08-07 08:27:49] DEBUG: BPM: processTriggeredSignals
              [2025-08-07 08:27:53] DEBUG: API (403) No 'read' access.; GET /678e414d0e24731ff/Email/689367621ca17b39a; Route pattern: /{portalId}/{controller}/{id}; Route params: Array ( [controller] => Email [action] => read [id] => 689367621ca17b39a [portalId] => 678e414d0e24731ff )
              [2025-08-07 08:27:53] NOTICE: (403) No 'read' access. :: GET /678e414d0e24731ff/Email/689367621ca17b39a :: /var/www/html/application/Espo/Core/Record/Service.php(276)
              Please note that the issue affects only the Email entity and only when the permission level is set to Account. Moreover, changing the permission level from Contact to Account correctly exposes the list of emails related to the organization (as expected), but access to the email content itself is still denied.

              In my opinion, this is a system bug. yuri, I kindly ask you to take a look and share your thoughts on this issue.

              Even though the portal user role has access to the Account's emails,

              [Attached image: image.png]
              the user can read only the account's emails created by himself. He sees the list of all related emails, but reading is restricted to his own.
              Last edited by arturkulik; 08-11-2025, 08:59 AM.


              • victor
                Active Community Member
                • Aug 2022
                • 995

                #8
                Why this could happen:

                - It seems that initially you created a certain Contact A and/or Account B with the email address 1@.test.com.
                - You corresponded and all emails were relayed to Contact A and/or Account B with the email address 1@.test.com.
                - Then from this Contact A you created a Portal User C with the email address 1@.test.com and emails in the "History" of Portal User C also started to appear.
                - The problem is that until the email address 1@.test.com was specified in the Portal User C profile, he did not/does not/will not have access to emails where he was added to the Assigned User or Assigned Users field. The display of these fields is configured in Administration > Entity Manager > Email > Layouts > Side Panel Fields.

                [Attached image: image.png]

                How to avoid 403 error with old emails:

                - Add Portal User C to each problematic email as an Assigned User.
                - This needs to be done for each individual email, or create an email or workflow that will change the Assigned User field to Portal User C. Please note that for old emails in this context, the Assigned User field is required, not Assigned Users.

                [Attached image: image.png]


                How to avoid 403 error with new emails:

                1. Add the email address 1@.test.com of Portal User C to the Email field in his user profile.
                2. Now every new email in the Assigned Users field will automatically include Portal User C.

                [Attached image: image.png]
                [Attached image: image.png]
                Last edited by victor; 08-11-2025, 10:36 AM.



                • arturkulik
                  arturkulik commented
                  Thank you, I'll test it tomorrow.
              • jacao
                Member
                • Mar 2024
                • 53

                #9
                Thank you, Victor, for your creative approach and suggested workaround. It may be sufficient as a temporary fix, but I can’t accept that this is how it’s supposed to work in the long run.

                As for the use case and reproduction steps, here’s what it looks like:
                1. I create a new organization “Account B” in EspoCRM.
                2. I add two contacts to this organization: Contact No. 1 with email contact_1@ and Contact No. 2 with email contact_2@.
                3. I then create corresponding portal users linked to these contacts and using the same email addresses.
                [Attached image: image.png]

                [Attached image: image.png]

                Next, I send emails to a group mailbox linked with Cases. New cases are created as expected. The emails are correctly linked to Account B, and the user is also added to Assigned Users.

                [Attached image: image.png]

                At this point, I believe that with portal user permissions set to Email → Read [Account], the emails should be visible to both portal users No. 1 and No. 2. This works correctly for the email list, but not for the email content itself.

                I’d like to highlight that for other entities (e.g., Contact or custom entities), Read [Account] permissions work properly and intuitively. It really looks like this issue occurs only with the Email entity. In fact, in /espo/application/Espo/Classes/AclPortal/ there are dedicated files handling permissions for four entities, including Email (as well as Attachment, Note, Notification, and Email).

                I’ve tested this across multiple fresh EspoCRM installations and I’m convinced this is a bug in the core code. Unfortunately, my programming skills are limited, and even with AI assistance I wasn’t able to find a fix. I experimented with modifying the ACL files and even tried custom implementations, but without success.

                I’m a bit surprised that no one else has commented on this yet — it seems as if the feature of sharing emails across portal users within the same organization isn’t being used by others? Or maybe it just hasn’t caught much attention.

                I was also hoping for some confirmation from the Espo developers that this is indeed a bug in the core. It’s not a critical one, but I think it’s worth noting and hopefully could be addressed in one of the upcoming releases.

                TGIF & regards, Jacek



                • victor
                  victor commented
                  In your case: if there is only one Account and more than one Contact, it is more appropriate to provide Email → Read [Contact], not Email → Read [Account].
              • jacao
                Member
                • Mar 2024
                • 53

                #10
                It's just an example to show the problem. Giving more Accounts and users does not solve it.

                We have over 5000 accounts and are preparing to run a portal for more than 50 000 users (5-15 users per account). So it is a problem...


              • jacao
                Member
                • Mar 2024
                • 53

                #11
                I’ll go ahead and do that, although I still strongly believe that what I need here is not a new feature for EspoCRM, but rather a fix for an existing issue in how portal user permissions are validated at the Account level for the Email entity.

                That’s why it’s very important for me to hear yuri's perspective on whether what I’ve described is the system’s intended behavior.
