Announcement

Collapse
No announcement yet.

Tasks Role Permission Conflict

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Tasks Role Permission Conflict

    Hi EspoCRM Team!

    We have been using EspoCRM to asign tasks between users and it works GREAT. Each department can ONLY see their own assigned tasks.

    Here is the conflict (NOT EspoCRM issue):
    • When a user creates a task assigned to a person of another department, the system shows "Error 403: You don't have an access to this area".
    • We know this is because the task has been assigned to the user and the task's creator isn't supposed to see it any more.
    However, it would be nice if the users can also see the tasks that have been created/assigned by them for follow up purpose.

    Is there any "flexible" permission setup or maybe a workflow we can use?

    Thanks a lot.
    Tags: None
  • #2
    Hi Pablo,

    I couldn't come up with any appropriate solution for your case but customizing a bit.

    Two files to be created.

    custom/Espo/Custom/SelectManagers/Task.php
    PHP Code:
    <?php

    namespace Espo\Custom\SelectManagers;

    class     Task extends \Espo\Modules\Crm\SelectManagers\Task
    {    
        protected function     accessOnlyOwn(&$result)
        {        
                  $result['whereClause'][] = [
                    'OR' => [
                        'assignedUserId' => $this->getUser()->id,
                        'createdById' => $this->getUser()->id
                    ]
             ];
        }
    }

    custom/Espo/Custom/Acl/Task.php
    PHP Code:
    <?php

    namespace Espo\Custom\Acl;

    use     \Espo\Entities\User;
    use     \Espo\ORM\Entity;

    class     Task extends \Espo\Core\Acl\Base
    {
        public function     checkEntityRead(User $userEntity $entity$data)
        {
            if (    $this->checkEntity($user$entity$data'read')) {
                return     true;
            }
            
            if (    $user->id === $entity->get('createdById')) {
                return     true;
            }
            
            return     false;
        }
    }

    Note, I didn't check whether the code is running. There can be mistakes.
    Last edited by yuri; 03-05-2018, 12:28 PM.

    Comment

    • #3
      Hi yuri ,

      Thanks for the help and sorry for the late response.

      We created the files but a "Bad server response" error appears. We looked at the logs and found:

      [2018-03-03 16:53:42] Espo.ERROR: API [GET]:/:controller/:id, Params:Array ( [controller] => Task [id] => 5a9ad3168effbaf88 ) , InputData: - [] []
      [2018-03-03 16:53:42] Espo.ERROR: Display Error: , Code: 403 URL: /backoffice9alliance/api/v1/Task/5a9ad3168effbaf88 [] []

      Any corrections we need to make to the new files?

      Thanks a lot.

      Comment

      • #4
        Hello,
        change the line with retutn true; to return true;

        Comment

        • #5
          Hi tanya ,

          Thanks for the help. We tested and it doesn't show the "Error 403: You don't have an access to this area" when a user creates a task for another user (that's PERFECT).

          However, when we look at the task list, the task is not shown (the user still can only view their own tasks).

          Is there any way the user can ALSO see the tasks created by him/her at the task list?

          Thanks a lot.

          Comment

          • #6
            Do you use only roles for prohibiting or do you use Filter Only My?
            I think you need to override one more method in Select Manager boolFilterOnlyMy

            custom/Espo/Custom/SelectManagers/Task.php

            PHP Code:
            <?php

            namespace Espo\Custom\SelectManagers;

            class             Task extends \Espo\Modules\Crm\SelectManagers\Task
            {    
                protected function             accessOnlyOwn(&$result)
                {        
                                  $result['whereClause'][] = [
                                    'OR' => [
                                        'assignedUserId' => $this->getUser()->id,
                                        'createdById' => $this->getUser()->id
                                    ]
                     ];
                }

                protected function             boolFilterOnlyMy(&$result)
                {
                    if (!            $this->checkIsPortal()) {
                        if (            $this->hasAssignedUserField()) {
                                        $result['whereClause'][] = [
                                            'OR' => [
                                                 'assignedUserId' => $this->getUser()->id,
                                                 'createdById' => $this->getUser()->id
                                              ]
                            ];
                        } else {
                                        $result['whereClause'][] = array(
                                            'createdById' => $this->getUser()->id
                                        );
                        }
                    } else {
                                    $result['whereClause'][] = array(
                                        'createdById' => $this->getUser()->id
                                    );
                    }
                }


            }

            Comment

            • #7
              Hi tanya ,

              We only use roles for prohibiting.

              Does your last message with script overrides the roles permitions?

              Thanks again.

              Comment

              • #8
                Acl - for permissions,
                SelectManagers - for flitering


                In your Acl file (custom/Espo/Custom/Acl/Task.php) add the method

                PHP Code:
                  public function checkIsOwner(User $userEntity $entity)
                    {
                        if (                $entity->hasAttribute('assignedUserId')) {
                            if (                $entity->has('assignedUserId')) {
                                if (                $user->id === $entity->get('assignedUserId')) {
                                    return                 true;
                                }
                            }
                        }
                        if (                $entity->hasAttribute('createdById')) {
                            if (                $entity->has('createdById')) {
                                if (                $user->id === $entity->get('createdById')) {
                                    return                 true;
                                }
                            }
                        }

                        if (                $entity->hasAttribute('assignedUsersIds') && $entity->hasRelation('assignedUsers')) {
                            if (                $entity->hasLinkMultipleId('assignedUsers'$user->id)) {
                                return                 true;
                            }
                        }

                        return                 false;
                    } 

                Need to check

                Comment

                • #9
                  Hi tanya ,

                  We added the method but no success.

                  Our Task.php file at the Acl folder looks like this:

                  PHP Code:
                  <?php

                  namespace Espo\Custom\Acl;

                  use                   \Espo\Entities\User;
                  use                   \Espo\ORM\Entity;

                  class                   Task extends \Espo\Core\Acl\Base
                  {
                      public function                   checkEntityRead(User $userEntity $entity$data)
                      {
                          if (                  $this->checkEntity($user$entity$data'read')) {
                              return                   true;
                          }
                          
                          if (                  $user->id === $entity->get('createdById')) {
                              return                   true;
                          }
                          
                          return                   false;
                      }
                      
                      public function                   checkIsOwner(User $userEntity $entity)
                      {
                          if (                  $entity->hasAttribute('assignedUserId')) {
                              if (                  $entity->has('assignedUserId')) {
                                  if (                  $user->id === $entity->get('assignedUserId')) {
                                      return                   true;
                                  }
                              }
                          }
                          if (                  $entity->hasAttribute('createdById')) {
                              if (                  $entity->has('createdById')) {
                                  if (                  $user->id === $entity->get('createdById')) {
                                      return                   true;
                                  }
                              }
                          }

                          if (                  $entity->hasAttribute('assignedUsersIds') && $entity->hasRelation('assignedUsers')) {
                              if (                  $entity->hasLinkMultipleId('assignedUsers'$user->id)) {
                                  return                   true;
                              }
                          }

                          return                   false;
                      }
                      
                  }
                  Are we missing something?

                  Thanks a lot.

                  Comment

                  • #10
                    Hi,

                    You need to create a custom SelectManager class for sure. The only way.

                    Comment

                    • #11
                      Hi yuri ,

                      Besides the new file at custom/Espo/Custom/SelectManagers , is there anything else missing?

                      Thanks.

                      Comment

                      Previous template Next
                      Working...
                      X