  • Tasks Role Permission Conflict

    Hi EspoCRM Team!

    We have been using EspoCRM to assign tasks between users and it works GREAT. Each department can ONLY see their own assigned tasks.

    Here is the conflict (NOT EspoCRM issue):
    • When a user creates a task assigned to a person of another department, the system shows "Error 403: You don't have an access to this area".
    • We know this is because the task has been assigned to the user and the task's creator isn't supposed to see it any more.
    However, it would be nice if the users can also see the tasks that have been created/assigned by them for follow up purpose.

    Is there any "flexible" permission setup or maybe a workflow we can use?

    Thanks a lot.

  • #2
    Hi Pablo,

    I couldn't come up with any appropriate solution for your case other than customizing a bit.

    Two files to be created.

    custom/Espo/Custom/SelectManagers/Task.php
    PHP Code:
    <?php

    namespace Espo\Custom\SelectManagers;

    class Task extends \Espo\Modules\Crm\SelectManagers\Task
    {
        // Widen the "only own" list filter so a task is listed for its
        // assignee OR its creator.
        protected function accessOnlyOwn(&$result)
        {
            $result['whereClause'][] = [
                'OR' => [
                    'assignedUserId' => $this->getUser()->id,
                    'createdById' => $this->getUser()->id
                ]
            ];
        }
    }

    custom/Espo/Custom/Acl/Task.php
    PHP Code:
    <?php

    namespace Espo\Custom\Acl;

    use \Espo\Entities\User;
    use \Espo\ORM\Entity;

    class Task extends \Espo\Core\Acl\Base
    {
        // Let the creator of a task read it even when the role's read
        // level alone would deny access.
        public function checkEntityRead(User $user, Entity $entity, $data)
        {
            if ($this->checkEntity($user, $entity, $data, 'read')) {
                return true;
            }

            if ($user->id === $entity->get('createdById')) {
                return true;
            }

            return false;
        }
    }

    Note, I didn't check whether the code is running. There can be mistakes.
    Last edited by yuri; 03-05-2018, 12:28 PM.



    • #3
      Hi yuri ,

      Thanks for the help and sorry for the late response.

      We created the files but a "Bad server response" error appears. We looked at the logs and found:

      [2018-03-03 16:53:42] Espo.ERROR: API [GET]:/:controller/:id, Params:Array ( [controller] => Task [id] => 5a9ad3168effbaf88 ) , InputData: - [] []
      [2018-03-03 16:53:42] Espo.ERROR: Display Error: , Code: 403 URL: /backoffice9alliance/api/v1/Task/5a9ad3168effbaf88 [] []

      Any corrections we need to make to the new files?

      Thanks a lot.



      • #4
        Hello,
        change the line with retutn true; to return true;



        • #5
          Hi tanya ,

          Thanks for the help. We tested and it doesn't show the "Error 403: You don't have an access to this area" when a user creates a task for another user (that's PERFECT).

          However, when we look at the task list, the task is not shown (the user still can only view their own tasks).

          Is there any way the user can ALSO see the tasks created by him/her at the task list?

          Thanks a lot.



          • #6
            Do you use only roles for prohibiting or do you use Filter Only My?
            I think you need to override one more method in Select Manager boolFilterOnlyMy

            custom/Espo/Custom/SelectManagers/Task.php

            PHP Code:
            <?php

            namespace Espo\Custom\SelectManagers;

            class Task extends \Espo\Modules\Crm\SelectManagers\Task
            {
                // Role-level "own" filtering: assignee OR creator.
                protected function accessOnlyOwn(&$result)
                {
                    $result['whereClause'][] = [
                        'OR' => [
                            'assignedUserId' => $this->getUser()->id,
                            'createdById' => $this->getUser()->id
                        ]
                    ];
                }

                // The "Only My" bool filter used by the list view; it must
                // apply the same condition as accessOnlyOwn() above.
                protected function boolFilterOnlyMy(&$result)
                {
                    if (!$this->checkIsPortal()) {
                        if ($this->hasAssignedUserField()) {
                            $result['whereClause'][] = [
                                'OR' => [
                                    'assignedUserId' => $this->getUser()->id,
                                    'createdById' => $this->getUser()->id
                                ]
                            ];
                        } else {
                            $result['whereClause'][] = array(
                                'createdById' => $this->getUser()->id
                            );
                        }
                    } else {
                        $result['whereClause'][] = array(
                            'createdById' => $this->getUser()->id
                        );
                    }
                }
            }



            • #7
              Hi tanya ,

              We only use roles for prohibiting.

              Does the script in your last message override the role permissions?

              Thanks again.



              • #8
                Acl - for permissions,
                SelectManagers - for filtering


                In your Acl file (custom/Espo/Custom/Acl/Task.php) add the method

                PHP Code:
                    // Treat a task as "own" for the assignee, the creator,
                    // or anyone in the assignedUsers link.
                    public function checkIsOwner(User $user, Entity $entity)
                    {
                        if ($entity->hasAttribute('assignedUserId')) {
                            if ($entity->has('assignedUserId')) {
                                if ($user->id === $entity->get('assignedUserId')) {
                                    return true;
                                }
                            }
                        }
                        if ($entity->hasAttribute('createdById')) {
                            if ($entity->has('createdById')) {
                                if ($user->id === $entity->get('createdById')) {
                                    return true;
                                }
                            }
                        }

                        if ($entity->hasAttribute('assignedUsersIds') && $entity->hasRelation('assignedUsers')) {
                            if ($entity->hasLinkMultipleId('assignedUsers', $user->id)) {
                                return true;
                            }
                        }

                        return false;
                    }

                Need to check

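The split described in #8 (Acl decides whether a single record may be accessed, SelectManager decides which records the list query returns) and the boolFilterOnlyMy override in #6 only work if the two layers agree. The symptom in #5 (record opens, but is missing from the list) is one side of that drift; the other side, a list that shows rows the ACL then rejects with a 403, leaks titles and assignees of records the user was never meant to see. The script below is an added example, not code from the thread or from EspoCRM: it models the ownership predicate and the list WHERE clause as plain functions over constructed task records (all ids are made-up placeholders) and reports the records on which the two layers disagree, which is the check worth running before shipping such a customisation. One caveat, stated as my reading of EspoCRM's Acl\Base rather than anything the thread confirms: the "own" level for every action (edit, delete, stream, not just read) is routed through checkIsOwner(), so widening it to include createdById also widens what creators can edit or delete on tasks assigned to another department.

```php
<?php
// Added example (not from the thread or EspoCRM): a stand-alone parity
// check between the ACL ownership rule and the list filter's WHERE clause.
// It models the two customisation points discussed in the thread as plain
// functions over constructed task records, so it runs without EspoCRM.
//
// Invariant checked: the filter that builds the task list and the ACL that
// guards a single-record read must accept exactly the same records.

declare(strict_types=1);

// Ownership predicate mirroring the thread's Acl\Task::checkIsOwner():
// a task is "own" when the user is assignee, creator, or in assignedUsers.
function isOwner(string $userId, array $task): bool
{
    if (($task['assignedUserId'] ?? null) === $userId) {
        return true;
    }
    if (($task['createdById'] ?? null) === $userId) {
        return true;
    }
    if (in_array($userId, $task['assignedUsersIds'] ?? [], true)) {
        return true;
    }
    return false;
}

// Filter predicate mirroring the SelectManager accessOnlyOwn() whereClause:
// OR(assignedUserId = user, createdById = user). It deliberately does NOT
// cover assignedUsersIds, which is the kind of drift this check exposes.
function listFilter(string $userId, array $task): bool
{
    return ($task['assignedUserId'] ?? null) === $userId
        || ($task['createdById'] ?? null) === $userId;
}

// Returns the records on which the two layers disagree, keyed by task id.
// An empty array means list and ACL are consistent for this user.
function parityMismatches(string $userId, array $tasks): array
{
    $out = [];
    foreach ($tasks as $task) {
        $aclAllows = isOwner($userId, $task);
        $listShows = listFilter($userId, $task);
        if ($aclAllows !== $listShows) {
            $out[$task['id']] = [
                'aclAllows' => $aclAllows,  // true: openable by direct URL
                'listShows' => $listShows,  // true: appears in the task list
            ];
        }
    }
    return $out;
}

// Constructed sample data; user and task ids are placeholders.
$tasks = [
    ['id' => 't1', 'assignedUserId' => 'uSales',   'createdById' => 'uSales'],
    // Created by Sales for Support: the case from the original post.
    ['id' => 't2', 'assignedUserId' => 'uSupport', 'createdById' => 'uSales'],
    ['id' => 't3', 'assignedUserId' => 'uSupport', 'createdById' => 'uSupport'],
    // Sales user is only in the assignedUsers link: the ACL accepts it via
    // assignedUsersIds, the WHERE clause does not, so it is reported.
    ['id' => 't4', 'assignedUserId' => 'uOps', 'createdById' => 'uOps',
     'assignedUsersIds' => ['uSales']],
];

print_r(parityMismatches('uSales', $tasks));
```

Run it with `php parity.php`; every entry it prints is a record that must be fixed either by adding the missing condition to the whereClause or by narrowing checkIsOwner(), until the output is an empty array for each role you care about.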


                • #9
                  Hi tanya ,

                  We added the method but no success.

                  Our Task.php file at the Acl folder looks like this:

                  PHP Code:
                  <?php

                  namespace Espo\Custom\Acl;

                  use \Espo\Entities\User;
                  use \Espo\ORM\Entity;

                  class Task extends \Espo\Core\Acl\Base
                  {
                      // Let the creator read the task even if the role's read
                      // level would otherwise deny it.
                      public function checkEntityRead(User $user, Entity $entity, $data)
                      {
                          if ($this->checkEntity($user, $entity, $data, 'read')) {
                              return true;
                          }

                          if ($user->id === $entity->get('createdById')) {
                              return true;
                          }

                          return false;
                      }

                      // Ownership: assignee, creator, or member of assignedUsers.
                      public function checkIsOwner(User $user, Entity $entity)
                      {
                          if ($entity->hasAttribute('assignedUserId')) {
                              if ($entity->has('assignedUserId')) {
                                  if ($user->id === $entity->get('assignedUserId')) {
                                      return true;
                                  }
                              }
                          }
                          if ($entity->hasAttribute('createdById')) {
                              if ($entity->has('createdById')) {
                                  if ($user->id === $entity->get('createdById')) {
                                      return true;
                                  }
                              }
                          }

                          if ($entity->hasAttribute('assignedUsersIds') && $entity->hasRelation('assignedUsers')) {
                              if ($entity->hasLinkMultipleId('assignedUsers', $user->id)) {
                                  return true;
                              }
                          }

                          return false;
                      }
                  }
                  Are we missing something?

                  Thanks a lot.



                  • #10
                    Hi,

                    You need to create a custom SelectManager class for sure. The only way.



                    • #11
                      Hi yuri ,

                      Besides the new file at custom/Espo/Custom/SelectManagers , is there anything else missing?

                      Thanks.
