User roles not working as expected

zandeera
Posts: 9
Joined: 06 Apr 2023, 21:21
Name: Zandeera
Location: Indonesia

User roles not working as expected

Post by zandeera »

Hi Sergey,

I have created one User Roles field, named "Roles", in entity Projects and set some roles to define access type to entity Tasks.
Some scenarios are not working as expected.

For example:
Access group Staff has one user: The Staff.
This access group has no access at all to entity Tasks.
In field "Roles", I created one role, named "Staff" and set access "View Assigned Only".
I have created one project and two tasks under the project. These tasks are not assigned to any user.
"The Staff" is assigned to the role "Staff". Because the tasks are not assigned to any user and role "Staff" has access "View Assigned Only", "The Staff" is expected not to be able to view the tasks of the project. However, "The Staff" can view both tasks.
One more thing: there is a difference in how accessibility is shown between the listing view (module items/items) and the report view (module reports/view). Listing view always refers to user roles configuration, which is expected, because user roles override the basic access. Report view always refers to basic access configuration.

Here are some screenshots that might be able to explain more and better.


Here's the link of the demo where I tested this scenario: https://pdemo.rukovoditel.pro/3.4/index ... mo_id=2828
zandeera
Posts: 9
Joined: 06 Apr 2023, 21:21
Name: Zandeera
Location: Indonesia

Re: User roles not working as expected

Post by zandeera »

Rukovoditel344-Testing-AccessRole-screenshot conv 1.png
Rukovoditel344-Testing-AccessRole-screenshot conv 2.png
Rukovoditel344-Testing-AccessRole-screenshot conv 3.png
Rukovoditel344-Testing-AccessRole-screenshot conv 4.png
Rukovoditel344-Testing-AccessRole-screenshot conv 5.png
Rukovoditel344-Testing-AccessRole-screenshot conv 6.png
eddydeniro
Posts: 174
Joined: 23 Feb 2021, 16:31
Name: Edi Supriyadi
Location: BDG Indonesia

Re: User roles not working as expected

Post by eddydeniro »

Interesting.
I've checked the demo and the by-role access is not applied to each item on the listing page, but when you display the info page, it's running (meaning that the staff is denied from viewing the item).

As a workaround, if you don't mind changing the core files, while waiting for the fix, you can add some additional lines to all files prefixed with "_listing" in folder modules/items/components to make sure the role access is implemented in the listing page:

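Code:

// This is an example for the file _listing_table.php
// Find the line that fetches rows from $items_query

$item_count = 0; // additional line: counts only the rows the user may see
while($item = db_fetch_array($items_query))
{
    // Add these lines
    $current_item_id = $item['id'];
    // For non-admin users with "view assigned" access, check each row
    if(users::has_access('view_assigned') and $app_user['group_id'] > 0 and $current_item_id > 0)
    {
        // Skip the row when the current user has no access to this assigned item
        if(!users::has_access_to_assigned_item($current_entity_id, $current_item_id))
        {
            continue;
        }
    }
    $item_count++;
    // End of added lines
    // (the original loop body continues here)
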
Also change the next part after fetching the item query:

Code:

//Change this line
//if($listing_split->number_of_rows == 0)
if(!$item_count || $listing_split->number_of_rows == 0)
{
    $html .= '
    <tr>
      <td colspan="100">' . TEXT_NO_RECORDS_FOUND . '</td>
    </tr>
  ';
}

You can try and see if this works for all possible scenarios of user roles.
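
An added example, not part of the thread and not Rukovoditel's own code: a self-contained PHP check that compares what a listing shows with what the per-item access check allows, which is the mismatch reported above (items listed although the info page denies them). All function names, the user record and the task data are hypothetical and constructed for illustration; it also includes one assigned task to show the allowed case.

```php
<?php
// Constructed sample data: two tasks with no assignee (as in the report)
// and one task assigned to user 7.
$tasks = [
    ['id' => 1, 'name' => 'Task A', 'assigned_to' => []],
    ['id' => 2, 'name' => 'Task B', 'assigned_to' => []],
    ['id' => 3, 'name' => 'Task C', 'assigned_to' => [7]],
];
// Hypothetical user record: user 7 holds a role with "View Assigned Only".
$staff = ['id' => 7, 'access' => ['view_assigned']];

// Single access predicate meant to be shared by every view (hypothetical helper).
function can_view_item(array $user, array $item): bool
{
    if (in_array('view', $user['access'], true)) {
        return true; // full view access
    }
    if (in_array('view_assigned', $user['access'], true)) {
        return in_array($user['id'], $item['assigned_to'], true);
    }
    return false; // default deny
}

// Models the reported listing behaviour: rows are emitted with no per-item check.
function listing_unchecked(array $items): array
{
    return array_column($items, 'id');
}

// Listing that applies the same predicate as the info page.
function listing_checked(array $user, array $items): array
{
    $visible = array_filter($items, fn($item) => can_view_item($user, $item));
    return array_column($visible, 'id');
}

// IDs that a listing shows although the per-item check would deny them.
function access_mismatches(array $user, array $items, array $listed_ids): array
{
    $denied = array_filter($items, fn($item) => !can_view_item($user, $item));
    return array_values(array_intersect($listed_ids, array_column($denied, 'id')));
}

// Report the mismatches for both listings.
print_r(access_mismatches($staff, $tasks, listing_unchecked($tasks)));
print_r(access_mismatches($staff, $tasks, listing_checked($staff, $tasks)));
```

A non-empty result for any view (listing, report, export) means that view makes a different access decision than the item page and needs the same check.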