Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NEW - See the documents of my subordinates #28318

Merged
merged 10 commits into from
Mar 7, 2024
Merged

NEW - See the documents of my subordinates #28318

merged 10 commits into from
Mar 7, 2024

Conversation

BB2A-Anthony
Copy link
Contributor

NEW|New [*See the documents of my subordinates *]

[This function is essential in my opinion]

proposal following comment from PR #24035

@eldy if good for you i change for propal invoice and thirdparty in other PR

@eldy
Copy link
Member

eldy commented Feb 21, 2024

This will generate a lot of trouble in permission systems and data view will not be consistent between screen, but this is not a pb as long as it remains a hidden option.
However what is your definition of "order of subordinates" ?

  • Order that are on thirdparties with one contact that is an external users that is among subordinates ?
  • Or order that has a sale representative that is among subordinates ?

@BB2A-Anthony
Copy link
Contributor Author

This will generate a lot of trouble in permission systems and data view will not be consistent between screen, but this is not a pb as long as it remains a hidden option. However what is your definition of "order of subordinates" ?

* Order that are on thirdparties with one contact that is an external users that is among subordinates ?

* Or order that has a sale representative that is among subordinates ?

for me it's no longer this case "order that has a sale representative that is among subordinates"

What do you mean by
"This will generate a lot of trouble in permission systems and data view will not be consistent between screen"
Can you give me more details?

@eldy
Copy link
Member

eldy commented Feb 21, 2024
edited
Loading

This will generate a lot of trouble in permission systems and data view will not be consistent between screen, but this is not a pb as long as it remains a hidden option. However what is your definition of "order of subordinates" ?

* Order that are on thirdparties with one contact that is an external users that is among subordinates ?

* Or order that has a sale representative that is among subordinates ?

for me it's no longer this case "order that has a sale representative that is among subordinates"

What do you mean by "This will generate a lot of trouble in permission systems and data view will not be consistent between screen" Can you give me more details?

100% of the code is base in this rule:

  • Permission on HR modules are based on perm + subordinates
  • Permission on project/tasks are based on perm + who is assigned
  • Permission on all the rest is based on perm only
    Here you introduce a rule that is a mix of A and C, so this will generate troubles. User will surely not understand why sometimes he can see and sometimes he can not see some data.

If your definition is "order that has a sale representative that is among subordinates", the modification must not be done by changing the sql at each place by by forcing the search_salerepresentative to the list of id of sale representative that are subordinates.

So the code that you have removed

if (!$user->hasRight('societe', 'client', 'voir')) {
	$search_sale = $user->id;
}

should not be removed, but replaced with

if (!$user->hasRight('societe', 'client', 'voir')) {
	$search_sale = list of allowed id,...,...,...
}

So we force the filter at begin of code in the head/security section.

then in sql instead of doing a filter on search_sale, it must be a filter on IN ($db->sanitize($search_sale))

@eldy eldy added the Discussion Some questions or discussions are opened and wait answers of author or other people to be processed label Feb 21, 2024
@BB2A-Anthony
Copy link
Contributor Author

BB2A-Anthony commented Feb 22, 2024
edited
Loading

This will generate a lot of trouble in permission systems and data view will not be consistent between screen, but this is not a pb as long as it remains a hidden option. However what is your definition of "order of subordinates" ?

* Order that are on thirdparties with one contact that is an external users that is among subordinates ?

* Or order that has a sale representative that is among subordinates ?

for me it's no longer this case "order that has a sale representative that is among subordinates"
What do you mean by "This will generate a lot of trouble in permission systems and data view will not be consistent between screen" Can you give me more details?

100% of the code is base in this rule:

* Permission on HR modules are based on perm + subordinates

* Permission on project/tasks are based on perm + who is assigned

* Permission on all the rest is based on perm only
  Here you introduce a rule that is a mix of A and C, so this will generate troubles. User will surely not understand why sometimes he can see and sometimes he can not see some data.

If your definition is "order that has a sale representative that is among subordinates", the modification must not be done by changing the sql at each place by by forcing the search_salerepresentative to the list of id of sale representative that are subordinates.

So the code that you have removed

if (!$user->hasRight('societe', 'client', 'voir')) {
	$search_sale = $user->id;
}

should not be removed, but replaced with

if (!$user->hasRight('societe', 'client', 'voir')) {
	$search_sale = list of allowed id,...,...,...
}

So we force the filter at begin of code in the head/security section.

then in sql instead of doing a filter on search_sale, it must be a filter on IN ($db->sanitize($search_sale))

I understand. for me it doesn't make sense to mix research with security.

$search_sale lives up to its name and is made for search.

If I display the orders of my subordinates, how can I filter them to one of them or myself. Since the field is preselected with my name.

The goal is to have this behavior on all views and the user will not be lost since he knows that he is the supervisor. It is normal for a supervisor to see the work of his subordinates.

I agree that this should be an option to keep the initial behavior by default.

There is also a security problem because if you clear the filters it displays the complete list without restriction.

It is necessary that

if (!$user->hasRight('societe', 'client', 'voir')) {
	$search_sale = $user->id;
}

Or lower.

@BB2A-Anthony
Copy link
Contributor Author

@eldy I rewrote the code to be simpler and optimized on the principles of holidays like in your example.

eldy
eldy reviewed Feb 22, 2024
View reviewed changes
htdocs/commande/list.php Outdated
@@ -879,6 +883,16 @@
if ($socid > 0) {
$sql .= ' AND s.rowid = '.((int) $socid);
}

// Restriction on sale representative
if (!$permissiontoreadallthirdparty && !$socid) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why
if (!$permissiontoreadallthirdparty && !$socid) {
and not
if (!$permissiontoreadallthirdparty) {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also the condition on MAIN_SEE_SUBORDINATES must appears.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok it's done

eldy
eldy reviewed Mar 4, 2024
View reviewed changes
htdocs/commande/list.php
@@ -223,15 +227,16 @@
//$arrayfields['anotherfield'] = array('type'=>'integer', 'label'=>'AnotherField', 'checked'=>1, 'enabled'=>1, 'position'=>90, 'csslist'=>'right');
$arrayfields = dol_sort_array($arrayfields, 'position');

if (!$user->hasRight('societe', 'client', 'voir')) {
$search_sale = $user->id;
Copy link
Member

@eldy eldy Mar 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems we loose this protection when we are in default mode:
If MAIN_SEE_SUBORDINATES not set and user has no permission to read all, this was used to restrict list on $search_sale at line 1011 (in old code file)
So you should restore a restriction into the select. For example in your addition line 888
if (!$permissiontoreadallthirdparty && getDolGlobalInt('MAIN_SEE_SUBORDINATES')) {
you can do

if (!$permissiontoreadallthirdparty) {
 if (getDolGlobalInt('MAIN_SEE_SUBORDINATES')) {
      // restrict on list in userschilds
} else {
   // default mode, restrict on user->id  only.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes I see I did

@eldy eldy added PR to fix - See feedback in comments PR needs to be fixed to be integrated (some comments should describes the fix to do) and removed Discussion Some questions or discussions are opened and wait answers of author or other people to be processed labels Mar 4, 2024
@eldy eldy merged commit ff03f86 into Dolibarr:develop Mar 7, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eldy eldy eldy left review comments

Assignees
No one assigned
Labels
PR to fix - See feedback in comments PR needs to be fixed to be integrated (some comments should describes the fix to do)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BB2A-Anthony @eldy