by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.

#3704 - Select button in subpanel allows editing of records regardless of user permissions

Status: In Progress | Type: Feature | Created by diegoandsu (Verified Purchase) a year ago

CURRENT BEHAVIOUR (SuiteCRM v7.11.13 and 7.11.14)
The select button is always present on subpanels and it allows the user to select a related record regardless of the user's permissions (on either the selected record or the associated record).

EXPECTED BEHAVIOUR
The button should not be present if the user has no edit permission on the selected record, or, if it is present, it should generate the "You don't have permissions for" message when pressed.

STEPS TO REPRODUCE
1. Create a role that removes all permissions.
2. Create a group, assign the role from #1 to it and assign the user you are going to test with (I did it with all users).
3. Verify that the user has no access via the "Access" tab in the user profile screen (and by trying to edit/create records; you shouldn't be able to).
4. Create a role/group that gives the user VIEW permissions on the record(s) you are going to test with (in my case Accounts and Contracts). Verify that the user cannot edit either of the record types.
5. Log in as the user and select the record you are going to edit. The subpanel for the other record type will be visible and the "Select" button will be too.
6. Click on Select and select a record in the pop-up window.
7. The selected record will now show up in the subpanel, and the associated record's relate-to field will be updated even though the user has no edit permission for either record.

  1. eggsurplus (Provider Affiliate), a year ago:

    Hi Diego,

    Unfortunately, this is exactly how SuiteCRM is expected to behave. Select does not equate to Edit. However, we have considered adding a Select column to role configurations like we have with Create as some businesses do want to prevent selecting from subpanels to add to a record. Adding a Select option to roles would give more precise permissions where you want to prevent editing a record and prevent changing the relationships to the record. For example, Select on the Contacts row in the role configuration would mean that if you are viewing an Account then you couldn't select a Contact to add to the Account.

    There are no current timelines to add this, but we could look at scheduling this in if you would use it. This option would likely be added to the Enterprise plan.

    • diegoandsu (Verified Purchase), a year ago:

      Having a select option in roles would be great. In our specific case we have several departments which need read but not modify access to some sensitive data like contract details. As it is, any user with read access to the main record (say accounts) can edit the relationship to contracts and inadvertently (or on purpose) re-assign a contract to a different account. If this were to happen (and it will probably happen) things like contract renewals and billing based on contracts (like ours) will be compromised. The only options at the moment are to modify the code (which we don't want to due to resources/time) or create exception reports/workflows (which are easier and faster to do but require perpetual vigilance).

      BTW we have the enterprise subscription.

    • eggsurplus (Provider Affiliate), a year ago:

      If we do a Select option it would be for all parent modules. For example, if Contact's Select is set to None then on Accounts, Opportunities, etc. the Contact subpanel would have no Select option. This seems like the best path forward. We will look into this to see if there is a good path forward.
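The thread above leaves the relationship change unguarded until a Select permission exists in roles. As an added illustration (this is not code from eggsurplus, from SecuritySuite, or from SuiteCRM), the stricter policy diegoandsu describes can already be enforced server-side with SuiteCRM's `before_relationship_add` and `before_relationship_delete` logic hooks, which fire from the same code path the subpanel Select and Remove actions use. The hook event names, the `$arguments` keys and `SugarBean::ACLAccess()` are SuiteCRM's own; the file paths, the class name `RelationshipAclHook` and the throw-to-veto approach are assumptions made for this example.

```php
<?php
// --- custom/modules/logic_hooks.php (hypothetical path; the array layout is
// SuiteCRM's standard global logic-hook registration: order, description,
// file, class, method) ---
$hook_version = 1;
$hook_array = array();

// Both events are dispatched by SuiteCRM before the relationship row is
// written or removed, i.e. before the subpanel Select/Remove takes effect.
$hook_array['before_relationship_add'][] = array(
    1,
    'Deny subpanel Select unless the user may edit both records',
    'custom/modules/RelationshipAclHook.php',
    'RelationshipAclHook',
    'enforceEditOnBothSides',
);
$hook_array['before_relationship_delete'][] = array(
    1,
    'Deny subpanel Remove unless the user may edit both records',
    'custom/modules/RelationshipAclHook.php',
    'RelationshipAclHook',
    'enforceEditOnBothSides',
);

// --- custom/modules/RelationshipAclHook.php (hypothetical path) ---
class RelationshipAclHook
{
    /**
     * $bean is the parent record whose subpanel was used (e.g. the Account);
     * $arguments['related_module'] / $arguments['related_id'] identify the
     * record that was selected or removed (e.g. the Contract).
     */
    public function enforceEditOnBothSides(SugarBean $bean, $event, $arguments)
    {
        // Scheduler and cron jobs run without a logged-in user; only gate
        // requests that carry a user session.
        if (empty($GLOBALS['current_user']) || empty($GLOBALS['current_user']->id)) {
            return;
        }
        if (empty($arguments['related_module']) || empty($arguments['related_id'])) {
            return;
        }

        $related = BeanFactory::getBean($arguments['related_module'], $arguments['related_id']);

        // ACLAccess('edit') evaluates the current user's role (and, with this
        // add-on installed, group) permissions against that specific record.
        $denied = array();
        if (!$bean->ACLAccess('edit')) {
            $denied[] = $bean->module_dir . '/' . $bean->id;
        }
        if (empty($related) || !$related->ACLAccess('edit')) {
            $denied[] = $arguments['related_module'] . '/' . $arguments['related_id'];
        }
        if (empty($denied)) {
            return; // user may edit both sides: let the relationship change proceed
        }

        // Log the blocked attempt so it can be reviewed without exception reports.
        $GLOBALS['log']->security(sprintf(
            'RelationshipAclHook: user %s blocked on %s (%s); no edit access to: %s',
            $GLOBALS['current_user']->user_name,
            $event,
            isset($arguments['relationship']) ? $arguments['relationship'] : 'unknown relationship',
            implode(', ', $denied)
        ));

        // SuiteCRM does not act on a hook's return value for before_relationship_*
        // events, so the hook vetoes the change by aborting the request before the
        // row is written (assumption: no dedicated veto API exists for these hooks).
        throw new RuntimeException('You do not have edit access to both records in this relationship.');
    }
}
```

Requiring edit on both sides is deliberately stricter than the behaviour eggsurplus describes as expected ("Select does not equate to Edit"): it closes the case in the report where a view-only user moves a Contract to another Account, while users who can edit both records keep the subpanel workflow unchanged. Because the hook runs server-side, it also covers relationship changes made through other entry points, not just the subpanel button.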
