ssossossosso

Forums

Covering OroCRM topics, including community updates and company announcements.  Subscribe

This topic contains 1 reply, has 1 voice, and was last updated by  shreyas 3 months, 2 weeks ago.

  • Creator
    Topic
  • #35050

    shreyas
    Participant

    Hi Team,

    i have implemented search for a custom entity called UserAssignment using search.yml.In Search field present in navigation block i am able to get search text result as expected.This custom entity has access only by Admin.When any other user other than Admin login he will not be able to access that entity But issue is when i try searching for some data which exist in Custom entity also those result would also be displayed to the user who dont have access to that entity But when he tries to click the result’s link url then it would give u dont have permission to view message which is correct as view operation for that Custom Entity has been restricted only to Admin.
    I Think i am missing some ACL that has to be declared in search.yml of Custom Entity so that the whole custom entity data should not be available to users other than Admin in search suggestion & result . I tried looking for other search.yml files implementation but could not get any clue from them to solve this issue.

    search.yml file for UserAssignment Custom Entity given below:

    Please need some help on how to overcome with this issue.

    Thanks & Regards,
    Shreyas S

Viewing 1 replies (of 1 total)
  • Author
    Replies
  • #35074

    shreyas
    Participant

    Hi Team,

    i was able to restrict the Entity access with some modifications in Code as shown below:

    In vendor\oro\platform\src\Oro\Bundle\SearchBundle\Provider\ResultStatisticsProvider.php

    In function getGroupedResults() done some modification to check for Entity Access with help of securityProvider.

    Also done respective changes in services.yml for oro_search.provider.result_statistics_provider as below:

    Now the Custom entity Search result is not shown other than for ADMIN Role.

    But i am facing similar issue related to Entity’s Record level Access, where in ACL might not be working properly.
    Ex:
    i have a User who has created an Account record. This account’s record should not be visible to other user other than created user as the ownership is also registered in ACL of Account Entity.But this is not working fine with Search Result wherein it is listing many records that are not applicable to him or Business Units
    under him whereas on the Account Entity index page it displays only records applicable to that user. When i try clicking on some of those search result’s records it says no permission to view record.

    i observed that SearchAclHelper is being used in vendor\oro\platform\src\Oro\Bundle\SearchBundle\Engine\Indexer.php in prepareQuery() method but not working as expected.Please find code snippet for reference:

    I tried commenting $this->searchAclHelper->apply($query); from above function. Then when i searched for particular search text under Account Entity from Different Users . Then number of records fetched were the same. So once after uncommenting it under each User the search result is varying but there are some Records which user does not have access to also being displayed.This is the same problem for other entities search result also.
    Kindly need help in how to solve this Record Level Access Restriction of Entities to users.

    • This reply was modified 3 months, 2 weeks ago by  shreyas.
Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.