Dolibarr / dolibarr

Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source Web application (written in PHP) designed for businesses of any size, foundations and freelancers.
https://www.dolibarr.org
GNU General Public License v3.0

Bug: user permissions page blank #8160

Closed paulchui123 closed 4 years ago

paulchui123 commented 6 years ago

Instructions

When I upgraded from Dolibarr 4.0 to 6.0.5, I found that one of my user accounts (user2, non-admin) couldn't access anything about suppliers, incl. price and invoice, but the admin account was normal.

I soon checked the permissions setting at User & group and found it's blank.

I checked the database and allocated all rights related to supplier to user2, but it's not working.

Environment

PHP: 5.6.33
Server: LiteSpeed
OS: Linux 3.10.0-714.10.2.lve1.4.79.el7.x86_64 #1 SMP Thu Jan 4 13:30:50 EST 2018 x86_64
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0

Requested URL: /product/fournisseurs.php?id=607
Referer: /product/card.php?id=607

debug log

2018-02-09 05:51:17 DEBUG - This is an already logged session. _SESSION['dol_login']=pestaff007 _SESSION['dol_entity']=1
2018-02-09 05:51:17 DEBUG sql=SELECT u.rowid, u.lastname, u.firstname, u.employee, u.gender, u.email, u.job, u.skype, u.signature, u.office_phone, u.office_fax, u.user_mobile, u.address, u.zip, u.town, u.fk_state as state_id, u.fk_country as country_id, u.admin, u.login, u.note, u.pass, u.pass_crypted, u.pass_temp, u.api_key, u.fk_soc, u.fk_socpeople, u.fk_member, u.fk_user, u.ldap_sid, u.statut, u.lang, u.entity, u.datec as datec, u.tms as datem, u.datelastlogin as datel, u.datepreviouslogin as datep, u.photo as photo, u.openid as openid, u.accountancy_code, u.thm, u.tjm, u.salary, u.salaryextra, u.weeklyhours, u.color, u.dateemployment, u.ref_int, u.ref_ext, c.code as country_code, c.label as country, d.code_departement as state_code, d.nom as state FROM llx3a_user as u LEFT JOIN llx3a_c_country as c ON u.fk_country = c.rowid LEFT JOIN llx3a_c_departements as d ON u.fk_state = d.rowid WHERE u.entity IN (0, 1) AND u.login = 'pestaff007' ORDER BY u.entity ASC
2018-02-09 05:51:17 INFO fetch_name_optionals_label elementtype=user
2018-02-09 05:51:17 DEBUG sql=SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,list,ishidden,fielddefault,fieldcomputed FROM llx3a_extrafields WHERE entity IN (0,1) AND elementtype = 'user' ORDER BY pos
2018-02-09 05:51:17 DEBUG sql=SELECT param, value FROM llx3a_user_param WHERE fk_user = 2 AND entity = 1
2018-02-09 05:51:17 DEBUG sql=SELECT rowid, entity, type, page, param, value FROM llx3a_default_values WHERE entity IN (1,1) AND user_id IN (0, 2)
2018-02-09 05:51:17 DEBUG sql=SELECT r.module, r.perms, r.subperms FROM llx3a_user_rights as ur, llx3a_rights_def as r WHERE r.id = ur.fk_id AND ur.entity = 1 AND ur.fk_user= 2 AND r.perms IS NOT NULL
2018-02-09 05:51:17 DEBUG sql=SELECT r.module, r.perms, r.subperms FROM llx3a_usergroup_rights as gr, llx3a_usergroup_user as gu, llx3a_rights_def as r WHERE r.id = gr.fk_id AND gr.entity = 1 AND r.entity = 1 AND gr.fk_usergroup = gu.fk_usergroup AND gu.fk_user = 2 AND r.perms IS NOT NULL
2018-02-09 05:51:17 INFO --- Access to /product/card.php - action=, massaction=
2018-02-09 05:51:17 DEBUG sql=SELECT transkey, transvalue FROM llx3a_overwrite_trans where lang='zh_CN'
2018-02-09 05:51:17 DEBUG Menubase::menuLoad mymainmenu=commercial myleftmenu=orders_suppliers type_user=0 menu_handler=eldy tabMenu size=0
2018-02-09 05:51:17 DEBUG sql=SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position FROM llx3a_menu as m WHERE m.entity IN (0,1) AND m.menu_handler IN ('eldy','all') AND m.usertype IN (0,2) ORDER BY m.position, m.rowid
2018-02-09 05:51:17 INFO fetch_name_optionals_label elementtype=product
2018-02-09 05:51:17 DEBUG sql=SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,list,ishidden,fielddefault,fieldcomputed FROM llx3a_extrafields WHERE entity IN (0,1) AND elementtype = 'product' ORDER BY pos
2018-02-09 05:51:17 INFO Product::fetch id=607 ref= ref_ext=
2018-02-09 05:51:17 DEBUG sql=SELECT rowid, ref, ref_ext, label, description, url, note as note_private, customcode, fk_country, price, price_ttc, price_min, price_min_ttc, price_base_type, cost_price, default_vat_code, tva_tx, recuperableonly as tva_npr, localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, tosell, tobuy, fk_product_type, duration, seuil_stock_alerte, canvas, weight, weight_units, length, length_units, width, width_units, height, height_units, surface, surface_units, volume, volume_units, barcode, fk_barcode_type, finished, accountancy_code_buy, accountancy_code_sell, stock, pmp, datec, tms, import_key, entity, desiredstock, tobatch, fk_unit, fk_price_expression, price_autogen FROM llx3a_product WHERE rowid = 607
2018-02-09 05:51:17 INFO fetch_name_optionals_label elementtype=product
2018-02-09 05:51:17 DEBUG sql=SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,list,ishidden,fielddefault,fieldcomputed FROM llx3a_extrafields WHERE entity IN (0,1) AND elementtype = 'product' ORDER BY pos
2018-02-09 05:51:17 DEBUG sql=SELECT dbt.rowid FROM llx3a_product as dbt WHERE dbt.rowid = 607 AND dbt.entity IN (1)
2018-02-09 05:51:17 DEBUG sql=SELECT dbt.rowid FROM llx3a_product as dbt WHERE dbt.rowid = 607 AND dbt.entity IN (1)
2018-02-09 05:51:17 INFO files.lib.php::dol_dir_list path=/home/realisti/lycorcatsuitdata/produit/152592655509-1 types=files recursive=0 filter= excludefilter="(\.meta|_preview.\.png)$"
2018-02-09 05:51:17 DEBUG sql=SELECT COUNT(rowid) as nb FROM llx3a_links WHERE objecttype = 'product' AND objectid = 607 AND entity = 1
2018-02-09 05:51:17 DEBUG sql=SELECT MAX(te.ref) FROM llx3a_product as te WHERE te.ref < '152592655509-1' AND fk_product_type = 0 AND te.entity IN (1)
2018-02-09 05:51:18 DEBUG sql=SELECT MIN(te.ref) FROM llx3a_product as te WHERE te.ref > '152592655509-1' AND fk_product_type = 0 AND te.entity IN (1)
2018-02-09 05:51:18 DEBUG sql=SELECT ct.fk_categorie, c.label, c.rowid FROM llx3a_categorie_product as ct, llx3a_categorie as c WHERE ct.fk_categorie = c.rowid AND ct.fk_product = 607 AND c.type = 0 AND c.entity IN (1)
2018-02-09 05:51:18 DEBUG sql=SELECT COUNT() as nb from llx3a_supplier_proposaldet WHERE fk_product = 607
2018-02-09 05:51:18 DEBUG sql=SELECT COUNT() as nb from llx3a_propaldet WHERE fk_product = 607
2018-02-09 05:51:18 DEBUG sql=SELECT COUNT() as nb from llx3a_commandedet WHERE fk_product = 607
2018-02-09 05:51:18 DEBUG /core/lib/function2.lib.php::getListOfModels
2018-02-09 05:51:18 DEBUG sql=SELECT nom as id, nom as lib, libelle as label, description as description FROM llx3a_document_model WHERE type = 'product' AND entity IN (0,1) ORDER BY description DESC
2018-02-09 05:51:18 INFO files.lib.php::dol_dir_list path=/home/realisti/lycorcatsuitdata/produit/152592655509-1 types=files recursive=0 filter= excludefilter="(\.meta|_preview..\.png)$"
2018-02-09 05:51:18 DEBUG Link::fetchAll
2018-02-09 05:51:18 DEBUG sql=SELECT rowid, entity, datea, url, label, objecttype, objectid FROM llx3a_links WHERE objecttype = 'product' AND objectid = 607 AND entity = 1
2018-02-09 05:51:18 DEBUG Link::fetchAll 0records
2018-02-09 05:51:18 INFO --- End access to /product/card.php
2018-02-09 05:51:22 DEBUG - This is an already logged session. _SESSION['dol_login']=pestaff007 _SESSION['dol_entity']=1
2018-02-09 05:51:22 DEBUG sql=SELECT u.rowid, u.lastname, u.firstname, u.employee, u.gender, u.email, u.job, u.skype, u.signature, u.office_phone, u.office_fax, u.user_mobile, u.address, u.zip, u.town, u.fk_state as state_id, u.fk_country as country_id, u.admin, u.login, u.note, u.pass, u.pass_crypted, u.pass_temp, u.api_key, u.fk_soc, u.fk_socpeople, u.fk_member, u.fk_user, u.ldap_sid, u.statut, u.lang, u.entity, u.datec as datec, u.tms as datem, u.datelastlogin as datel, u.datepreviouslogin as datep, u.photo as photo, u.openid as openid, u.accountancy_code, u.thm, u.tjm, u.salary, u.salaryextra, u.weeklyhours, u.color, u.dateemployment, u.ref_int, u.ref_ext, c.code as country_code, c.label as country, d.code_departement as state_code, d.nom as state FROM llx3a_user as u LEFT JOIN llx3a_c_country as c ON u.fk_country = c.rowid LEFT JOIN llx3a_c_departements as d ON u.fk_state = d.rowid WHERE u.entity IN (0, 1) AND u.login = 'pestaff007' ORDER BY u.entity ASC
2018-02-09 05:51:22 INFO fetch_name_optionals_label elementtype=user
2018-02-09 05:51:22 DEBUG sql=SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,list,ishidden,fielddefault,fieldcomputed FROM llx3a_extrafields WHERE entity IN (0,1) AND elementtype = 'user' ORDER BY pos
2018-02-09 05:51:22 DEBUG sql=SELECT param, value FROM llx3a_user_param WHERE fk_user = 2 AND entity = 1
2018-02-09 05:51:22 DEBUG sql=SELECT rowid, entity, type, page, param, value FROM llx3a_default_values WHERE entity IN (1,1) AND user_id IN (0, 2)
2018-02-09 05:51:22 DEBUG sql=SELECT r.module, r.perms, r.subperms FROM llx3a_user_rights as ur, llx3a_rights_def as r WHERE r.id = ur.fk_id AND ur.entity = 1 AND ur.fk_user= 2 AND r.perms IS NOT NULL
2018-02-09 05:51:22 DEBUG sql=SELECT r.module, r.perms, r.subperms FROM llx3a_usergroup_rights as gr, llx3a_usergroup_user as gu, llx3a_rights_def as r WHERE r.id = gr.fk_id AND gr.entity = 1 AND r.entity = 1 AND gr.fk_usergroup = gu.fk_usergroup AND gu.fk_user = 2 AND r.perms IS NOT NULL
2018-02-09 05:51:22 INFO --- Access to /product/fournisseurs.php - action=, massaction=
2018-02-09 05:51:22 DEBUG sql=SELECT transkey, transvalue FROM llx3a_overwrite_trans where lang='zh_CN'
2018-02-09 05:51:22 DEBUG Menubase::menuLoad mymainmenu=commercial myleftmenu=orders_suppliers type_user=0 menu_handler=eldy tabMenu size=0
2018-02-09 05:51:22 DEBUG sql=SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position FROM llx3a_menu as m WHERE m.entity IN (0,1) AND m.menu_handler IN ('eldy','all') AND m.usertype IN (0,2) ORDER BY m.position, m.rowid
2018-02-09 05:51:22 DEBUG sql=SELECT dbt.rowid FROM llx3a_product as dbt WHERE dbt.rowid = 607 AND dbt.entity IN (1)
2018-02-09 05:51:22 ERR Error url=/product/fournisseurs.php?id=607, query_string=id=607, msg=Param dbt_keyfield is required but not defined
2018-02-09 05:51:22 DEBUG sql=SELECT sc.fk_soc FROM llx3a_product as dbt, llx3a_societe as s, llx3a_societe_commerciaux as sc WHERE dbt.rowid = 607 AND sc.fk_soc = dbt. AND dbt. = s.rowid AND dbt.entity IN (1) AND sc.fk_user = 2
2018-02-09 05:51:22 ERR DoliDBMysqli::query SQL Error message: DB_ERROR_SYNTAX You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'AND dbt. = s.rowid AND dbt.entity IN (1) AND sc.fk_user = 2' at line 1
2018-02-09 05:51:22 INFO --- End access to /product/fournisseurs.php

Steps to reproduce the behavior

[Verbose description]

Attached files (Screenshots, screencasts, dolibarr.log, debugging informations…)

[Files] 2018-02-09 2 07 00 2018-02-09 2 00 53

paulchui123 commented 6 years ago

This SQL query showed an error when I checked the log file:

SELECT sc.fk_soc FROM llx3a_product as dbt, llx3a_societe as s, llx3a_societe_commerciaux as sc WHERE dbt.rowid = 607 AND sc.fk_soc = dbt. AND dbt. = s.rowid AND dbt.entity IN (1) AND sc.fk_user = 2
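An added example, not part of the original thread or of Dolibarr's code: a small triage script that splits a dolibarr.log dump like the one above into entries, groups them by request, and reports each request that logged an ERR together with the last SQL statement issued before it. The function names, the entry-header pattern and the shortened sample lines are assumptions constructed from the log layout quoted in this issue.

```python
import re

# Constructed sample in the layout of the log quoted in this issue. Entries may
# run together on one line, so they are split on the timestamp, not on newlines.
SAMPLE = (
    "2018-02-09 05:51:17 INFO --- Access to /product/card.php - action=, massaction= "
    "2018-02-09 05:51:18 INFO --- End access to /product/card.php "
    "2018-02-09 05:51:22 INFO --- Access to /product/fournisseurs.php - action=, massaction= "
    "2018-02-09 05:51:22 ERR Error url=/product/fournisseurs.php?id=607, msg=Param dbt_keyfield is required but not defined "
    "2018-02-09 05:51:22 DEBUG sql=SELECT sc.fk_soc FROM llx3a_product as dbt WHERE sc.fk_soc = dbt. AND dbt. = s.rowid\n"
    "2018-02-09 05:51:22 ERR DoliDBMysqli::query SQL Error message: DB_ERROR_SYNTAX\n"
    "2018-02-09 05:51:22 INFO --- End access to /product/fournisseurs.php"
)

# Assumed entry header: "YYYY-MM-DD HH:MM:SS LEVEL " with an upper-case level name.
HEADER = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]+)\s+")

def parse_entries(text):
    """Split a log, flattened or not, into (timestamp, level, message) tuples."""
    marks = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((m.group(1), m.group(2), text[m.end():end].strip()))
    return entries

def failing_requests(text):
    """Return one record per request (Access to ... End access to) that logged ERR."""
    report, current, last_sql = [], None, None
    for ts, level, msg in parse_entries(text):
        if msg.startswith("--- Access to "):
            page = msg[len("--- Access to "):].split(" - ")[0]
            current, last_sql = {"page": page, "time": ts, "errors": []}, None
        elif msg.startswith("--- End access to "):
            if current and current["errors"]:
                report.append(current)
            current = None
        elif current is not None and msg.startswith("sql="):
            last_sql = msg[4:]
        elif current is not None and level == "ERR":
            current["errors"].append({"msg": msg, "last_sql": last_sql})
    if current and current["errors"]:  # log cut off before the End marker
        report.append(current)
    return report

if __name__ == "__main__":
    for req in failing_requests(SAMPLE):
        print(req["time"], req["page"], req["errors"])
```

Entries logged before a request's "--- Access to" marker (session and user lookups in the log above) are not attributed to any request by this script.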

hregis commented 6 years ago

@paulchui123 this is a Dolibarr user linked to a customer contact? ... llx3a_societe_commerciaux as sc ...

paulchui123 commented 6 years ago

No, this user was prohibited from browsing customer information.

paulchui123 commented 6 years ago

It shows an error when this user tries to access the page below: 2018-02-09 05:51:22 Error url=/product/fournisseurs.php?id=607,

hregis commented 6 years ago

@paulchui123 and the Apache error log?

hregis commented 6 years ago

@paulchui123 OK, I see the problem

hregis commented 6 years ago

@paulchui123

see https://github.com/Dolibarr/dolibarr/pull/8164

paulchui123 commented 6 years ago

Yes, user2 can access the supplier now, but the user permission page is still blank.

hregis commented 6 years ago

@paulchui123 can you check the Apache error log and the Dolibarr log when this problem appears?

paulchui123 commented 6 years ago

This program runs on shared hosting; checking the Apache error log is not possible.

inoveaconseil commented 6 years ago

Do you not have 2 identical modules in your Dolibarr?

paulchui123 commented 5 years ago

Upgraded to version 8.01; this error has still not been fixed.

github-actions[bot] commented 4 years ago

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. If this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. Without comment, this issue will be closed automatically by stale bot in 15 days.