mautic / mautic

Mautic: Open Source Marketing Automation Software.
https://www.mautic.org

Contact Ownership change does not work for api/contacts #13986

Open jaroslavhuss opened 2 months ago

jaroslavhuss commented 2 months ago

Mautic Version

5.0.x series

Way of installing

I'm using a Docker image from https://hub.docker.com/r/mautic/mautic

PHP version

8.0.0

What browsers are you seeing the problem on?

Not relevant

What happened?

If you change a contact's owner via Mautic's UI, the original owner still sees it via API GET /contacts. I am using basic auth.

How can we reproduce this issue?

Step 1: Create a contact and assign yourself as the contact's owner.
Step 2: Call GET api/contacts -> the user will be listed in the response.
Step 3: Change the owner of the same contact.
Step 4: Call GET api/contacts again -> the user is still listed, but you cannot update or delete this contact.

Relevant log output

No response


RCheesley commented 1 month ago

Thanks for the PR @jaroslavhuss - would you be in a position to dig in and see if you can fix it?

jaroslavhuss commented 1 month ago

Dear @RCheesley,

I could try digging in, but I am a Node.js developer (in love with Mautic). @escopecz is the real beast here; it should be 5 minutes for him. Btw. Hi Jan, hope you're doing super well.

escopecz commented 1 month ago

@jaroslavhuss can you share your request payload? We have tests confirming that changing an owner works via API.

jaroslavhuss commented 1 month ago

https://github.com/user-attachments/assets/3b947226-9c93-4474-bdbc-1060dc1c6eb4

Dear @escopecz, @RCheesley,

I have created a real quick video where I explain the problem. I think that is the easiest way to explain myself.

Kind regards

escopecz commented 1 month ago

Now I understand. The view own permissions aren't kicking in via GET /api/contacts. Yep, that is a bug.

jaroslavhuss commented 1 month ago

Just so you understand why I am as annoying as a fly: I am writing a mobile app connected to (any) Mautic instance (in React Native) so I can share it publicly with anyone (first with our colleagues). This was a problem I was not able to overcome, and it will be 100% required by the users :-)

Thank you @escopecz! Hope some Prague meet-up will happen anytime soon.

Jaroslav

escopecz commented 1 month ago

I can't wait to see your app! I cannot fix that due to other priorities but I checked the code quickly and I think it should be related to this condition:

https://github.com/mautic/mautic/blob/5.x/app/bundles/ApiBundle/Controller/FetchCommonApiController.php#L176-L185

Perhaps it's missing the "own" permission check. Running through that code with Xdebug should help to understand what's going on.

Whoever would like to give Mautic development a try, there is a simple docker setup to start.
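To make the suspected gap concrete, here is an added Python model (not Mautic code, and not the condition linked above) of the two ways a contact-listing endpoint can evaluate permissions: one that only checks whether the user may view contacts at all, which reproduces the report, and one that forces an owner filter when the user holds only the "own" scope. The permission names `lead:leads:viewown` / `lead:leads:viewother`, the user and contact records, and the ids are constructed for the illustration.

```python
"""Model of the permission scope a contact-listing endpoint should enforce.

Added illustration, not Mautic code. The permission names and the
user/contact records below are constructed to mirror the report, where a
user holding only "view own" still receives a contact they no longer own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset  # constructed names, e.g. {"lead:leads:viewown"}


@dataclass(frozen=True)
class Contact:
    id: int
    owner_id: int


def list_contacts_buggy(contacts, user):
    # Reproduces the reported behaviour: the listing only checks that the
    # user may view contacts in some scope, never that each row is their own.
    if {"lead:leads:viewown", "lead:leads:viewother"} & user.permissions:
        return list(contacts)
    return []


def list_contacts_fixed(contacts, user):
    # Hardened form: "viewother" grants the full list; "viewown" alone forces
    # an owner filter, so a contact handed to someone else drops out of the
    # API response just as it does in the UI listing.
    if "lead:leads:viewother" in user.permissions:
        return list(contacts)
    if "lead:leads:viewown" in user.permissions:
        return [c for c in contacts if c.owner_id == user.id]
    return []


# Constructed reproduction of the report's steps: the reporter owns the
# contact (step 1), then ownership is moved to the admin (step 3).
REPORTER = User(id=7, permissions=frozenset({"lead:leads:viewown"}))
ADMIN_ID = 1
BEFORE = [Contact(id=101, owner_id=REPORTER.id)]
AFTER = [Contact(id=101, owner_id=ADMIN_ID)]


def reproduce():
    """Contact ids each variant returns to the reporter before/after the change."""
    return {
        "buggy": ([c.id for c in list_contacts_buggy(BEFORE, REPORTER)],
                  [c.id for c in list_contacts_buggy(AFTER, REPORTER)]),
        "fixed": ([c.id for c in list_contacts_fixed(BEFORE, REPORTER)],
                  [c.id for c in list_contacts_fixed(AFTER, REPORTER)]),
    }


if __name__ == "__main__":
    print(reproduce())
```

The buggy variant keeps returning contact 101 after the owner change, which is the behaviour the video shows; the fixed variant returns it only while the reporter owns it.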

abhisekmazumdar commented 1 month ago

I'm looking into this. If anyone has started working on this, please let me know.

abhisekmazumdar commented 1 month ago

I tried recreating this issue locally using a DDEV setup. I'm on the 5.1 branch. Here are the steps I followed:

  1. I created a user with only these role permissions:

     [screenshot of the role permissions]

  2. Then I created the contact with that user and made a GET API request to https://mautic.ddev.site/api/contacts. I see the newly created contact.

  3. I switched the contact owner to admin and hit save. I get an error screen saying I don't have access to this page (that's a fix we can do: redirect to the listing page and show the access error in a message box).

  4. I see no contact in the listing page, and the same in the API response.

I feel this may be a permission setup error? It would be great to know what permissions the user has.

RCheesley commented 3 weeks ago

@jaroslavhuss can you review the comments above?