View Assigned Only permissions not working properly in 1.8

[MCH]

Hi Sergey,

So I have finally had some time to test this properly on a blank installation and I am confident there is a bug in the way access lists are processed.

Summary: if you want to set Project Managers to "View Assigned Only" on more than one project, permissions break for at least 1 user. I have tested this behavior on 2 installations, 2 servers.

• Brand new CentOS 7 virtual machine, SELinux disabled
  Apache 2.4.6
  PHP 7.0.15 + modules
  MySQL Community 5.7

Environment...

1. Configured base CentOS virtual machine & disabled SELinux
   Add MySQL repository
   yum install httpd mysql-community-server php php-*<standard module list>
   Enable short_open tags in php.ini
   Test phpinfo file to make sure base install looks good
   Configure MySQL server, add "ruko" database and user with full permissions
   Unzip rukovoditel_1.8.zip to /var/www/html/
   Configure permissions...
   - chown root /var/www/html -Rf
   - chgrp apache /var/www/html -Rf
   - chmod 774 /var/www/html -Rf
   Browse to http://myserver/ - permissions check is OK
   Proceed with database installation, all OK
   Log in to Rukovoditel as admin user
   Unzip rukovoditel_ext_1.4.zip to /var/www/html/plugins/
   Install plugin from http://myserver/ > Rukovoditel > Extension > Install

That is my base installation installed and ready to go.

Steps to reproduce...

1. As Admin...
   Create 2 Manager users: User 1 and User 2
   Create 2 Projects: Project 1 and Project 2
   Go to Application Structure > Entities List > Projects > Access > Access Configuration
   Change Manager to "View Assigned Only" - so that managers can only maintain there own projects, not all projects.
   Go to Projects and Edit Project 1 & Project 2
   Assign both User 1 & User 2 to both projects
   Open a new browser window incognito
   Log in as "User 1"
   Both projects are visible, if you attempt to view the project you receive error "Access Forbidden - Sorry, you don't have access to this page"
   Log out of User 1, log in as "User 2"
   Both projects are visible, both projects can be viewed

If you change who has access to certain projects, it can break in various circumstances...

Project 1 - User 1, User 2
Project 2 - nobody
Results P1: User 1 OK, User 2 OK
Results P2: N/A

Project 1 - User 1, User 2
Project 2 - User 1, User 2
Results P1: User 1 forbidden, User 2 OK
Results P2: User 1 forbidden, User 2 OK

Project 1 - User 2
Project 2 - User 1, User 2
Results P1: N/A, User 2 OK
Results P2: User 1 forbidden, User 2 OK

Project 1 - nobody
Project 2 - User 1, User 2
Results P1: N/A
Results P2: User 1 OK, User 2 OK

[MCH]

Create 2 new "Developer" users called Dev 1 & Dev 2
Assign User 1, User 2, Dev 1, Dev 2 to Project 1 & Project 2
Results P1: User 1 and Dev 1 are forbidden, User 2 and Dev 2 are OK
Results P2: User 1 and Dev 1 are forbidden, User 2 and Dev 2 are OK

So it appears to be the first user of each user group that breaks.

[support]

Hi

I already tested it once you report about this issue. And I tested on Windows and Linux servers and I can't reproduce it. Also nobody else report about this issue and I think this can be issue with server configuration where data not saved properly and that is why you have this issue.

Is it possible to send me ftp to folder where you installed Ruko?
I need to debug code in your server since I can't reproduce it on my servers.
If it's possible send me ftp by email or private message.

[MCH]

Hi,

If you start with a base installation of 1.8 + extension 1.4 and follow my steps to reproduce, I am confident that it will fault.

Otherwise, I could give you remote access to my test server. It is not Internet facing so you would need to remote assist a workstation on my network first.

[support]

If you start with a base installation of 1.8 + extension 1.4 and follow my steps to reproduce, I am confident that it will fault.

Already done, and works ok.

Otherwise, I could give you remote access to my test server. It is not Internet facing so you would need to remote assist a workstation on my network first.

Do you have shared hosting? because just have access to ftp is not enough, I have to test how it looks in browser.

Also can you try reproduce the same issue in public demo?
https://www.rukovoditel.net/demo.php
Maybe I'm doing something wrong.

[MCH]

I could not fault on your public demo. Is that made from the same 1.8 and ext 1.4 zip files that are currently on your download pages?

My server is private and not internet facing. I will do 1 more test on a LAMP spinup tomorrow, see if I can fault it there, if I can I will look at either putting my server on the internet or asking if you can dial in with TeamViewer.

[support]

I could not fault on your public demo. Is that made from the same 1.8 and ext 1.4 zip files that are currently on your download pages?

Yes, 1.8 and ext 1.4 installed on demo

I will do 1 more test on a LAMP spinup tomorrow

yes, please.

I don't have TeamViewer, sorry.

[MCH]

Hi Sergey,

I have just completed my 3rd installation on a blank WAMP setup with Ruko 1.8 (MD5 2ef3ba734432ebff02ef6f422bc68f4e) and Ext 1.4 (MD5 5401134d79696cdadb02930e118c9857), exact same issue as reported above. This time on Windows with PHP 5.6.

Created blank database & db user
Ran through initial Ruko setup - created database tables and added admin user
Logged in as admin
Go to Extensions and installed with license key
Created 2 blank projects
Created 2 manager users (Username: user1, Firstname: 1, Lastname: User) and same again for user2
Assigned both manager users to team of both projects
Go to Application Structure > Entities List > Projects > Access > Access Configuration
Change Manager from View to View Assigned Only
Log out
Log in as user1 and attempt to view both projects, receive error "Access Forbidden"

I would really like to arrange a remote desktop session so that you can see that I am not crazy.

[MCH]

I have just noticed there is now v1.8.1, where are the changes notes for this release?

[MCH]

OK I have just completed a 4th test with Rukovoditel 1.8.1 and extension 1.4.1, same results.

I am going to contact you via email to arrange remote access so that we can get this sorted.