We are running SuiteCRM version 7.7.6. We have a few users who have the “show on employees” checkbox unchecked, and we have also enabled the Employees module in the global search.
Now when we search for a user, the global search returns the employee record as well, even though the “show on employees” checkbox is unchecked.
Could anyone guide me on how to stop employees from being returned when “show on employees” is unchecked in the Users module?
I managed to achieve this by customising the standard file; however, this is not upgrade safe.
Below is my solution; I hope it helps someone.
I modified the code below in modules/Home/UnifiedSearchAdvanced.php, around line 324.
I commented out the standard code below:
    if (count($where_clauses) > 0)
    {
        $where = '(('. implode(' ) OR ( ', $where_clauses) . '))';
    }

and updated it as below:

    if (count($where_clauses) > 0)
    {
        //custom code for listing only employees with user kind as employee at the global search
        if ($moduleName != 'Employees') {
            $where = '(('. implode(' ) OR ( ', $where_clauses) . '))';
        }
        else {
            // leading space and no stray quote, so the appended condition is valid SQL
            $where_additional = " AND users.show_on_employees = 1";
            $where = '(('. implode(' ) OR ( ', $where_clauses) . '))' . $where_additional;
        }
        //end -custom code for listing only employees with user kind as employee at the global search
    }
And then in modules/Home/UnifiedSearchAdvanced.php around line 324 you would check the searchdefs and add the value there if it exists.
So this would be a great addition, allowing for generic where clauses to be added to Global search, for any module, based on a simple parameter in a definitions file.
and you still want to check for the additional where clause?
Is there elsewhere in the code a place where the WHERE clause is set to NULL or something else?
Two more suggestions:
- Since the standard code wraps each WHERE clause within parentheses, I would do the same for the additional WHERE clause.
- The modified code uses AND, while the standard uses OR: in both cases it is not possible to customise OR or AND. (A lot more complex to implement, though.)
@amariussi you are right that to handle this, the query construction needs to be a bit better designed, although I don’t think it needs to be very complicated in order to be useful.
I think that joining with OR is the correct thing here, because it adds to the results; then you can use AND inside your clauses if you need.
You can use AND or OR as you prefer, inside the clause itself. The clause can contain sub-clauses, no problem.
The string {1} will get replaced by the query string (whatever the user searched for). This is useful so that you can add more results to the search in specific modules. My example (in the comment on top of that commit) will let you search for phone numbers by prefix: typing just 337, it will search for (337)%
I think that it could be useful, but at the same time it would open a security issue, since you are actually allowing someone to enter some code that, instead of being limited to its purpose, could go well beyond it and potentially do anything to the system.
This would also require a little documentation (not complicated though).
If you mean the clause itself, anybody with access to searchdefs.php, or any PHP file that gets included, is already owner of the system. It’s game over for the good guys, at that point.
So I don’t think this is different from this kind of thing:
But you are right that more care would need to be taken for the trick with the “{1}” argument. That is user input and would need to be sanitized, basically throwing away anything that isn’t a simple string, or that has trick-characters (quotes, brackets, etc). We have a function called “quote” in our DBManager classes that does that, I believe.
But that is not finished code; for now I am just asking whether this is practical and works. I can tighten up security when I make a PR.
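
The `{1}` sanitization discussed in the last posts, as an added example that is not part of the thread or of SuiteCRM's code. `expandSearchClause`, `demoQuote`, the sample template and its column name are hypothetical; `demoQuote` only stands in for the DBManager "quote" method mentioned above so that the script runs on its own.

```php
<?php
declare(strict_types=1);

// Stand-in for the DBManager "quote" method mentioned in the thread, so the
// example runs outside SuiteCRM (assumption: MySQL-style backslash escaping).
function demoQuote(string $value): string
{
    return strtr($value, ['\\' => '\\\\', "'" => "\\'", '"' => '\\"']);
}

// Hypothetical helper: expand the {1} placeholder of a clause taken from a
// definitions file. $template is trusted configuration; $term is user input.
function expandSearchClause(string $template, string $term, callable $quote): ?string
{
    // Allow-list: keep letters, digits, spaces and . @ + only. Quotes,
    // brackets, semicolons, comment markers and LIKE wildcards are dropped.
    $clean = trim(preg_replace('/[^\p{L}\p{N} .@+]/u', '', $term) ?? '');
    if ($clean === '' || strlen($clean) > 64) {
        return null; // nothing usable left: the caller skips the extra clause
    }
    // Escape what survives as well, in case the allow-list is widened later.
    $escaped = $quote($clean);
    // Parenthesise the clause, as the standard code does for each one.
    return '(' . str_replace('{1}', $escaped, $template) . ')';
}

// Constructed inputs: a template in the style of the phone-prefix case above,
// one ordinary search term and two terms carrying quotes and brackets.
$template = "contacts.phone_work LIKE '({1})%'";
foreach (['337', "337') OR 1=1 -- ", "');"] as $term) {
    var_dump(expandSearchClause($template, $term, 'demoQuote'));
}
```

A `null` return means the extra clause is left out of the OR-joined list, so a rejected term never reaches the query text.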