Strict Rights check makes generic roles useless and generates inconsistencies


Enabling the “strict rights” check in the security suite configuration causes an inconsistency that causes generic roles to not work as expected.

How to reproduce the issue?

  1. Check the “strict rights” check in security suite configuration
  2. You need 2 users, both of them with the same role and the same security group, both assigned directly to the users.
  3. Assign the “Group” permission to all columns and rows in the role
  4. You create a Contact with the first user
  5. Then log in with the second user
  6. On the Contact list view you can see the contact created, but you cannot edit or view the detail

That is an inconsistency since all of them have the same permission: Group.

In the documentation we found a rather cryptic statement:

“Another key setting is “Strict Rights”. In the scenario above the default settings will cause the links on the List View for the team Leads to show with no link for records that are assigned to your group. In many cases you will want to uncheck “Strict Rights” so that you can assign groups in the manner described in this doc.”

whereas in the SuiteCRM security suite configuration we can read under “strict rights”:

“If a user is a member of several groups only the respective rights from the group assigned to the current record are used”

In our understanding, having strict rights checked should not make generic roles fail. In fact, having another check in the configuration, “User Role Precedence”, seems to reinforce our understanding.

If our understanding is correct, function groupHasAccess in SecurityGroup.php should be patched when securitysuite_strict_rights is true.

Any insights will be appreciated.


It would be great if we could get a comment from Jason (@eggsurplus) on this.

Yes, it would be great if we can have some insights from Jason ( @eggsurplus ).