User with no permissions to edit is still able to add records in sub panels

I am trying to set up user accounts for an internal web development project with a bunch of custom modules. For that, there will be user accounts with different permissions needed.

Therefore I have created a role of which users are not able to edit, delete and import. Users of this role are however indeed able to Access, Export, List and View.

When I log in with a user of this role, everything works like a charm up until the point where I enter a custom module in which sub panels are present. For some reason, the “Create” option of the sub panel is gone but on the other hand I am still able to add an entry onto the sub panel permanently. I also tried to refresh and re-log. The relationship between the two entities is indeed established afterwards.

For my purpose, this should not be possible. Yet, I do want those users to enter the details of the record from the list view. I just don’t want the user to add something in the sub panel.

Is there some option I have missed?

Is there some way to handle this dynamically? Maybe to hook into the corresponding event and check the user role prior to establishing the connection between two entities? Or maybe to just disable the button at all when a user is browsing through without the necessary permissions?

Thanks in advance!

There is one side of the Security Groups scheme that people often neglect - assigning security groups to the records (like an Account or Contact), not just assigning users to groups.

Have you been doing that?

If so, then we would first need to determine if this is a bug in SuiteCRM. Can you reproduce this behaviour without custom fields? And does it happen in the live demo?

This one allows Admin access:
https://www.softaculous.com/demos/SuiteCRM

I am not really sure whether that answers my question.

Even if I created certain Security Groups, assigned Records, User and Roles to those: the question of how I actually make it impossible for users without edit rights to add records into subpanels remains.

Up until this point I am able to restrict the rights of users in such a way that they will not be able to alter fields of a record such as text fields/areas, floats, relate fields, dates etc. They are also even incapable of creating new records in a sub panel. Only the fact that they can add (“select”-button) already existing records in subpanels in x-to-many-relationships is yet to be tackled. Everything else works as intended.

I know there is a possibility to manage this dynamically with custom code by adding a .php for the layoutdefs but I would have to do it for every single module I want the “read only”-user to be able to look into. I’d rather not do that.

I will try to reproduce what I am trying to achieve in your demo, however it seems that it takes a bit of time for everything.

Security settings are somewhat complicated. I am just trying to establish if your configuration is correct (I am a bit experienced with this and I still make mistakes and misunderstand parts of it).

If it is correct, then I would say this is a bug. If security is telling SuiteCRM not to let users edit, then there shouldn’t be any holes in this (via subpanels or any other way).

You might get a better response than mine if you ask here:

https://store.suitecrm.com/support/securitysuite

The developer who contributed this valuable module to SuiteCRM will answer you, and I am sure he will be grateful for your report, if this is in fact a bug.