starred/SuiteCRM-SuiteCRM
1
0
Fork 0
mirror of https://github.com/SuiteCRM/SuiteCRM.git synced 2026-03-02 19:16:58 -05:00
Code Issues 1.2k Projects Packages Wiki Activity

Elasticsearch: ACLs are not respected in search results #3519

New issue
Open
opened 2026-02-20 16:06:26 -05:00 by deekerman · 2 comments
deekerman commented 2026-02-20 16:06:26 -05:00
Owner
Copy link

Originally created by @dawid-zaroda on GitHub (Jan 22, 2019).

Issue

When user haven't access to record, it will be still visible in search results from Elasticsearch, with all data shown on results list.

Expected Behavior

Displaying search result should respect ACLs and filter results if user shouldn't access them.

Actual Behavior

System doesn't filter results.

Steps to Reproduce

  1. Create role with Owner on all possible rights for Accounts module (or Unset if Owner is no present)
  2. Create new standard user and assign him created role
  3. Create few accounts related to admin and to new user
  4. Login as new user
  5. Type name of account related to admin in global search box

Your Environment

  • SuiteCRM Version used: 7.11.0
  • Browser name and version: Google Chrome 71.0.3578.98 64-bit
  • Environment name and version: PHP 7.1, Elasticsearch 5.6.13
  • Operating System and version: Ubuntu 16.04.4
Originally created by @dawid-zaroda on GitHub (Jan 22, 2019). <!--- Provide a general summary of the issue in the **Title** above --> <!--- Before you open an issue, please check if a similar issue already exists or has been closed before. ---> <!--- If you have discovered a security risk please report it by emailing security@suitecrm.com. This will be delivered to the product team who handle security issues. Please don't disclose security bugs publicly until they have been handled by the security team. ---> #### Issue When user haven't access to record, it will be still visible in search results from Elasticsearch, with all data shown on results list. #### Expected Behavior Displaying search result should respect ACLs and filter results if user shouldn't access them. #### Actual Behavior System doesn't filter results. #### Steps to Reproduce 1. Create role with *Owner* on all possible rights for Accounts module (or Unset if Owner is no present) 2. Create new standard user and assign him created role 3. Create few accounts related to admin and to new user 4. Login as new user 5. Type name of account related to admin in global search box #### Your Environment <!--- Include as many relevant details about the environment you experienced the bug in --> * SuiteCRM Version used: 7.11.0 * Browser name and version: Google Chrome 71.0.3578.98 64-bit * Environment name and version: PHP 7.1, Elasticsearch 5.6.13 * Operating System and version: Ubuntu 16.04.4
deekerman commented 2026-02-20 16:06:27 -05:00
Author
Owner
Copy link

@pgorod commented on GitHub (Jan 22, 2019):

It seems the same thing happens on Advanced Search:

https://suitecrm.com/suitecrm/forum/developer-help/21561-document-revisions-still-showing-in-global-search-although-documents-module-is-restricted

@pgorod commented on GitHub (Jan 22, 2019): It seems the same thing happens on Advanced Search: https://suitecrm.com/suitecrm/forum/developer-help/21561-document-revisions-still-showing-in-global-search-although-documents-module-is-restricted
deekerman commented 2026-02-20 16:06:27 -05:00
Author
Owner
Copy link

@fosullivan-usam commented on GitHub (Apr 29, 2020):

I can confirm that this issue happens with ElasticSearch, even in SuiteCRM 7.11.13. It does NOT happen with Basic or Advanced searches.

Users in a Security Group with limited access to records can see all the ListView columns of all Accounts, Contacts, Opportunities, and Notes records. When they click on the name of any record, they are (correctly) presented with a page that says, "You do not have access to this area. Contact your site administrator to obtain access. Redirect to Home in 3 seconds"

I have had to turn-off ElasticSearch until this issue is fixed.

@fosullivan-usam commented on GitHub (Apr 29, 2020): I can confirm that this issue happens with ElasticSearch, even in SuiteCRM 7.11.13. It does NOT happen with Basic or Advanced searches. Users in a Security Group with limited access to records can see all the ListView columns of all Accounts, Contacts, Opportunities, and Notes records. When they click on the name of any record, they are (correctly) presented with a page that says, "You do not have access to this area. Contact your site administrator to obtain access. Redirect to Home in 3 seconds" I have had to turn-off ElasticSearch until this issue is fixed.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
hotfix
develop
master
feature/php-8.4-compatibility
hotfix-7.14.x
next
feature/campaigns_revert
v7.15.0
v7.14.8
v7.14.7
v7.14.6
v7.14.5
v7.14.4
v7.14.3
v7.12.14
v7.14.2
v7.14.1
v7.12.13
v7.14.0
v7.14.0-beta
v7.13.4
v7.12.12
v7.12.11
v7.13.3
v7.12.10
v7.13.2
v7.12.9
v7.13.1
v7.13.0
v7.13.0-beta
v7.12.8
v7.12.7
v7.12.6
v7.12.5
v7.12.4
v7.12.3
v7.10.36
v7.12.2
v7.10.35
v7.12.1
v7.10.34
v7.11.23
v7.12.0
v7.12-rc
v7.11.22
v7.10.33
v7.11.21
v7.10.32
v7.11.20
v7.10.31
v7.11.19
v7.10.30
v8.0.0-beta.1
v7.10.29
v7.11.18
v7.11.17
v7.11.16
v7.10.28
v7.11.15
v7.10.27
v7.11.14
v7.10.26
v7.11.13
v7.10.25
v7.11.12
v7.10.24
v7.10.23
v7.11.11
v7.10.22
v7.11.10
v7.10.21
v7.11.9
v7.11.8
v7.10.20
v7.11.7
v7.10.19
v7.8.31
v7.10.18
v7.11.6
v7.11.5
v7.10.17
v7.8.30
v7.11.4
v7.10.16
v7.8.29
v7.11.3
v7.10.15
v7.8.28
v7.11.2
v7.10.14
v7.8.27
v7.11.1
v7.8.26
v7.10.13
v7.11.0
v7.10.12
v7.8.25
v7.11-rc-2
v7.11-rc
v7.10.11
v7.8.24
v7.11-beta
v7.10.10
v7.8.23
v7.10.9
v7.8.22
v7.10.8
v7.8.21
v7.10.7
v7.10.6
v7.8.20
v7.10.5
v7.8.19
v7.10.4
v7.10.3
v7.9.17
v7.8.18
v7.8.17
v7.10.2
v7.9.16
v7.8.16
7.9.15
v7.10.1
v7.10.0
v7.9.14
v7.8.15
v7.8.14
v7.9.13
v7.10-RC-2
v7.8.13
v7.9.12
v.7.9.11
v7.9.11
v7.8.12
v7.9.10
v7.8.11
v7.10-RC
v7.9.9
v7.8.10
v7.10-beta-3
v7.9.8
v7.8.9
v7.10-beta-2
v7.10-beta
v7.9.7
v7.8.8
v7.8.7
7.9.6
v7.9.5
v7.8.6
v7.9.4
v7.9.3
v7.9.2
v7.9.1
v7.8.5
v7.9.0
v7.8.4
v7.9.0-rc
v7.9.0-beta
v7.8.3
v7.8.2
v7.8.1
v7.8.0
v7.8.0-rc
v7.8.0-beta.2
v7.7.9
v7.8.0-beta
v7.7.8
v7.6.10
v7.7.7
v7.6.9
v7.7.6
v7.6.8
v7.7.5
v7.6.7
v7.7.4
v7.7.3
v7.7.2
v7.7.1
v7.7
v7.7-rc2
v7.7-rc
v7.6.6
v7.5.5
v7.6.5
v7.5.4
v7.7-beta2
v7.7-beta1
v7.6.4
v7.6.3
v7.6.2
v7.6.1
v7.6
v7.6-rc
v7.6-beta.2
v7.6-beta-1
v7.5.3
v7.5.2
v7.5.1
v7.5
v7.5-rc
v7.5-beta.2
v7.5-beta
v7.4.3
v7.4.2
v7.4.1
v7.4
v7.3.2
v7.4-rc
v7.4-beta.2
v7.4-beta
v7.3.1
v7.2.4
v7.3
v7.1.8
v7.3beta3
v7.2.3
v7.3-beta
v7.2.2
7.2.2
v7.1.7
7.1.7
v7.1.6
v7.2.1
v7.2
v7.2beta3
v7.1.5
v7.2beta2
v7.2beta
v7.1.4
v7.1.3
v7.1.2
v7.1.1
v7.1
v7.1RC2
v7.1RC
v7.1beta2
v7.1beta
v7.0.2
v7.0.1
Labels
Clear labels   
Area: API

   
Area: Campaigns

   
Area: Cases

   
Area: Clean Up

   
Area: Clean Up: Performance

   
Area: Dashlets

   
Area: Databases

   
Area: Developer Tools

   
Area: Elasticsearch

   
Area: Elasticsearch

   
Area: Emails

   
Area: Emails:Campaigns

   
Area: Emails:Cases

   
Area: Emails:Compose

   
Area: Emails:Config

   
Area: Emails:Templates

   
Area: Environment

   
Area: Installation

   
Area: Language

   
Area: Mobile

   
Area: Module

   
Area: PDFs

   
Area: PHP8

   
Area: Reports

   
Area: Studio

   
Area: Styling

   
Area: Upgrading

   
Area: Workflow

   
Area:Activity Stream

   
Area:Calls

   
Area:Import

   
Area:Projects

   
Area:Search

   
Area:Surveys

   
Area:Themes

   
Area:Users

   
Branch:Hotfix

   
Good First Issue

   
Hacktoberfest

   
Help Wanted

   
PR:Community Contribution

   
PR:Type:Enhancement

   
Priority:Critical

   
Priority:Important

   
Priority:Moderate

   
Severity: Major

   
Severity: Minor

   
Severity: Moderate

   
Status: Requires Code Review

   
Status: Requires Updates

   
Status: Stale

   
Status: Team Investigating

   
Status:Assessed

   
Status:Fix Proposed

   
Status:Needs Assessed

   
Status:Requires Automated Tests

   
Type: Bug

   
Type:Deprecated

   
Type:Discussion

   
Type:Duplicate

   
Type:Invalid

   
Type:Question

   
Type:Suggestion

   
Type:Suggestion
No labels
Area: API
Area: Campaigns
Area: Cases
Area: Clean Up
Area: Clean Up: Performance
Area: Dashlets
Area: Databases
Area: Developer Tools
Area: Elasticsearch
Area: Elasticsearch
Area: Emails
Area: Emails:Campaigns
Area: Emails:Cases
Area: Emails:Compose
Area: Emails:Config
Area: Emails:Templates
Area: Environment
Area: Installation
Area: Language
Area: Mobile
Area: Module
Area: PDFs
Area: PHP8
Area: Reports
Area: Studio
Area: Styling
Area: Upgrading
Area: Workflow
Area:Activity Stream
Area:Calls
Area:Import
Area:Projects
Area:Search
Area:Surveys
Area:Themes
Area:Users
Branch:Hotfix
Good First Issue
Hacktoberfest
Help Wanted
PR:Community Contribution
PR:Type:Enhancement
Priority:Critical
Priority:Important
Priority:Moderate
Severity: Major
Severity: Minor
Severity: Moderate
Status: Requires Code Review
Status: Requires Updates
Status: Stale
Status: Team Investigating
Status:Assessed
Status:Fix Proposed
Status:Needs Assessed
Status:Requires Automated Tests
Type: Bug
Type:Deprecated
Type:Discussion
Type:Duplicate
Type:Invalid
Type:Question
Type:Suggestion
Type:Suggestion
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/SuiteCRM-SuiteCRM#3519
No description provided.