Roles: can't remove related record from subpanel without "delete" right on related module #3620

Open
opened 2026-02-20 16:07:46 -05:00 by deekerman · 4 comments

Originally created by @Jorilx on GitHub (Mar 13, 2019).

In modules that use subpanels to show related records the "remove" button appears only if you have the "delete" right on the RELATED module, not on the main one.
This looks wrong to me, since I'm looking to remove the RELATION between the records, not the related record itself.

For example: I have a "Marketing" user group that needs to handle Target Lists, and because of this issue if I want to allow them to remove contacts from a target list I have to grant them the "delete" right on Contacts. I would prefer that they could just fiddle with target lists, not delete contacts from our CRM :)

Another example: if my user has a role that can view/edit/delete Accounts but can only view Contacts, in the Accounts module I will see no "edit" or "remove" buttons on the Contacts subpanel. The visibility of the "remove" button should be tied to my rights on Accounts, not Contacts, since I'm trying to remove a relation of Accounts, not deleting a Contact.

I think the related code is inside `process_dynamic_listview_rows` from `include/ListView/ListViewSubPanel.php`

SuiteCRM 7.10.12

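To make the access decision being argued about concrete, here is an added example (not SuiteCRM's code and not the reporter's patch) that models `SugarBean::ACLAccess()` with a small stand-in class and evaluates the two role setups from the report under three candidate rules, each checked from both sides of the relationship. The module name `ProspectLists` for Target Lists, the role grants and the helper names are assumptions constructed for the illustration.

```php
<?php
// Added example, not SuiteCRM's code. A stand-in for SugarBean::ACLAccess() backed by a
// small role table, used to compare three rules for deciding whether the subpanel
// "remove" action is allowed. Module names (ProspectLists = Target Lists) and the role
// grants are assumptions constructed from the two scenarios in the issue.

final class FakeBean
{
    /** @var string */
    public $module;
    /** @var array<string, string[]> module => granted actions */
    private $grants;

    public function __construct(string $module, array $grants)
    {
        $this->module = $module;
        $this->grants = $grants;
    }

    // Same shape as SugarBean::ACLAccess($view) only. The real method also takes
    // owner/in-group flags and consults ACLController; this one just reads the table.
    public function ACLAccess(string $action): bool
    {
        return in_array($action, $this->grants[$this->module] ?? [], true);
    }
}

/**
 * May the current user remove the relationship shown in a subpanel row?
 *   related_delete  Delete right on the related module (behaviour the issue reports)
 *   parent_delete   Delete right on the parent module (what the posted patch does)
 *   both_edit       Edit right on both modules (symmetric: same answer from either side)
 */
function canRemoveRelation(FakeBean $parent, FakeBean $related, string $policy): bool
{
    switch ($policy) {
        case 'related_delete':
            return $related->ACLAccess('Delete');
        case 'parent_delete':
            return $parent->ACLAccess('Delete');
        case 'both_edit':
            return $parent->ACLAccess('EditView') && $related->ACLAccess('EditView');
        default:
            throw new InvalidArgumentException("unknown policy: $policy");
    }
}

/** Evaluate one rule from both sides of the relationship and report whether it agrees. */
function evaluate(array $grants, string $parentModule, string $relatedModule, string $policy): array
{
    $parent  = new FakeBean($parentModule, $grants);
    $related = new FakeBean($relatedModule, $grants);
    $fromParent  = canRemoveRelation($parent, $related, $policy);   // parent detail view, related subpanel
    $fromRelated = canRemoveRelation($related, $parent, $policy);   // related detail view, parent subpanel
    return [
        'from_parent'  => $fromParent,
        'from_related' => $fromRelated,
        'consistent'   => $fromParent === $fromRelated,
    ];
}

// Constructed roles for the two scenarios in the issue.
$scenarios = [
    // "Marketing": full rights on Target Lists, view-only on Contacts.
    'Marketing: Target Lists <-> Contacts' => [
        ['ProspectLists' => ['ListView', 'DetailView', 'EditView', 'Delete'],
         'Contacts'      => ['ListView', 'DetailView']],
        'ProspectLists', 'Contacts',
    ],
    // view/edit/delete on Accounts, view-only on Contacts.
    'Accounts <-> Contacts' => [
        ['Accounts'  => ['ListView', 'DetailView', 'EditView', 'Delete'],
         'Contacts'  => ['ListView', 'DetailView']],
        'Accounts', 'Contacts',
    ],
];

foreach ($scenarios as $label => [$grants, $parentModule, $relatedModule]) {
    echo $label, "\n";
    foreach (['related_delete', 'parent_delete', 'both_edit'] as $policy) {
        $r = evaluate($grants, $parentModule, $relatedModule, $policy);
        printf("  %-15s seen from %-13s: %-3s  seen from %-8s: %-3s  consistent: %s\n",
            $policy,
            $parentModule,  $r['from_parent']  ? 'yes' : 'no',
            $relatedModule, $r['from_related'] ? 'yes' : 'no',
            $r['consistent'] ? 'yes' : 'no');
    }
}
```

Run it with `php` (7.1 or later). Both `related_delete` and `parent_delete` give a different answer depending on which record's detail view the user is looking at, which is the inconsistency raised later in the thread; `both_edit` agrees from either side but, for the Marketing role as constructed here, denies the removal that the reporter wants to allow without granting Delete on Contacts. Whichever rule is adopted, it has to be enforced where the unlink is actually performed on the server, not only where `process_dynamic_listview_rows` decides whether to render the button: a hidden button is a UI hint, not an authorization check.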

@Jorilx commented on GitHub (Mar 13, 2019):

Suggested patch:

--- include/ListView/ListViewSubPanel.php
+++ include/ListView/ListViewSubPanel.php
@@ -386,7 +386,7 @@
                 $field_acl['DetailView'] = $aItem->ACLAccess('DetailView', $aclaccess_is_owner, $aclaccess_in_group);
                 $field_acl['ListView'] = $aItem->ACLAccess('ListView', $aclaccess_is_owner, $aclaccess_in_group);
                 $field_acl['EditView'] = $aItem->ACLAccess('EditView', $aclaccess_is_owner, $aclaccess_in_group);
-                $field_acl['Delete'] = $aItem->ACLAccess('Delete', $aclaccess_is_owner, $aclaccess_in_group);
+                $field_acl['Delete'] = BeanFactory::newBean($this->source_module)->ACLAccess('Delete');
                 /* END - SECURITY GROUPS */
                 foreach ($thepanel->get_list_fields() as $field_name => $list_field) {
                     //add linked field attribute to the array.
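Review bot: the replaced line drops the `$aclaccess_is_owner` / `$aclaccess_in_group` arguments that the three surrounding `$field_acl` lines still pass, and `BeanFactory::newBean($this->source_module)` returns an empty bean, so an owner-only or security-group-scoped Delete right on the parent module cannot be evaluated against the record that actually hosts the subpanel; pass the real parent bean together with its own owner/in-group flags (for example `$parentBean->ACLAccess('Delete', $parent_is_owner, $parent_in_group)`, hypothetical names) so the Delete decision is scoped the same way as `DetailView`, `ListView` and `EditView` above it. Whatever bean is used, resolve it once before the per-row loop rather than constructing a new one for every row. Note also that this hunk only changes the `$field_acl` flags used when rendering the row, so the action that performs the unlink needs the same rule or the button's visibility is cosmetic.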


@gunnicom commented on GitHub (Mar 13, 2019):

I do not know which is the wanted behaviour here, but it should be consistent.
If you are allowed to remove the relation from one side, you should be able to remove the relation from the other side, too.


@willrennie commented on GitHub (Apr 4, 2019):

Marking this as a suggestion for now. We can see the point of view from both arguments for/against this, but would not deem it a bug currently.


@Jorilx commented on GitHub (Apr 4, 2019):

I agree it's not a bug, more of a security concern :) This issue makes it necessary to grant a role more rights than needed (and possibly destructive ones).

Reference
starred/SuiteCRM-SuiteCRM#3620