Possible error: Quicksearch does not filter by Security Groups on new Opportunities on field "Assigned to" #5280

Open
opened 2026-02-20 16:32:20 -05:00 by deekerman · 0 comments

Originally created by @cautbur on GitHub (Nov 26, 2024).

Issue

When we create a new Opportunity and want to change the field "assigned to", quick search provides the complete list of users without filtering by Security Groups.

After digging into the code, I can see that this is because the JavaScript launches a request in which some parameters do not change. You can see it in the file jssource/src_files/include/javascript/quicksearch.js, on lines 162-168.

              ...
              var out = SUGAR.util.paramsToUrl({
                to_pdf: 'true',
                module: 'Home',
                action: 'quicksearchQuery',
                data: YAHOO.lang.JSON.stringify(this.sqs),
                query: decodeURIComponent(sQuery)
              });
              ...

This request will be processed by the file modules/Home/quicksearchQuery.php, which will load the file modules/Home/QuickSearch.php and instantiate the class quicksearchQuery (I am speaking of a fresh install; if you have customized this file and class, this may or may not occur ...). Finally, in the code the method "get_user_array" will be called; this one will call the method getUserResults, which will call the method getUserArray, which, depending on your configuration, will call getUserArrayFromFullName, which is OK, or get_user_array, which is not OK. These two functions are in include/utils.php and are global.

Why get_user_list fails: if you check the code of these two functions, there is an if condition which checks whether the query has to be filtered by Security Groups, but in get_user_list there are more conditions. One is that the AJAX parameter module has to be not equal to 'Home', and this is the reason why this check will fail every time and give us the complete list of users.

Since I cannot understand how the JavaScript variable sqs_objects is defined, and there are indexes used by the data which fills the call in the code shown above, I cannot assert that this will occur every time, but I suspect that it will occur in other places.

Also, I don't know if this behaviour is the desired one or is really an error.

PS: I'm not a native English speaker; please take that into account if the text is not well expressed.

Possible Fix

Since I don't consider myself an expert on SuiteCRM, I will list possible solutions to open a discussion that could be answered by an expert.

  1. Change the module in the JavaScript file mentioned above.
  2. Comment out the condition that checks that the module parameter is equal to 'Home'; you can see that in the other function, getUserArrayFromFullName, it is not used.
  3. In my case, meanwhile, since quicksearchQuery can be extended, as shown in the file modules/Home/quicksearchQuery.php, I will extend it temporarily; it is a matter of adding a new method called getUserArray to handle this. If you want the source I can give it to you, but this is something temporary while this is resolved.

Steps to Reproduce the Issue

1. Go to Opportunities.
2. Create a new one.
3. Change the "Assigned to" field by typing; the autocompletion/quicksearch will give you users that are not in your security group.

Context

I was trying to add a new Opportunity but assigning it to another user of the same security group.

Version

Tested on 7.11.18, 7.14.13 and 8.x of demo https://suite8demo.suiteondemand.com/

What browser are you currently using?

Chrome

Browser Version

No response

Environment Information

As far as I know, as I explained, the problem is not conditioned by the system PHP version or MySQL.

Operating System and Version

Ubuntu 22.04
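
Added example, not part of the original issue and not SuiteCRM code: a JavaScript model of the filter decision the report describes, next to option 2 from the list of possible fixes, with a regression check that counts out-of-group results. The user list, group names, the `filterUserList` setting and all function names are constructed for illustration.

```javascript
// Model of the behaviour described in the issue. All names are hypothetical and
// the user data is constructed; this is not SuiteCRM source code.
const USERS = [
  { name: 'alice', groups: ['sales-north'] },
  { name: 'bob',   groups: ['sales-north'] },
  { name: 'carol', groups: ['sales-south'] },
  { name: 'dave',  groups: ['support'] },
];

// Parameters as sent by quicksearch.js: module is always 'Home',
// whichever module's form the user is actually editing.
function quicksearchRequest(query) {
  return { to_pdf: 'true', module: 'Home', action: 'quicksearchQuery', query };
}

// Filter decision as the issue describes it: group filtering is skipped
// whenever the request's module parameter equals 'Home'.
function filterAppliesAsReported(request, user, config) {
  return !user.isAdmin && config.filterUserList && request.module !== 'Home';
}

// Option 2 from the issue: the decision uses only server-side state
// (session user and configuration), never a request parameter.
function filterAppliesServerSide(_request, user, config) {
  return !user.isAdmin && config.filterUserList;
}

const sharesGroup = (a, b) => a.groups.some(g => b.groups.includes(g));

function searchUsers(request, user, config, filterApplies) {
  let hits = USERS.filter(u => u.name.startsWith(request.query));
  if (filterApplies(request, user, config)) {
    hits = hits.filter(u => sharesGroup(u, user));
  }
  return hits.map(u => u.name);
}

// Regression check: names returned to the caller that share no group with them.
function outOfGroupResults(request, user, config, filterApplies) {
  const allowed = new Set(USERS.filter(u => sharesGroup(u, user)).map(u => u.name));
  return searchUsers(request, user, config, filterApplies).filter(n => !allowed.has(n));
}
```

A check like `outOfGroupResults` is the kind of assertion to keep in a test suite for any endpoint that serves the user picker, run once per calling module value.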
