#97 Task assigned-to can not update task - permission problem
Consider the following Scenario:
Account Manager creates a Case, creates a Task associated to the Case
Account Manager assigns the task to a Sales Rep ("Calendar attendee")
(Customized) Sales Rep security permissions include:
[CRMSFA_ACTS_VIEW] Access to the Activities function of the application.
[CRMSFA_ACT_CREATE] Create a new Activity: Event or Task.
[CRMSFA_ACT_UPDATE] Update an existing Activity: Event or Task.
[CRMSFA_ACT_VIEW] View an Activity: Event or Task.
[CRMSFA_CASES_VIEW] Access to the Cases function of the application.
[CRMSFA_CASE_CREATE] Create a new Case.
[CRMSFA_CASE_UPDATE] Update an existing Case.
Now Sales Rep can see the task in her calendar, can finish it, but not update it (permission denied); although it would be particularly useful to update the description field.
In contrast Sales Rep can update the Case.
With this set of permissions the Sales Rep can create new activities and update them. The problem then lies with activities created by a third party.
In my view [CRMSFA_ACT_UPDATE] should give the right to update an activity created by a third party whereto one is assigned.
Logged In: YES
user_id=908761
Originator: NO
I don't disagree with what you're saying. Could you post the log with the error messages so we could track down why this is happening?
Logged In: YES
user_id=1808441
Originator: YES
Si,
attached is the log for the call to the page crmsfa/control/updateTaskForm?workEffortId=...
resulting in a "Sorry, you do not have permission to perform this action."
File Added: ofbiz.log
Logged In: YES
user_id=908761
Originator: NO
Are there any accounts related to the activity? If so, I *think* the problem is that your sales rep might not have permissions related to the account. In this case then I think the system is doing the right thing, and you should add that permission to your sales rep.
If not, and if the activity is only related to the case, then it might not be checking the case correctly. To allow us to test and fix it, please create an entity engine XML file with the security permissions and group settings and a couple of unique user logins and then tell us exactly the steps to follow (which user creates the case, activity, which user tries to update it, etc.)
Logged In: YES
user_id=1808441
Originator: YES
OK. I prepared a test case on demo1.opentaps.org
Created new user:
----
"Tech Guy": login name=techguy, password=techguy, id=10021, role=Customer Service Rep
Member of DemoSalesTeam1
Amongst others, has permission [CRMSFA_ACT_UPDATE] Update an existing Activity: Event or Task, part of the security profile SALES_REP_LIMITED (which I left untouched)
Relationship "Security Sales Rep with ability to view only."
Now:
----
Customer account = DemoAccount1
Case = DemoCase1
Created new Activity: 10005, assigned 10021
Log in as Tech Guy:
The task shows up in Calendar. Good.
Can view the Task 10005. Good.
Can not edit the Task 1005. Not Good!
The use case:
----
Support guy asking a Tech guy to do an investigation in relation to a Case.
Tech guy should be able to comment on the task (=editing the "description" field)
before finishing it.
We don't need/want the Tech guy to have permissions to update Customer Accounts.
Logged In: YES
user_id=1808441
Originator: YES
I did a SVN update, tested again and it now seems to work like I suggested it should. (rev. 4557)
Thanks.