Group Permission: Users View Allow - not show LDAP synced user

[voklav]

Edit: only users with granted: Global: Super User can see LDAP synced users.

Debug mode

• [X] I have enabled debug mode
• [X] I have read checked the Common Issues page

Describe the bug

In the process of implementing the software, at the beginning, I created 5 - 6 users. after a month or two we implemented LDAP. Everything works as we expect. We use a tag to allow login for certain people and everything works fine.

But when I create a group with permission: Users View Allow. And adds a user to it. I log in with it and I can't see the ldap synced users. Only see these 5-6 users that I created outside of LDAP...

can anyone confirm if this is a known issue or if is it some special case with our configuration?

I tried to bypass the groups by creating the same permissions for the user without being in a group: the result is the same

Reproduction steps

1. Sync user with Ldap from global/any admin.
2. create a test group with permission Users View Allow
3. Assing test user to test group. Set up Allow login to that user.
4. Login with the test user and try to view users. ...

Expected behavior

to see the LDAP sync users

Screenshots

No response

Snipe-IT Version

Version v6.2.4-pre - build 12343 (master)

Operating System

Ubuntu 22.04.3 LTS

Web Server

Apache

PHP Version

PHP 8.1.2-1ubuntu2.14

Operating System

No response

Browser

No response

Version

No response

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

No response

Edit: only users with granted: Global: Super User can see LDAP synced users.

[Godmartinz]

Hmm I followed your steps and I'm not able to reproduce this issue. I can see all the synced users. 🤔

[voklav]

Well, I spent some time and found the problem. But not a solution.

More explanations are needed...

The problem is that the query that retrieves the users on the webUI: checks the company_id and is related to inheriting it.

select `users`.`activated`, `users`.`created_by`, `users`.`address`, `users`.`avatar`, `users`.`city`, `users`.`company_id`, ` users`.`country`, `users`.`created_at`, `users`.`deleted_at`, `users`.`department_id`, `users`.`email`, `users`.`employee_num`, `users` .`first_name`, `users`.`id`, `users`.`jobtitle`, `users`.`last_login`, `users`.`last_name`, `users`.`locale`, `users`.` location_id`, `users`.`manager_id`, `users`.`notes`, `users`.`permissions`, `users`.`phone`, `users`.`state`, `users`.`two_factor_enrolled` , `users`.`two_factor_optin`, `users`.`updated_at`, `users`.`username`, `users`.`zip`, `users`.`remote`, `users`.`ldap_import`, ` users`.`start_date`, `users`.`end_date`, `users`.`vip`, `users`.`autoassign_licenses`, (select count(*) from `assets` where `users`.`id` = `assets`.`assigned_to` and `assets`.`assigned_type` = 'App\Models\User' and `assets`.`company_id` = 1) as `assets_count`, (select count(*) from `licenses` inner join `license_seats` on `licenses`.`id` = `license_seats`.`license_id` where `users`.`id` = `license_seats`.`assigned_to` and `licenses`.`deleted_at` is null and `licenses` .`company_id` = 1) as `licenses_count`, (select count(*) from `accessories` inner join `accessories_users` on `accessories`.`id` = `accessories_users`.`accessory_id` where `users`.`id ` = `accessories_users`.`assigned_to` and `accessories`.`company_id` = 1) as `accessories_count`, (select count(*) from `consumables` inner join `consumables_users` on `consumables`.`id` = ` consumables_users`.`consumable_id` where `users`.`id` = `consumables_users`.`assigned_to` and `consumables`.`company_id` = 1) as `consumables_count` from `users` where `users`.`company_id` = 1 and `users`.`deleted_at` is null order by `first_name` asc limit 20 offset 0`

So this test user and 4-5 manually added users in the beginning have the same company_id. The others don't have any company_id. And the company_id is not obtained from LDAP. All LDAP users that sync come without a company_id. If I fix them manually later, they remember the company_id and on the next sync, the company_id remains saved. On the other hand: In the ADserver, the "Company" field is entered in all users, but I think it is not involved in the synchronization. (this can be checked later, but is not important)

The super user doesn't depend on company_id inheriting. The super user can see all company_id's

the simple solution I can think of is to allow defined users (AND GROUPS!) to be able to participate in two or more companies. So that they can see everything that depends on company_id. It doesn't sound very logical, but company_id is also not used in the right way.

But why two or more companies in the first place? The problem I was trying to solve is that: We have an asset that is ours, but we proved to a different company to use them for support purposes. These are tablets that have specific software. So I assigned a specific user from the support department who should be able to manage these devices and only see them. Because restriction in the level of department_id is not working as we expect...

And now we need to add a user who can see all users and assets - of all "companies" - The auditors in this case. But without being able to touch them. I.e. only with read rights.

And in this situation, there is no way to add it in both "companies"...

Side issue: (1 blue arrow) The test user, even though he doesn't have the right to export and even though he only sees 5(8?) users - because they are from the same company - ... when he clicks the "Export" button in the people tab - it exports all users ... ?! ...?! ... Yes.. all users are visible in the file.

[voklav]

Are there plans to fix permissions in version 7?

-_- for now "Full Multiple Companies Support" is disabled and we hope the support guy doesn't mess things up...