Hi everyone,
I’m using Dolibarr version 20.0.3 and I’ve found an inconsistency in how third parties are filtered for users with restricted access.
Here’s the setup:
I’m using the Eldy menu layout for both internal and external users.
I have several sales reps (non-admin users) with proper permission settings: they should only see third parties assigned to them.
Each third party has its assigned sales representative.
All external modules are disabled, and no custom code was applied.
Here’s the issue:
When a sales rep clicks on “Third parties” from the main (central) menu, they correctly see only their own clients — or none, if not assigned.
But when they use the left sidebar → “List”, they can see the full list of all third parties and contacts, even those not assigned to them.
However, if they click on any third party they’re not allowed to see, access is correctly denied (permission error).
So permissions are working when opening a record, but the list itself is not filtered properly in the “List” view (most likely societe/list.php).
Has anyone experienced this? Is this a bug in how the Eldy menu loads that view? Or is there a known workaround to force the list to respect user permissions?
I am also using Eldy as default, but the behavior is different here. The users can’t see other users assigned third parties.
The workaround I used was to create a specific third-party for specific users. This way, even if the user shares something in common with the third party, they can’t see each other work.
It is madness if we have a lot of third parties. Hopefully, it is not my case.
I don’t know if this clue may help you. Sorry for not being more useful.
Just to update: in the end, I resolved the issue by upgrading to the latest version of Dolibarr (v21).
Now the list view correctly respects user permissions, and sales users only see their assigned third parties — even from the left sidebar “List” link.
Unfortunately, I lost some functionalities from third-party add-ons that are not (yet) compatible with version 21, but the permission behavior is now working as expected.