[Dolibarr 20.0.3] Sales users see all third parties via “List” (Eldy menu), even if not assigned

Hi everyone,
I’m using Dolibarr version 20.0.3 and I’ve found an inconsistency in how third parties are filtered for users with restricted access.

Here’s the setup:

  • I’m using the Eldy menu layout for both internal and external users.
  • I have several sales reps (non-admin users) with proper permission settings: they should only see third parties assigned to them.
  • Each third party has its assigned sales representative.
  • All external modules are disabled, and no custom code was applied.

Here’s the issue:

  • When a sales rep clicks on “Third parties” from the main (central) menu, they correctly see only their own clients — or none, if not assigned.
  • But when they use the left sidebar → “List”, they can see the full list of all third parties and contacts, even those not assigned to them.
  • However, if they click on any third party they’re not allowed to see, access is correctly denied (permission error).

So permissions are working when opening a record, but the list itself is not filtered properly in the “List” view (most likely societe/list.php).

Has anyone experienced this? Is this a bug in how the Eldy menu loads that view? Or is there a known workaround to force the list to respect user permissions?

Thanks a lot in advance for your help!

— Graziano

Did you set the proper user permissions?

If you enable to “Extend access to all third parties”, any user will be able to see “all third parties”.

Hi, thanks for your reply!

Yes, I double-checked that setting.
The option “Extend access to all third parties” is not enabled, and the permissions are set correctly.

In fact, users cannot open third parties that are not assigned to them — they get a “Permission denied” error, which is expected.

The issue happens only in the “List” view (left sidebar) using the Eldy menu: it displays all third parties, even though the user can’t access them.

So it seems the list view doesn’t filter based on user permissions, but the individual record view does.

Thanks again for your input — any other ideas are welcome!

I asked a similar question here: Hide client to commercial, not a full solution so far.

I am also using Eldy as default, but the behavior is different here. The users can’t see other users assigned third parties.

The workaround I used was to create a specific third-party for specific users. This way, even if the user shares something in common with the third party, they can’t see each other work.

It is madness if we have a lot of third parties. Hopefully, it is not my case.

I don’t know if this clue may help you. Sorry for not being more useful.

has an issue been filed at github?

Just to update: in the end, I resolved the issue by upgrading to the latest version of Dolibarr (v21).
Now the list view correctly respects user permissions, and sales users only see their assigned third parties — even from the left sidebar “List” link.

Unfortunately, I lost some functionalities from third-party add-ons that are not (yet) compatible with version 21, but the permission behavior is now working as expected.

Hope this helps others with a similar issue!

— Graziano

Not that I know. I haven’t. Should I?

Good to know there’s a solution!
There are 2 releases for Version 21, which one you used?
Thanks!

I think with the solution then it has been fixed, so no need for another issue on github

1 Like

21.0.1

21.0.1