I made a slight change to the modules which allows Company allow/deny rules to affect projects, contacts, etc. You won't want to use this universally (such as calendar), but in other areas it helps to greatly reduce the clutter that happens.

The modification is pretty much the same for most modules, so I'll just use the projects for the example.

1. Open up index.php in the /modules/projects/ folder
2. Search for "deny", you should find:

$obj = new CProject();
$deny = $obj->getDeniedRecords( $AppUI->user_id );

3. Add the following line directly after it:

$Companyobj = new CCompany();
$Companydeny = $Companyobj->getDeniedRecords( $AppUI->user_id );

4. Search for "deny" again, you should find:

.(count($deny) > 0 ? "\nAND project_id NOT IN (" . implode( ',', $deny ) . ')' : '')

5. Add the following line directly after it:

.(count($Companydeny) > 0 ? 'and company_id not in (' . implode( ',', $Companydeny ) . ')' : '')

That's it! Pretty simple cut and paste coding, but you get the general idea.

I hope that in the next version (since permissions appear to be on the work table), that some sort of inheritance is incorporated. For example, if I deny someone from "CompanyA", they shouldn't be able to see ANYTHING from company A, with the only exception as I noted above, in regards to the calendar. Furthermore, if I disallow someone from a particular Project, they shouldn't be able to see Tasks with in it.

Hopefully this helps some others out there that were frustrated with permissions as I was.

I believe that permissions are supposed to be inherited.

I've run into some of the same things.

For example, my wife is denied access to my company and I to hers. Somehow, we both see all of each other's projects and can view all of the tasks.

Arg.

That would make sense that it would be implemented in that way, but in practice (and in the code I've look through), that isn't the case. It actually only checks for permissions to do things in a few areas - some sections (such as the task list) take a bit more work to get them to understand/use the permission...

NewMedia42

You small hack is great. It works like a champ for project permissions. I don't write in PHP, but I wanted to point out to you if you deny a user to all projects from companies which they are not a part of, I can still see the tasks from all those companies by going to Tasks then choosing "All Companies" and "All Tasks". Is it possible to change this by using the same code you posted earlier; after changing some variable names of course. I'd like to allow users to create their own tasks, which means they need read-write access, but I'd like to deny them from seeing all the other companies tasks.

Any help is appreciated.
Cheers,
PJT

To be able to add tasks, the user needs read/write access to the project.

This is due to the fact that the addition/modification/removal of a task has a direct impact on the characteristics of the project.

In the new permissions ( latest CVS) if I put a deny permissions for a company to a user he is also not able to see the projects. But I have a problem here becuase the whole permission system is on denial basis rather than allow basis, so everytime I add a company/project I need to put a deny to every user otherwise everybody will have the permissions.
Can somebody will help me on this if I am making any mistakes here.
Thanks