Title
Users can view and assign non-group users as Sales Owner in Persons, Leads, Organizations, and Quotes
Description
In Krayin CRM, users are able to see and assign users from other groups in the Sales Owner dropdown when creating or editing:
- Persons
- Leads
- Organizations
- Quotes
This behavior violates the group-based visibility rule. The selection list should only show users from the same group as the logged-in user.
Preconditions
- Group functionality is enabled in Krayin CRM
- Roles and view permissions are configured properly
Steps to Reproduce
- Create 4 users: User A, User B, User C, and User D
- Assign:
  - User A and User B to Group 1
  - User C and User D to Group 2
- Assign a role with view permissions to all users
- Log in as User A
- Navigate to Settings > Roles
  → User A can only see User B (same group) — ✅ expected
- Now go to Persons module and click Edit or Add New Person
- In the Sales Owner dropdown
  → User A is able to see and select User C or User D (from Group 2) — ❌ not expected
Actual Result
Users can see and assign users from other groups in the Sales Owner field.
Video link: https://webkul.chatwhizz.com/share/view-recording/6866853a60a49a7d0b6eae90
Expected Result
Only users from the same group should be visible in the Sales Owner dropdown. Cross-group visibility should be restricted.
Impact
This breaks the intended group-based access control and could result in data leaks or unintentional assignments across teams.
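
The rule in the Expected Result, sketched as an added example that is not Krayin CRM code and not part of the original report: the same group scope is applied when building the Sales Owner list and again when the submitted owner id is saved. The function names, the user-to-group map, and the assumption that "same group" means sharing at least one group are all hypothetical.

```php
<?php
// Added illustration; not Krayin CRM code. All names and data are hypothetical.

// Constructed sample data mirroring the issue's setup: user id => group ids.
const USER_GROUPS = [
    1 => [1], // User A
    2 => [1], // User B
    3 => [2], // User C
    4 => [2], // User D
];

/** Ids of users sharing at least one group with $actorId (actor included). */
function assignableOwnerIds(int $actorId, array $userGroups): array
{
    $actorGroups = $userGroups[$actorId] ?? [];
    $ids = [];
    foreach ($userGroups as $userId => $groups) {
        // Assumption: any shared group makes the user assignable.
        if (array_intersect($actorGroups, $groups) !== []) {
            $ids[] = $userId;
        }
    }
    return $ids;
}

/**
 * Server-side check for the submitted Sales Owner id. Scoping only the
 * dropdown is not enough: the id arrives in the request body and can be
 * any value, so the write path must apply the same rule.
 */
function assertOwnerAssignable(int $actorId, int $ownerId, array $userGroups): void
{
    if (!in_array($ownerId, assignableOwnerIds($actorId, $userGroups), true)) {
        throw new DomainException("User $ownerId is outside the actor's groups");
    }
}

// Dropdown contents for User A: Group 1 members only.
var_dump(assignableOwnerIds(1, USER_GROUPS));

// Saving a record as User A with User C (Group 2) as owner is rejected.
try {
    assertOwnerAssignable(1, 3, USER_GROUPS);
} catch (DomainException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same check would apply to each of the four forms named in the report (Persons, Leads, Organizations, Quotes), and a regression test can follow the Steps to Reproduce with a request that submits a Group 2 user id directly.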