ACL check in UI Action condition
06-28-2023 08:52 AM
Hi there,
I'm working with a UI Action for demand records and I need to accomplish this requirement: any role that doesn't have write permissions should not be able to see the button.
So... I need the UI Action condition to check ACL permission (I have modified some demand ACLs) but I don't know how to do it.
I don't have much experience working with current.canWrite() and this kind of function.
Any suggestions?
06-28-2023 09:00 AM - edited 06-28-2023 09:20 AM
This isn't comparing to an AC...this is only checking for the demand_manager role, which is also what an AC does...this condition will only make sure the demand is in an "in progress" state and that the person who is logged in has the "demand_manager" role (you can check this via related list on sys_user table).
Adjusting the "can write" AC is not going to do anything with this UI Action besides (perhaps) making it seem like they can use it, when they don't have an AC to allow it (depending on what the action is doing, that is).
To accomplish your goal, you need to use the "canWrite" attribute instead of "hasRole" -- and don't specify/pass anything in the "canWrite" function...just "gs.canWrite() && current.state == 2"
^^ unless you want them to have write AC AND demand_manager role specifically, then add the "&& gs.canWrite()" to the end of what you already had.
06-28-2023 11:19 AM
Your last 2 paragraphs are what I'm asking about but it doesn't work 😞 the button is not showing for any role, including roles with write permissions. I changed the statement to "current.canWrite()" but again it does not work.
In the ACL, the script condition to write is 'belong to the assignment group'. Maybe I can try directly adding a condition for group members in the UI Action, but I don't know how to write the correct statement to do it.
06-29-2023 09:16 AM - edited 06-29-2023 09:18 AM
Hmmm - you definitely want gs.canWrite(), not "current". Current refers to the record for which the UI Action is showing (or not, based on the condition).
I think you are on the right track here - I would recommend a "strict" and "easy to evaluate" write AC on the table (also this needs to be for the table that the UI Action is for -- not sure if that part is clear) - and test it that way.
Perhaps one that restricts write to an obscure role (with no other conditions or scripts) - essentially should restrict anyone - just for testing purposes. Then add that obscure role to a control user, to see if it shows.
Also, make sure it is a table-level AC (table_name) as opposed to field-level (table_name.*) or (table_name.field_name)...and you may need to check for other write ACs associated with that table, as the LEAST restrictive AC will rule the UI Action condition.
...so if you have a write AC for "table_name" role=obscure_test_role and another for "table_name.*" role=itil, users may see the UI Action after "canWrite" evaluates for them, if they have "itil" role, but not "obscure_test_role".
I hope this helps!
06-28-2023 09:04 AM
Hello @Leonel Sandroni
As per the screenshot, your condition syntax looks correct; the UI Action will be visible only if the user has the demand_manager role and state == 2. So could you please explain what is not working?
Thank you!