ACL not working for Itil user

ABC6
Tera Contributor

Hi All,
I have a requirement where an itil user should not be able to edit the property field, for which I have created a write ACL with the code below, and it's not working. Please help me get this issue resolved.

var checkRoles = gs.getSession().getRoles();
var userRole = current.getDisplayValue('u_property.u_company_roles');
var currentLoggedInUser = gs.getUser().hasRole('itil');
if (!current.isNewRecord()) {
    if (currentLoggedInUser && checkRoles.indexOf(userRole) == -1) {
        gs.log("razTest: Role " + userRole + " is not in session roles.");
        answer = false;
    }
    else if (checkRoles.indexOf(userRole) !== -1) {
        answer = true;
    }
}
6 REPLIES

Simon Christens
Kilo Sage

Hi,

Try checking if you get what you expect in

var userRole = current.getDisplayValue('u_property.u_company_roles');

Do you expect company_roles to be 1 or several roles? Because if it's x,y,z then the exact order of the roles also comes into consideration. Maybe you need to loop through each of the roles for additional checks.

Try using a background script to make some initial tests with your own user so that you can check what's going on regarding userRole and checkRoles.

Yes,

var userRole = current.getDisplayValue('u_property.u_company_roles');


It is giving us the expected results.

It's a bit hard for me to confirm that this works, but try it out.

Also remember to set answer if it's a new record.

var checkRoles = gs.getSession().getRoles();
var userRole = current.getDisplayValue('u_property.u_company_roles').split(',');
var currentLoggedInUser = gs.getUser().hasRole('itil');
var answer;
if (!current.isNewRecord()) {
    // If there are more roles in u_company_roles we need to go through each of them
    for (var i = 0; i < userRole.length; i++) {
        if (currentLoggedInUser && checkRoles.indexOf(userRole[i]) == -1) {
            // If answer becomes true then the user does have a company_role not being an itil user, so we stop
            if (answer == true) {
                break;
            }
            gs.log("razTest: Role " + userRole[i] + " is not in session roles.");
            answer = false;
        } else if (checkRoles.indexOf(userRole[i]) !== -1) {
            answer = true;
        }
    }
}
// What if it's a new record? Then you need to set answer to either true or false
gs.info(answer);

It is also giving access to the itil user, which I don't want. I have made a dynamic solution to handle the company property, so I made a list type field and gave the user_adv_admin role on that field and checked if those restricted properties have a role. If it's a user_adv_admin user then all fields should be editable, and if it is itil then the property field is grayed out for existing records.
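
An added example, not code from any poster in this thread: the role comparison discussed above, written as a pure function that always returns a boolean and compares whole role names instead of substrings, so it can be tested outside the instance. It assumes both role lists arrive as comma-separated strings, that a property with no roles listed is unrestricted, and that the restriction applies to existing records only; `parseRoles` and `canWriteProperty` are hypothetical names.

```javascript
// Added example: decision logic only, runnable in Node. Names are hypothetical.

// Split a comma-separated role string into exact, trimmed role names.
// Trimming covers lists rendered as "a, b" as well as "a,b".
function parseRoles(csv) {
    return String(csv || '')
        .split(',')
        .map(function (r) { return r.trim(); })
        .filter(function (r) { return r.length > 0; });
}

// Returns true or false on every path, so the ACL never ends with an unset answer.
function canWriteProperty(sessionRolesCsv, requiredRolesCsv, isNewRecord) {
    // Assumption: the restriction applies to existing records only.
    if (isNewRecord) {
        return true;
    }
    var required = parseRoles(requiredRolesCsv);
    // Assumption: a property with no roles listed is unrestricted.
    if (required.length === 0) {
        return true;
    }
    var held = parseRoles(sessionRolesCsv);
    // Exact match per role name; holding any one listed role is enough.
    // String.indexOf on the raw CSV would also match "admin" inside
    // "user_adv_admin", which is why both sides are split first.
    return required.some(function (role) {
        return held.indexOf(role) !== -1;
    });
}

// How it would be wired into the ACL script from the thread (not run here):
// answer = canWriteProperty(
//     gs.getSession().getRoles(),
//     current.getDisplayValue('u_property.u_company_roles'),
//     current.isNewRecord());

// Constructed sample sessions for a quick check outside the instance.
var ITIL_SESSION = 'itil,snc_internal';
var ADV_SESSION = 'itil,user_adv_admin,snc_internal';
console.log(canWriteProperty(ITIL_SESSION, 'user_adv_admin', false));
console.log(canWriteProperty(ADV_SESSION, 'user_adv_admin', false));
```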