Can we block access to the list view of a table?

dave_edgar
Mega Guru

The sys_attachment table can be directly accessed by anyone via the navigator by typing in sys_attachment.list or via /sys_attachment_list.do.

There are various read ACLs to allow users to read the records on the table, but can we find the records in the list view without affecting users accessing the attachments via incidents/task records?

I have used a UI script to remove the icon:

Name - disableIcon
Global - checked

    (function() {
        // Run once after the page has loaded, only on sys_attachment URLs.
        addAfterPageLoadedEvent(function () {
            if (window.location.href.indexOf('sys_attachment') != -1) {
                hideRefIcons();
            }
        });
    })();

    // Hide the record preview (reference) icon on every list row currently rendered.
    function hideRefIcons() {
        $j('a[class="btn btn-icon table-btn-lg icon-info list_popup"]').each(function() {
            $j(this).css("display", "none");
        });
    }


Jon Barnes
Kilo Sage

There should already be an ACL on the sys_attachment table that would mirror the related table's read ACL. If people are able to see attachments for records they otherwise don't have access to, then I suspect there is an issue with your ACLs.

Have your attachment ACLs been customized? I would recommend turning on security debugging, and seeing which ACL gives them read access to the attachment.
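The point made in the reply above, as an added example that is not part of the original thread and is not ServiceNow code: a simplified JavaScript model in which an attachment is readable when its parent record is readable, passing any one read ACL grants access, and the evaluator reports which ACL granted it, as security debugging would. The ACL names, the parent read rule and all records are constructed assumptions.

```javascript
// Simplified model of read-ACL evaluation; not ServiceNow APIs.
// All records, users and ACL names below are constructed for illustration.
const incidents = {
  INC1: { assignedTo: 'alice' },
  INC2: { assignedTo: 'bob' },
};
const attachments = [
  { sysId: 'att1', tableName: 'incident', tableSysId: 'INC1' },
  { sysId: 'att2', tableName: 'incident', tableSysId: 'INC2' },
];

// Hypothetical parent read rule: a user can read incidents assigned to them.
function canReadParent(user, att) {
  const rec = incidents[att.tableSysId];
  return Boolean(rec) && rec.assignedTo === user.name;
}

// Baseline: the attachment read ACL mirrors the parent record's read access.
const baselineAcls = [
  { name: 'mirror_parent_read', check: canReadParent },
];
// Customized: an extra role-only ACL. Passing any one ACL grants read.
const customizedAcls = baselineAcls.concat([
  { name: 'custom_itil_read_all', check: (user) => user.roles.includes('itil') },
]);

// Like security debugging: report which ACL granted access, if any.
function evaluateRead(acls, user, att) {
  const hit = acls.find((acl) => acl.check(user, att));
  return { allowed: Boolean(hit), grantedBy: hit ? hit.name : null };
}

// Rows a list query returns: only those passing a read ACL,
// regardless of which icons or links the UI shows.
function listView(acls, user) {
  return attachments
    .map((att) => ({ sysId: att.sysId, ...evaluateRead(acls, user, att) }))
    .filter((row) => row.allowed);
}

const alice = { name: 'alice', roles: ['itil'] };
console.log(listView(baselineAcls, alice));   // only att1
console.log(listView(customizedAcls, alice)); // att1 and att2, with the granting ACL
```

With the baseline ACL the list holds only the attachment on the user's own record; with the customized set, the `grantedBy` field points at the ACL that exposes the other one.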

dave_edgar
Mega Guru

The best solution I have found is to actually update the sys_attachment list control. By making only the admin role able to filter and select links, as well as using the UI script to remove the find_real_file.png icon, this effectively takes away the ability for anyone to select any attachment unless they are accessing it via a ticket which they already have access to.

😄

job jobbed

This works only on the first page. If you go to the next 100 records, then the icon is there.

vishurajm
Tera Contributor

I was able to hide pagination, but when I sort, the reference icon still appears.

    (function() {
        // Run once after the page has loaded, only on sys_attachment URLs.
        addAfterPageLoadedEvent(function () {
            if (window.location.href.indexOf('sys_attachment') != -1) {
                hideRefIcons();
                hidepagination();
                //disablesort();
            }
        });
    })();

    // Hide the record preview (reference) icon on every list row currently rendered.
    function hideRefIcons() {
        $j('a[class="btn btn-icon table-btn-lg icon-info list_popup"]').each(function() {
            $j(this).css("display", "none");
        });
    }

    // Hide the pagination controls in the list header.
    function hidepagination() {
        $j('div[class="nav navbar-right text-align-right"]').each(function() {
            $j(this).css("display", "none");
        });
    }

    /*function disablesort(){
        $j('th[sortable="true"]').each(function() {
            $j(this).sortable('destroy');
        });
    }*/