Getting "Not authorized" message when clicking New button from Incident List view

reginabautista
Kilo Sage

Hi guys,

I have introduced a new role called "3rd_party_suppliers" to allow 3rd party users to create and manage their own incidents. I did not give users the itil role.

There's a weird behaviour when I try to create an incident using the New button from the list view: I get the error "Not authorized". I'm pretty sure it's not an ACL issue, as the "Create New" button on the module menu is working. Has anyone come across this issue? Thanks

When I inspected the URL this is what I am getting. Where did the com.glideapp.servicecatalog_cat_item_view come from??

https://mydev.service-now.com/com.glideapp.servicecatalog_cat_item_view.do?sysparm_id=3f1dd0320a0a0b...

When I impersonated a user with ITIL role this is the URL that I am getting:

https://mydev.service-now.com/nav_to.do?uri=incident.do?sys_id=8a908779373bfa00a15e19a543990e34


1 ACCEPTED SOLUTION

It's in the code of the New button (UI Action) to do this.



Here's the script from an OOB Instance:


// "New" UI Action script: decide where the button sends the current user.
// The role test below only selects a redirect target. Nothing in this script
// grants or denies access; the destination page presumably applies its own
// checks (ACLs, catalog item availability) - confirm on the instance.
if (!gs.hasRole('itil')) {
  // Users without the itil role are sent to a catalog item identified by a
  // hard-coded sysparm_id. If that item is inactive or not visible to the
  // user, the failure surfaces on the target page, not here.
  action.setRedirectURL("com.glideapp.servicecatalog_cat_item_view.do?sysparm_id=3f1dd0320a0a0b99000a53f7604a2ef9");
} else {
  var uri = action.getGlideURI();

  // Coerce to a JavaScript string, then drop the last five characters of the
  // file name and append '.do' (presumably turning the list page name into
  // the form page name - TODO confirm).
  var path = uri.getFileFromPath() + '';
  path = path.substring(0, path.length - 5) + '.do';

  // '-1' is presumably the platform's marker for a record that does not exist yet.
  uri.set('sys_id', '-1');

  // checkWizard returns null when no redirect should be issued, the form path
  // when no interceptor applies, or the wizard page otherwise.
  path = checkWizard(uri, path);
  if (path) {
    action.setRedirectURL(uri.toString(path));
  }

  action.setNoPop(true);
}




/**
 * Decide which page the "New" action should open and, when a wizard
 * interceptor exists for the target, rewrite the URI parameters for it.
 *
 * @param {Object} uri  URI object of the current action; modified in place.
 * @param {string} path Target form page (for example 'incident.do').
 * @returns {?string} null when the request is already following a wizard,
 *     `path` unchanged when no interceptor is found, otherwise 'wizard_view.do'.
 */
function checkWizard(uri, path) {
  // Loose equality is kept on purpose: uri.get() may hand back a non-primitive
  // string object in this runtime - confirm before tightening to ===.
  var wizardAction = uri.get('WIZARD:action');
  if (wizardAction == 'follow') {
    return null;
  }

  var interceptId = new GlideappWizardIntercept(path).get();
  if (interceptId) {
    uri.set('sysparm_parent', interceptId);

    // Strip list/record context so it is not carried into the wizard.
    uri.deleteParmameter('sysparm_referring_url');
    uri.deleteMatchingParameter('sysparm_list_');
    uri.deleteMatchingParameter('sysparm_record_');
    uri.deleteParmameter('sys_is_list');
    uri.deleteParmameter('sys_is_related_list');
    uri.deleteParmameter('sys_submitted');
    uri.deleteParmameter('sysparm_checked_items');
    uri.deleteParmameter('sysparm_ref_list_query');
    uri.deleteParmameter('sysparm_current_row');

    // The referring URL is captured after the deletions above, so it holds the
    // cleaned URI (including sysparm_parent), not the original request.
    uri.set('sysparm_referring_url', uri.toString());

    // These are removed only after the referring URL has been recorded.
    uri.deleteMatchingParameter('fancy.');
    uri.deleteMatchingParameter('sys_rownum');
    uri.deleteMatchingParameter('sysparm_encoded');
    uri.deleteMatchingParameter('sysparm_query_encoded');
    uri.deleteParmameter('sysparm_refer');

    return 'wizard_view.do';
  }

  // No interceptor for this target: open the form directly.
  return path;
}



So it checks whether you have the itil role and, if so, redirects you to the form as normal. Otherwise, you get redirected to the catalog item in the else branch. That sys_id is for the "Create a New Incident" Record Producer: /sc_cat_item_producer.do?sys_id=3f1dd0320a0a0b99000a53f7604a2ef9



But now I'm starting to think about that interceptor code. I wonder whether it's worth checking that Record Producer first and, failing that, moving on to the interceptor part of the code.



7 REPLIES 7

Also why I am being directed to a Record Producer? It should open the Incident form...


It's in the code of the New button (UI Action) to do this.



Here's the script from an OOB Instance:


// "New" UI Action script: pick the redirect target for the current user.
// The itil role test is a routing decision only. This script performs no
// authorization of its own; access to the destination is presumably enforced
// by the page it redirects to - confirm on the instance.
if (!gs.hasRole('itil')) {
  // Non-itil users go to a catalog item whose id is hard-coded here. An
  // inactive or restricted item would fail on the target page, not in this script.
  action.setRedirectURL("com.glideapp.servicecatalog_cat_item_view.do?sysparm_id=3f1dd0320a0a0b99000a53f7604a2ef9");
} else {
  var uri = action.getGlideURI();

  // Force a JavaScript string, cut the trailing five characters of the file
  // name and add '.do' (presumably list page name -> form page name - TODO confirm).
  var path = uri.getFileFromPath() + '';
  path = path.substring(0, path.length - 5) + '.do';

  // '-1' presumably marks a record that has not been created yet.
  uri.set('sys_id', '-1');

  // A null result from checkWizard means no redirect is set by this script.
  path = checkWizard(uri, path);
  if (path) {
    action.setRedirectURL(uri.toString(path));
  }

  action.setNoPop(true);
}




/**
 * Work out the page the "New" action should open, preparing the URI for a
 * wizard interceptor when one is registered for the target page.
 *
 * @param {Object} uri  URI object of the current action; changed in place.
 * @param {string} path Target form page (for example 'incident.do').
 * @returns {?string} null if the request is already following a wizard,
 *     `path` as given if no interceptor is found, otherwise 'wizard_view.do'.
 */
function checkWizard(uri, path) {
  // Keep the loose comparison: the value from uri.get() may not be a primitive
  // string in this runtime - confirm before switching to ===.
  var wizardAction = uri.get('WIZARD:action');
  if (wizardAction == 'follow') {
    return null;
  }

  var interceptId = new GlideappWizardIntercept(path).get();
  if (interceptId) {
    uri.set('sysparm_parent', interceptId);

    // Remove list and record context before handing over to the wizard.
    uri.deleteParmameter('sysparm_referring_url');
    uri.deleteMatchingParameter('sysparm_list_');
    uri.deleteMatchingParameter('sysparm_record_');
    uri.deleteParmameter('sys_is_list');
    uri.deleteParmameter('sys_is_related_list');
    uri.deleteParmameter('sys_submitted');
    uri.deleteParmameter('sysparm_checked_items');
    uri.deleteParmameter('sysparm_ref_list_query');
    uri.deleteParmameter('sysparm_current_row');

    // Recorded after the clean-up above, so the referring URL is the reduced
    // URI rather than the full original request.
    uri.set('sysparm_referring_url', uri.toString());

    // Dropped only once the referring URL has been stored.
    uri.deleteMatchingParameter('fancy.');
    uri.deleteMatchingParameter('sys_rownum');
    uri.deleteMatchingParameter('sysparm_encoded');
    uri.deleteMatchingParameter('sysparm_query_encoded');
    uri.deleteParmameter('sysparm_refer');

    return 'wizard_view.do';
  }

  // Nothing intercepts this target, so the form path is used as is.
  return path;
}



So it checks whether you have the itil role and, if so, redirects you to the form as normal. Otherwise, you get redirected to the catalog item in the else branch. That sys_id is for the "Create a New Incident" Record Producer: /sc_cat_item_producer.do?sys_id=3f1dd0320a0a0b99000a53f7604a2ef9



But now I'm starting to think about that interceptor code. I wonder whether it's worth checking that Record Producer first and, failing that, moving on to the interceptor part of the code.


Thanks Shahid, there is indeed a record producer that is involved in the New button within our instance that's causing this issue and that RP is disabled.