Help with script to hide attachments section in header on form

Marcel H_ · ‎12-17-2024

I have a requirement to hide the attachments in the header of a form, as well as the attachment icon (paperclip) when the form loads, and the user isn't a member of a specific group. I already have the group membership portion working to hide form sections and related lists but haven't been able to get the actual attachments to hide. I created a new script just for to see if I can hide the attachments, but still no luck.

Here is what I have currently, which is hiding the paperclip icon as expected, but the actual attachments are still shown. Isolate script in unchecked.

function onLoad() {

g_form.disableAttachments();
document.getElementById('header_attachment').style.display = 'none';
document.getElementById('header_attachment_line').style.display = 'none';

}

When loading form attachments are still displayed, but paperclip is hidden:

Sandeep Rajput · ‎12-17-2024

@Marcel H_ Instead of hiding the attachments macro/control via a client script, you should create read and create ACLs on the sys_attachment table. These ACLs should check for table in conditions and grant access only if the user has correct role. This way the entire macro will be hidden from the user.

Marcel H_ · ‎12-18-2024

@Sandeep Rajput Currently I'm controlling visibility of form sections using the following client script. The script gets the grpMem value from a business rule that does the following:

BR:

g_scratchpad.grpMem = gs.getUser().isMemberOf(current.getValue('owner_team')) || (current.getValue('owner_team') == '') || mem == true;

Client Script:

function onLoad() {

    // Check if the form is not a new record AND a custom scratchpad value 'grpMem' is not set.
    if (!g_form.isNewRecord() && !g_scratchpad.grpMem) {

        // Retrieve all editable fields on the form
        var fields = g_form.getEditableFields();

        // Loop through each editable field
        for (var x = 0; x < fields.length; x++) {
            // Set the field as not mandatory
            g_form.setMandatory(fields[x], false);
            // Make the field read-only
            g_form.setReadOnly(fields[x], true);
        }

        g_form.setSectionDisplay("address_information", false); // Hide the 'Address Information' section
        g_form.setSectionDisplay("audit_history", false); // Hide the 'Audit History' section
        g_form.setSectionDisplay("contact_information", false); // Hide the 'Contact Information' section
        g_form.setSectionDisplay("description", false); // Hide the 'Description' section
        g_form.setSectionDisplay("files", false); // Hide the 'Files' section
        g_form.setSectionDisplay("history", false); // Hide the 'History' section
        g_form.setSectionDisplay("important_dates", false); // Hide the 'Important Dates' section
        g_form.setSectionDisplay("milestones", false); // Hide the 'Milestones' section

        // Hide all related lists on the form
        g_form.hideRelatedLists();

        /*
        Uncomment the following lines if you want to selectively hide specific related lists:
        g_form.hideRelatedList("REL:4fbc203f1b53e15069fecddf034bcba5");
        g_form.hideRelatedList("REL:320ff1e01b4fe95086015573604bcb22");
         */
    }
}

Could an ACL check the value of grpMem in the scratchpad and hide the attachments if the user isn't a member, but then show if they are?

Marcel H_ · ‎12-18-2024

I ended up doing the following: Created an extended script include:

Script Include:

var ExtendedAttachmentSecurity = Class.create();
ExtendedAttachmentSecurity.prototype = Object.extendsObject(AttachmentSecurity, {
    canRead: function(current, grpMem) {
        // Custom logic for 'x_waem2_crm_contacts' table
        if (current.table_name == 'x_waem2_crm_contacts' && 
            current.sys_id && // Ensure the record is not new
            !grpMem && 
            gs.getSession().isInteractive()) {
            return false;
        }
        
        // Call the base class logic
        return AttachmentSecurity.prototype.canRead.call(this, current);
    },

    type: 'ExtendedAttachmentSecurity'
});

Then created a new Read ACL on the sys_attachment table and call the new script include in the ACL script:

(function executeRule(current) {
    // Retrieve the value from g_scratchpad on the client-side
    var grpMem = g_scratchpad.grpMem;

    // Call the script include with the scratchpad value
    var attachmentSecurity = new ExtendedAttachmentSecurity();
    answer = attachmentSecurity.canRead(current, grpMem);
})(current);

Now this works as expected in my development environment that was recently upgraded to Xanadu, but when moving the new records to my test environment (Washington DC version) via update set it no longer works. I'm not sure why that's the case unless something fundamental changed with ACLs in Xanadu.

Sandeep Rajput · ‎12-18-2024

@Marcel H_ This is expected as ACLs on the Xanadu release has some additional fields which Washington doesn't. I recommend you to build these ACLs from scratch on the test instance (which may not be inline with your DevOps policies).

As a best practice, we keep all our instances on the same release to avoid such compatibility issues.