How are sys_attachment entries created through Catalog Variables related to a Parent Request Item?

tahnalos
Kilo Sage

‎09-11-2024 09:48 PM

We have discovered that any time we have a catalog variable of Type attachment, any attachment attached to that variable is sent to sys_attachment table with the table_name of ZZ_YYsc_cart_item after the Request Item is submitted.  This attachment is not visible to non-admin users, and thus anyone trying to open this attachment from the parent Request Item gets a read error.

 

To get around the limitation for non-admin users, we modified the ACL to make those attachments readable when the table_name is ZZ_YYsc_cart_item.  While this solves the access issue, it was pointed out that this gives blanket access to all attachments saved to catalog variables.  Thus the client's security team is asking if there is a way to limit access based on the information on the attachment entry.  Unfortunately, none of the sys_ids present on the table_sys_id field on the sys_attachment form matches with any entry on either the sc_req_item or sc_task form. 

Does anyone have an idea how this sys_attachment entry is linked to the parent request item?

 

Thanks

0 Helpfuls
  • 829 Views
8 REPLIES 8

Paul Curwen
Giga Sage

‎09-12-2024 02:54 AM

Table sc_item_option_mtom table stores the association between all variable types and their parent record

***If Correct/Helpful please take time mark as Correct/Helpful. It is much appreciated.***

Regards

Paul
0 Helpfuls

tahnalos
Kilo Sage
In response to Paul Curwen

‎09-12-2024 08:04 AM

No, this isn't correct.  While the sc_item_option_mtom table does handle the association between all variable types and the parent record, there is no link between the parent record and the attachment which is what I'm looking for.

0 Helpfuls

Mani A
Tera Guru

‎09-12-2024 04:59 AM - edited ‎09-12-2024 08:55 AM

var gr = new GlideRecord('sys_attachment');
gr.addQuery('table_name', 'ZZ_YYsc_cart_item');
gr.query();
while (gr.next())
{
var parentSysId = gr.table_sys_id
var parentGr = new GlideRecord('sc_req_item'); // or 'sc_task'
if (parentGr.get(parentSysId)) {
gr.table_name = parentGr.getTableName();
gr.update();
}
}

 

Read ACL on attachment table : Example ACL Script:

var parentSysId = curent.table_sys_id;
var parentGr = new GlideRecord('sc_req_item'); // or 'sc_task'
if (parentGr.get(parentSysId))
{
if (parentGr.hasAccess() || gs.getUser().hasRole('admin'))
{
return true
}
return false;
0 Helpfuls

tahnalos
Kilo Sage
In response to Mani A

‎09-12-2024 08:06 AM

Do appreciate the scripting however, this is assuming that we want to move the attachments from the catalog variable to the parent sc_task or sc_req_item.

 

I just confirmed that this is defintely NOT the case.  Due to requirements, they want to keep the variable attachments where they are as it is generally understood that attachments that are to be sent back to the requester will be attached to the sc_task or sc_req_item.

0 Helpfuls