How can I restrict a user's ability to insert images into the db_images table?

HugoFirst
Kilo Sage

I need to restrict users from inserting images into the db_images table.

The use case is this: Users need to insert images into an HTML text field in an incident form. I want to force them to attach the images to the incident and not upload them to the library (db_image).

What I've tried:

I modified the ACL to require special roles, but that didn't do the trick.

I even coded the script to always set answer to false. See image below.

People can STILL upload images to db_image whether they have the role or not.

It appears that I cannot restrict write access to this table.

Can anyone tell me how to do this?

Here's how my ACL is currently set up:

db_image_acl.gif

1 ACCEPTED SOLUTION

--------------- Solution Follows ------------------


You need 2 ACLs on the db_image table, one for create and one for write. Put the image_admin role in each and you are good to go.


9 REPLIES

manikorada
ServiceNow Employee

Steve,



Are the users actually able to upload the images? Like, though the icon is visible to them, maybe they will not be able to upload.


uluerje
Mega Expert

There should be a 'Create' ACL on the db_image table that restricts users from inserting images unless they have the image_admin role. If they don't have that role and they try to insert an image into the HTML field, the 'New' button next to the image field will not be visible, and they will then either have to search for an existing image (if they have the permissions) or upload it as an attachment, which would then be connected to the incident as an attachment. I'd check the Create ACL on the db_image table.



Without role:


download.png




With role:


download (1).png


Jessica, I really like your solution, but it doesn't seem sufficient for me.


I created a create ACL and I added the image_admin role.


In an attempt to fully disallow new images, I even set the script to answer=false.


But the new button continues to appear and non-licensed people can still add images to the image library at db_images.


Here's the ACL:


create_acl.gif



Here's the popup with the "New" button (still!).


popup.gif



I turned on debugging of Security Rules, but the output doesn't even show the create rule when viewing an incident record.


I even display the list for "db_image.list" as an unlicensed user, and the ACL isn't mentioned in that list.


While no fields actually are displayed, there is a line per image and the "New" button appears on that list.


I'm not very knowledgeable about debugging the ACLs, though I have searched it on the wiki.


Perhaps I can get some pointers?



EDIT: Did I mention that I am on Eureka Patch 11? Don't know if that is significant. But I thought it worth mentioning.


You need to move the ACL to the table level - replace the * with none.



download (2).png
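
An added example, not part of the original thread and not ServiceNow code: a stand-alone JavaScript check for the configuration the replies arrive at (create and write rules on db_image at table level, each requiring image_admin). The row shape, the sample rows and the function names are assumptions made for this example.

```javascript
// Constructed sample rows: a simplified export of ACL rules (the shape is an assumption).
// The create rule is named "db_image.*", the field-level form discussed in the thread.
const sampleAcls = [
  { name: "db_image.*", operation: "create", active: true, roles: ["image_admin"] },
  { name: "db_image", operation: "write", active: true, roles: ["image_admin"] },
  { name: "db_image", operation: "read", active: true, roles: [] },
];

// Split "table.field" into its parts; a name with no dot is a table-level rule.
function parseAclName(name) {
  const dot = name.indexOf(".");
  return dot === -1
    ? { table: name, field: null }
    : { table: name.slice(0, dot), field: name.slice(dot + 1) };
}

// For each operation, report why the table is not restricted to `role`:
//   "missing"           - no active rule for the operation at all
//   "field-level-only"  - rules exist, but only as table.field or table.*
//   "role-not-required" - a table-level rule exists that does not list the role
function auditTableAcls(acls, table, role, operations) {
  const findings = [];
  for (const operation of operations) {
    const rules = acls
      .filter((a) => a.active && a.operation === operation)
      .map((a) => ({ ...a, ...parseAclName(a.name) }))
      .filter((a) => a.table === table);
    const tableLevel = rules.filter((a) => a.field === null);
    if (tableLevel.length === 0) {
      const issue = rules.length > 0 ? "field-level-only" : "missing";
      findings.push({ operation, issue });
    } else if (!tableLevel.every((a) => a.roles.includes(role))) {
      findings.push({ operation, issue: "role-not-required" });
    }
  }
  return findings;
}

console.log(auditTableAcls(sampleAcls, "db_image", "image_admin", ["create", "write"]));
```

An empty result means both operations have a table-level rule that lists the role; inactive rules are ignored.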