How can I restrict Read access to records via ACL, based on a User's Location?

Community Alums · ‎11-16-2018

Hey All,

I'm trying to build an ACL structure for a scoped application, and one of my requirements is that my users should only be able to see/read records in an Inventory that are assigned to their location. My thoughts are to use an Advanced Script in my Table.None Read ACL:

var user = gs.getUser();
if (user.location == current.location) {
	answer = true;
}
else answer = false;

But despite verifying that the User's Location (Location 5150) reference was equivalent to the Records' Location (Again, Location 5150), the script returns false every time (and to my frustration, I have no way to log it - gs.info, warn, etc. statements don't output anything, and I can't use gs.log() because scoped app).

I've also tried cut+pasting the script into my Table.* Read ACL, and it ends up only blocking Read access to the Location reference field, which is even stranger to me.

The overall structure that I have in place isn't too crazy or complex - I only have one other Read ACL in the system, without any scripts or conditions, and it's unrelated to the role I'm trying to restrict. I should also mention - the Locations referenced are from the cmn_location table, and the ACL I'm running is for a custom table within my scoped application.

So, here I am now - wondering if I'm even approaching this problem the right way haha. Could you folks help me out? Is it just because the GlideRecord object I refer to in the script isn't for each specific record, or..? For that matter, why am I not able to use logs for this issue?

Much appreciated,

Vellv

Community Alums · ‎11-19-2018

Got it!

This ended up being my final code:

//If the user is trying to read a record that doesn't relate to their store, the system should reject it. 
var user = gs.getUserID();
var gr = new GlideRecord('sys_user');
gr.get('sys_id', user);
gs.addInfoMessage('gr.location = '+gr.location+'; current.store_location: '+current.store_location);

if (gr.location == current.store_location || current.store_location == '') {
	answer = true;
}
else answer = false;

My initial issue was that I wasn't accessing the current user properly, and thus whenever I tried to compare the user.location to the current.store_location, I always failed (because undefined != sys_id). So, thanks to Nitesh, I was able to fix that, and get the initial script working.

Then, with my user able to read existing records, and the list properly sorted...I couldn't see the form for a new Record. My if statement was just reliant on gr.location == current.store_location, and was missing a clause for a blank record, aka current.store_location == ''. Again, I got confused with some syntax and was trying to check for store_location == undefined (or null), and nothing was working. A blank string, however, solved my final problem.

Thanks to everyone that helped me out!

View solution in original post

Nitesh Balusu · ‎11-16-2018

I think you need to use this to get the current location.

var location = gs.getUser().getLocation();

Also check if gs.getUser() is giving what you need, you might have to use gs.getUserID() sometimes.

both user table and your custom table have a reference field to location table?

Community Alums · ‎11-16-2018

Hey Nitesh,

How do I check to see if gs.getUser() is giving me the right values? One of my issues that led to the creation of this question is that I haven't been able to get any logs to show up from my ACL scripts. Is there a workaround for that?

Nitesh Balusu · ‎11-16-2018

just run a background script:

var a=gs.getUser();

gs.print(a);

if it doesn't work try gs.getUserID();

Community Alums · ‎11-19-2018

Got it, I was able to fix up the script for the most part thanks to that :). Only one problem left, and that's not being able to get into the 'New' form for tables. Everything else, I have access to...