Restrict attachment deletion

kunal16
Tera Expert

I want to restrict the removal of attachments from a change request record. If the current logged in user is not Assigned to, OR not Requester, OR not a member of assignment group, THEN the same user should not be able to remove the attachments (using Manage attachment link on the change request form). How can this be achieved?

1 ACCEPTED SOLUTION

I haven't had a chance to debug but does something like this work:


// Place this inside the ACL script's function (the return statements need one)
// Check if change_request table
if (current.table_name == "change_request") {
  // Look up the particular change request so we can see the assigned to
  var gr = new GlideRecord("change_request");
  // current.table_sys_id gives us the sys_id of the change request record
  gr.addQuery("sys_id", current.table_sys_id);
  gr.query();
  if (gr.next()) {
    // If the person assigned to the change is the user checking the permissions, return true
    if (gr.assigned_to == gs.getUserID()) {
      return true;
    }
    else {
      return false;
    }
  }
  else {
    // No matching change request was found
    return false;
  }
}



You can toss in some gs.log's or something in there too to see where it is getting in the logic. But without testing it, I think the concept like above will work.


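The accepted solution checks only Assigned to, while the question also lists the requester and assignment-group members. The following is an added example, not code from the thread, that evaluates all three conditions and fails closed when the parent change cannot be found. The `requested_by` field name, passing the group sys_id to `isMemberOf()`, the function names, and the stub `gs`/`GlideRecord` objects with their sample record are assumptions constructed so the logic runs under Node.

```javascript
// Added example: decide whether the current user may delete an attachment
// on a change_request. gs and GlideRecord are passed in so the function
// runs in a ServiceNow ACL script (real globals) or under Node (stubs below).
function canDeleteChangeAttachment(attachment, gs, GlideRecord) {
  if (String(attachment.table_name) !== "change_request")
    return null; // other tables: leave the decision to the existing ACL logic
  var chg = new GlideRecord("change_request");
  if (!chg.get(attachment.table_sys_id))
    return false; // parent change not found: fail closed
  var me = gs.getUserID();
  if (String(chg.assigned_to) === me) return true;
  // Assumption: requested_by is the field that holds the requester.
  if (String(chg.requested_by) === me) return true;
  // Assumption: isMemberOf() is given the assignment group's sys_id.
  var group = String(chg.assignment_group);
  return group !== "" && gs.getUser().isMemberOf(group);
}

// Constructed sample record and stubs (not from the thread) for offline runs.
var CHANGES = {
  chg1: { assigned_to: "u_alice", requested_by: "u_bob", assignment_group: "g_cab" }
};
function StubGlideRecord(table) { this.table = table; }
StubGlideRecord.prototype.get = function (sysId) {
  var row = CHANGES[sysId];
  if (!row) return false;
  Object.assign(this, row);
  return true;
};
function stubGs(userId, groups) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return { isMemberOf: function (g) { return groups.indexOf(g) !== -1; } };
    }
  };
}
// Evaluate the rule for one user against one sys_attachment-like row.
function check(userId, groups, attachment) {
  return canDeleteChangeAttachment(attachment, stubGs(userId, groups), StubGlideRecord);
}
var att = { table_name: "change_request", table_sys_id: "chg1" };
console.log(check("u_alice", [], att), check("u_dave", ["g_other"], att));
```

Inside a delete ACL on sys_attachment the call would be `canDeleteChangeAttachment(current, gs, GlideRecord)`, with a `null` result meaning the existing logic for other tables should decide.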

12 REPLIES

TrevorK
Kilo Sage

There may very well be better ways, but you can adjust the ACL (or add a new one). We do this for attachments on a certain table, restricting those who can delete to people with a certain role. This seems like exactly what you are looking for. You can just adjust the logic to whatever you want:





(there is another "}" missing - I just copied the first bit of the code)


Hi Trevor, I tried modifying the Delete ACL (sys_attachment table), but it didn't work out. I guess there's a bit of customization needed on the attachment UI page. Correct me if I'm wrong.


ACL should work. In fact, we use ACL to restrict such deletion of attachments.


Hi Prasanna,


Initially I tried to modify the delete ACL only.



Requirement -


On a change request, if the current logged in user is not present in 'Assigned to', then he/she should not be able to select an attachment (using 'Manage Attachment' button on change request form) and delete it.



answer = getAttachmentDeleteAnswer();

function getAttachmentDeleteAnswer() {
  var isMine = current.sys_created_by == gs.getUserName();
  if (current.table_name.nil())
    return isMine;

  var tableName = current.table_name;

  // Handle user_image fields
  if (tableName.startsWith("ZZ_YY"))
  {
    var rec = new GlideRecord(tableName.substring(5)); // strip user image prefix ZZ_YY
    if (!rec.isValid())
      return isMine;

    rec.addQuery("sys_id", current.table_sys_id); // avoid Warning on new record
    rec.query();
    if (!rec.next())
      return isMine;

    return rec[current.file_name].canWrite(); // current.file_name is the user_image column name
  }

  // Modification done on this part
  if (tableName == 'change_request')
  {
    if (tableName.assigned_to != gs.getUser())
    {
      return false;
    }
  }

  // Remove prefixes
  if (tableName.startsWith("invisible."))
    tableName = tableName.substring(10);

  var parentRecord = new GlideRecord(tableName);
  if (!parentRecord.isValid())
    return isMine;

  parentRecord.addQuery("sys_id", current.table_sys_id); // avoid Warning on new record
  parentRecord.query();
  if (!parentRecord.next())
    return isMine;

  // outgoing emails created by Email Client
  if (current.table_name == "sys_email" && parentRecord.weight == -1 && parentRecord.type == "send-ignored")
    return true;

  return parentRecord.canWrite();
}




Since the modification needs to be done on the 'Manage Attachment' button, I guess that can be done by modifying the UI page 'attachment'.