Restricting the requested for in the portal request method

Kenton Dover
Mega Guru

Hey all,

So I have a requirement to restrict the request for drop down in the portal request method "request".

We want to be able to restrict this so that only managers and above can change this (we have management level on the user profile). After digging through the portal checkout widget I found this line in the widget "sc-checkout"

data.disable_req_for = sn_sc.CartJS.canViewRF();

This line looks like it controls the request for dropdown in the first picture. However, when you go to the docs page for CartJS the documentation does not specify what role enables or disables this functionality.

My question is has anyone ever worked with this CartJS function? And if so do you know the role that disables access? If not we can make our own logic to restrict access but I want to stay as close to out of the box as possible. 

 

Thanks!

Kenton

4 REPLIES

Allen Andreas
Administrator

Hello,

I believe it checks the ACLs for that table to see if the user has permission to write to the requested for field. In most ServiceNow permission checks, that's how it's done. It simply verifies from an ACL perspective if they can actually do 'x'. 

Which per the ACLs, would be if they have the catalog_admin role OR...the cart is the current user's cart, which almost always is true, thus they can edit the requested for.

So you could create an ACL for the requested for field (currently the ACL allows the entire record to be written to - but creating an ACL at the table.field level would override it for this specific field).

Please mark reply as Helpful/Correct, if applicable. Thanks!


Thanks Allen, great idea. I'll give that a shot and report back if it works.

Hey Allen, that was a good idea, but it did not work. I think we are going to move forward and proceed without this functionality.

Sebastian R_
Kilo Sage

@Kenton Dover 

There are two system properties which restrict the access to the "Requested For" field and therefore the cartJS.canViewRF() method.

glide.sc.req_for.roles
List of roles (comma-separated) that can update the "Requested for" widget in the service catalog. Blank means all users.
If the user does not have privilege to change requested for, they will not have ability to get other user address details

glide.sc.req_for.roles.default
This property defines a default behavior when there are no roles given in property "glide.sc.req_for.roles". When the value is "allow" and the value of glide.sc.req_for.roles is empty, then any user can request items for other users. While the value is "deny" and the value of glide.sc.req_for.roles is empty then no user can request items for other users.
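
Added example, not part of the reply above and not ServiceNow code: a plain JavaScript model of how the two property descriptions combine, for checking a planned configuration against sample users before changing an instance. The role `x_manager`, the sample users and the `null` result for an unset default are assumptions; any bypass for administrative roles is not modelled.

```javascript
// Added illustration: models the two properties as described in the thread.
// Plain JavaScript, not platform code; it does not call CartJS.

// Split a comma-separated role list, ignoring blanks and stray whitespace.
function parseRoles(value) {
  return String(value || "")
    .split(",")
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
}

// Returns true/false for "may change Requested for", or null when the
// property values fall outside the cases the descriptions cover.
function canChangeRequestedFor(props, userRoles) {
  const allowed = parseRoles(props["glide.sc.req_for.roles"]);
  if (allowed.length > 0) {
    // A role list is given: membership decides, the default is not consulted.
    return userRoles.some((r) => allowed.includes(r));
  }
  const fallback = String(props["glide.sc.req_for.roles.default"] || "").trim();
  if (fallback === "allow") return true;
  if (fallback === "deny") return false;
  return null; // behaviour not stated in the property descriptions
}

// Constructed sample data: x_manager and both users are hypothetical.
const users = {
  employee: ["snc_internal"],
  manager: ["snc_internal", "x_manager"],
};
const configs = {
  "blank + allow": { "glide.sc.req_for.roles": "", "glide.sc.req_for.roles.default": "allow" },
  "blank + deny": { "glide.sc.req_for.roles": " ", "glide.sc.req_for.roles.default": "deny" },
  "managers only": { "glide.sc.req_for.roles": "x_manager, catalog_admin", "glide.sc.req_for.roles.default": "allow" },
};

// Evaluate every sample user against every configuration.
function auditMatrix() {
  const rows = [];
  for (const [name, props] of Object.entries(configs)) {
    for (const [user, roles] of Object.entries(users)) {
      rows.push({ config: name, user, allowed: canChangeRequestedFor(props, roles) });
    }
  }
  return rows;
}

console.table(auditMatrix());
```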