‎04-05-2017 12:17 PM
The OOB Service Portal approvals page doesn't apparently check permissions. If an EOS user has the link to a specific approval page (such as "sp?id=approval&table=sysapproval_approver&sys_id=${sys_id}") from somebody sharing an email or link with them, then that EOS user, who is NOT the designated approver, can approve requests. Has anybody else run into this? This is a major flaw, in my opinion.
‎04-14-2017 11:44 AM
You can use $sp.canReadRecord(gr) to check whether the user has permissions to read the record. If the user does not have access then the method will return false. Based on this value, hide the Approve & Reject buttons.
‎04-06-2017 07:45 AM
I think we can fix it pretty quick.
In the server code, just add a check to see if the user has the required role. If yes, only then do a gr.update().
I will try it out today and see how it goes. Will let you know.
~@$#
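The server-side check discussed above, as an added example that is not code from this thread or from the OOB widget: it tests the designated approver named in the question rather than a role, and refuses the update otherwise. `applyDecision` and `FakeRecord` are hypothetical names; it assumes the `approver` field holds the approver's user sys_id and that a pending approval has state `requested`. Delegated approvers are not handled.

```javascript
// Added example, not the OOB widget's code. Written in ES5 so the function
// can be pasted into a widget server script, where `gr` would be the
// sysapproval_approver GlideRecord and `userId` would be gs.getUserID().
var ALLOWED_OPS = { approved: true, rejected: true };

function applyDecision(gr, userId, op) {
  // Only the two decisions the buttons can send are accepted.
  if (!ALLOWED_OPS.hasOwnProperty(op)) return 'invalid_op';
  // The caller must be the user named in the record's approver field.
  if (String(gr.getValue('approver')) !== String(userId)) return 'not_approver';
  // A decision that was already made cannot be overwritten via the link.
  if (String(gr.getValue('state')) !== 'requested') return 'not_pending';
  gr.setValue('state', op);
  gr.update();
  return 'updated';
}

// Constructed stand-in exposing the three GlideRecord methods used above,
// so the check can be exercised outside an instance.
function FakeRecord(fields) { this.fields = fields; this.updates = 0; }
FakeRecord.prototype.getValue = function (name) { return this.fields[name]; };
FakeRecord.prototype.setValue = function (name, value) { this.fields[name] = value; };
FakeRecord.prototype.update = function () { this.updates += 1; };

function demo() {
  var results = [];
  // Constructed sample: user_a is the designated approver, user_b only
  // received the shared approval link.
  var rec = new FakeRecord({ approver: 'user_a', state: 'requested' });
  results.push(applyDecision(rec, 'user_b', 'approved'));
  results.push(applyDecision(rec, 'user_a', 'cancelled'));
  results.push(applyDecision(rec, 'user_a', 'approved'));
  results.push(applyDecision(rec, 'user_b', 'rejected'));
  results.push(applyDecision(rec, 'user_a', 'rejected'));
  return { results: results, state: rec.fields.state, updates: rec.updates };
}
```

Hiding the Approve and Reject buttons only changes what the page renders; the check has to sit in front of `gr.update()` in the server script, because the request that carries the decision can be sent without the buttons.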

‎10-02-2017 05:06 PM
Hi ashwinkumar.patil@wipro.com,
Did you find a solution for this issue? Can you please tell me how you are hiding the approval buttons? The requestor will have to read the approval record, we need to hide the buttons, isn't it? $sp.canReadRecord(gr) checks if the user has read access. How about hiding the buttons?
Regards,
Karthik
‎04-06-2017 10:17 AM
Hello Meghan
Here is the secure Approval Info widget. Just added the approval role check. It is an xml file.
Import it into Widget form.
Then go to Service Portal page editor, open page "approval".
Drag and drop my widget just above/below the existing Approval Info widget.
Delete the existing Approval Info widget on the left of the page.
approval_info_secure_widget.xml - Google Drive
Let me know if you need any additional help.
If you think this is helpful and correct, then please mark it so.
‎04-14-2017 11:26 AM
Did my widget work as expected?