04-05-2017 12:17 PM
The OOB Service Portal approvals page doesn't apparently check permissions. If an EOS user has the link to a specific approval page (such as "sp?id=approval&table=sysapproval_approver&sys_id=${sys_id}") from somebody sharing an email or link with them, then that EOS user, who is NOT the designated approver, can approve requests. Has anybody else run into this? This is a major flaw, in my opinion.
04-14-2017 11:44 AM
You can use $sp.canReadRecord(gr) to check whether the user has permissions to read the record. If the user does not have access then the method will return false. Based on this value, hide the Approve & Reject buttons.
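The check suggested in the answer above, as an added example that is not part of the original thread and not the OOB widget's source: the same `$sp.canReadRecord(gr)` gate is applied both when loading the record and again before an approve/reject action is written, so a hidden button is not the only control. The `input.op` name, the `canAct` flag, and the stand-in platform objects (including the rule that only the approver can read the record) are assumptions for illustration; on a real instance the result depends on the ACLs configured for `sysapproval_approver`.

```javascript
// Added example. In a real Service Portal widget this body is the server script
// and data, input, $sp, GlideRecord are globals; they are parameters here so the
// logic can run offline against the constructed stand-ins below.
function approvalServerScript(data, input, $sp, GlideRecord) {
  var gr = new GlideRecord('sysapproval_approver');
  // Deny by default: the record must exist AND pass the read ACLs for this user.
  data.canAct = gr.get($sp.getParameter('sys_id')) && $sp.canReadRecord(gr);
  if (!data.canAct) {
    data.message = 'Approval not found or not authorized';
    return data; // nothing about the record reaches the client
  }
  // The write happens only past the gate above, so a crafted request from a
  // user who fails the check cannot change the state.
  var op = input && input.op; // assumed name for the requested action
  if ((op === 'approved' || op === 'rejected') && gr.getValue('state') === 'requested') {
    gr.setValue('state', op);
    gr.update();
  }
  data.state = gr.getValue('state');
  return data;
}

// Constructed stand-ins for the platform objects (assumptions, offline use only).
function makePlatform(currentUser, urlSysId) {
  var rows = { a1: { approver: 'alice', state: 'requested' } }; // constructed record
  function GlideRecord() { this.row = null; }
  GlideRecord.prototype.get = function (id) { this.row = rows[id] || null; return !!this.row; };
  GlideRecord.prototype.getValue = function (f) { return this.row[f]; };
  GlideRecord.prototype.setValue = function (f, v) { this.row[f] = v; };
  GlideRecord.prototype.update = function () {};
  var $sp = {
    getParameter: function () { return urlSysId; },
    // Stand-in ACL: only the designated approver may read the approval record.
    canReadRecord: function (gr) { return gr.row.approver === currentUser; }
  };
  return { $sp: $sp, GlideRecord: GlideRecord, rows: rows };
}

// Runs one request as `user` against sys_id `id` and reports the outcome.
function demo(user, id, op) {
  var p = makePlatform(user, id);
  var data = approvalServerScript({}, { op: op }, p.$sp, p.GlideRecord);
  return { canAct: data.canAct, state: p.rows.a1.state };
}
```

In the widget's HTML template, the Approve and Reject buttons would then be rendered only when `data.canAct` is true.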
05-04-2017 05:59 AM
Hi Ashwinkumar,
I think you misunderstood - just checking if they have a role wasn't going to do it for us - we want them to have permission to read the specific record, rather than just some nebulous 'approval' role that let anybody see/approve anybody else's approvals. Working with Crossfuze, we did something along the lines of what dvp recommended below, using the canReadRecord to check before generating the widget.
Thanks for taking a stab at it, though!
Sincerely,
Meghan Smith
05-05-2017 02:08 PM
OK, great! Please mark dvp's answer as correct so that the thread closes.
10-02-2017 05:10 PM
Hi Meghan,
Can you please tell me the solution for this issue?
Regards,
Karthik