‎07-28-2022 03:05 PM
Hi all,
I have written a script that counts the number of records based on a state. The value is then shown on the portal. This works great when an admin is viewing a page. But when a regular user views the page, they can see the same count as the admin even though there are ACLs which restrict the user from viewing the records.
My questions are:
- Have I missed any ACLs? I have created read and write ACLs which prevent them from viewing the record, but is there another one I need to create?
- Can GlideAggregates actually support this?
I have previously added .canRead() into the code to see if that would help, but unfortunately it didn't.
Please see below a copy of the code. Thanks for all the help!
// Build one tile per state choice, each with a per-type breakdown.
var tiles = [];
data.fields.state.choices.forEach(function(e) {
    // Total number of records in this state.
    var count = new GlideAggregate('x_bskyb_sgl_guest_list');
    count.addQuery('state', e.value);
    count.addAggregate('COUNT', 'state');
    count.query();
    while (count.next()) {
        var typeStats = [];
        data.fields.type.choices.forEach(function(t) {
            if (t.value != '') {
                // Number of records in this state with this type.
                var guestType = new GlideRecord('x_bskyb_sgl_guest_list');
                guestType.addQuery('state', e.value);
                guestType.addQuery('type', t.value);
                guestType.query();
                var rowCount = guestType.getRowCount();
                // Share of this type within the state, as a percentage.
                var percentage = rowCount / count.getAggregate('COUNT', 'state') * 100;
                typeStats.push({label: t.label, amount: rowCount, percentage: percentage});
            }
        });
        tiles.push({label: e.label, value: count.getAggregate('COUNT', 'state'), type: typeStats});
    }
});
return tiles;
‎07-28-2022 03:16 PM
Hello,
Have you ever looked at a list with a non-admin user and seen "Number of rows removed from this list by Security constraints: 100"?
In order to fix this, you'll have to add some query business rules, because unfortunately, the GlideAggregate will return the total number of records even if the user is not allowed to see them.
Now the reason why I'm saying this is because this also applies to your case.
A query Business Rule will run whenever the user tries to query data and return only what he's allowed to see. - more info here and here
A workaround would be to use GlideRecordSecure, but I'm sure that this defeats the purpose.
So, my suggestion would be to create a query BR on your table x_bskyb_sgl_guest_list to overlap with the ACLs.
Hope this helps!
Tudor
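A sketch of the query Business Rule suggested above, as an added example that is not part of the original thread. The `owner` field and the `x_bskyb_sgl.manager` role are assumptions standing in for whatever the table's read ACL actually checks, and `FakeQuery`, `fakeSession` and the sample rows are constructed stand-ins so the rule can be exercised outside an instance.

```javascript
// Added example, not code from the thread. OWNER_FIELD and MANAGER_ROLE are hypothetical.
const OWNER_FIELD = 'owner';                 // assumed field the read ACL checks
const MANAGER_ROLE = 'x_bskyb_sgl.manager';  // assumed role with full visibility

// Body of a "before query" Business Rule on x_bskyb_sgl_guest_list.
// On the instance, `current` and `gs` are supplied by the platform.
function restrictGuestListQuery(current, gs) {
  if (gs.hasRole('admin') || gs.hasRole(MANAGER_ROLE)) return;
  // The filter is appended to every query on the table, so the
  // GlideAggregate count and the GlideRecord row count both shrink.
  current.addQuery(OWNER_FIELD, gs.getUserID());
}

// --- Constructed stand-ins so the rule can run outside ServiceNow ---
class FakeQuery {
  constructor() { this.conditions = []; }
  addQuery(field, value) { this.conditions.push([field, value]); }
  count(rows) {
    return rows.filter(r => this.conditions.every(([f, v]) => r[f] === v)).length;
  }
}

function fakeSession(userId, roles) {
  return { hasRole: role => roles.includes(role), getUserID: () => userId };
}

// Constructed sample rows.
const ROWS = [
  { state: 'approved', owner: 'u1' },
  { state: 'approved', owner: 'u2' },
  { state: 'approved', owner: 'u2' },
  { state: 'pending',  owner: 'u1' },
];

// Mimics the widget's per-state COUNT with the query rule applied first.
function countByState(state, session) {
  const q = new FakeQuery();
  q.addQuery('state', state);
  restrictGuestListQuery(q, session);
  return q.count(ROWS);
}
```

On the instance, only the body of `restrictGuestListQuery` goes into the rule's script, with "When" set to before and "Query" checked.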
‎07-29-2022 05:12 AM
Hi,
Thanks for your reply. Creating a query BR resolved my issue!
Thanks,
Ben
‎07-28-2022 11:11 PM
What's the purpose of this? Do you want to show on the portal how many records there are by state (to show how busy the SD is or something like that)? Then you're done, I think, because everyone sees that number. And of course clicking on it will only show you the records you are supposed to see. It would be strange if you could bypass all security around tickets by just clicking the number.
I can't see a use case for the other way around (show the number of records that you have access to).
If my answer helped you in any way, please then mark it as helpful.
Mark
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark