Stop scripted REST API from updating fields after certain state (change API)

Janel
Kilo Sage

We're trying to implement the OOB scripted REST APIs for change, but we're running into a snag with writable fields.

The OOB API (/api/sn_chg_rest/v1/change), which I'm sure is true of any of the APIs, allows clients to update fields after a change is submitted that shouldn't be updated.  For example, Justification should be writable only while in the New state, but it can still be written to via the API even when the state is not New.

There is a UI policy controlling what cannot be updated from the UI, so obviously that won't apply to the APIs.

What is the best method to control when an API can write to a field at a specific state?  Field ACLs (which sounds like a nightmare)?  Data policies?  State model transitions?

The one snag we are running into is that a change_manager should be able to update any field at any state, and I'm guessing that throws the data policy idea right out the window.


Community Alums
Not applicable

Hi there,

Data policy will work for sure. Or you can try with Enforce ACL:

We can't use a data policy because change_managers need to be able to edit in any state.  Data policies don't have any script capabilities and would enforce against change_managers.

Enforcing with an ACL is just against the scripted REST endpoint.  That isn't related to fields that can be edited on the change_request table by a condition.  Unless there is more to that than I am aware of.

Community Alums
Not applicable

The best is to use GlideRecordSecure in your SRAPI; this will enforce ACLs on the table you are querying. Or you can just check the state in the same script and, if the state is XXX, disallow update operations.

By default, out of the box it already uses GlideRecordSecure.
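The thread does not show any script for this, but the requirement in the question (fields locked once the change leaves New, change_manager exempt, enforced for the REST API and not only the UI) and the state check suggested in the second reply are both served by a "before update" Business Rule on change_request, because business rules run for every write path: the scripted change API, the Table API, import sets and the form alike. A state check placed inside the SRAPI resource script only protects that one endpoint. The following is an added example, not code from the thread or from ServiceNow's OOB change API; the locked-field list, the New state value of -5 (taken from the OOB change state model), the role name change_manager and the function names are assumptions to check against your instance. The rule locks on the state the record is leaving (previous), so a single PATCH that changes State and Justification together cannot slip past it, and the decision logic is kept in a pure function so it can be unit tested off-platform.

```javascript
// Added example (not from the thread or ServiceNow OOB): a "before update"
// Business Rule on change_request that rejects writes to state-locked fields
// for every channel, UI and scripted REST alike, unless the caller holds the
// override role. Field names, the New state value (-5 in the OOB change
// state model) and the role name are assumptions for this example.

// Policy table: field name -> list of state values in which anyone may edit it.
var LOCKED_FIELDS = {
  justification: ['-5'],       // assumed: editable only in New
  short_description: ['-5']    // assumed: editable only in New
};
var OVERRIDE_ROLE = 'change_manager';

// Pure decision function, so the policy can be tested without the platform.
// fieldsChanged: names of locked fields modified by this update.
// state: state value the record is in before the update.
// hasOverride: true when the caller may edit anything in any state.
// Returns the names of fields whose change must be rejected.
function findBlockedWrites(fieldsChanged, state, hasOverride) {
  if (hasOverride) {
    return [];
  }
  return fieldsChanged.filter(function (field) {
    var allowedStates = LOCKED_FIELDS[field];
    return !!allowedStates && allowedStates.indexOf(String(state)) === -1;
  });
}

// Business Rule body. In ServiceNow the rule's script field would be just:
//   enforceStateLockedFields(current, previous, gs);
// current/previous are the platform's GlideRecord objects for the row being
// written; current.<field>.changes() is true when this update modifies it.
function enforceStateLockedFields(current, previous, gs) {
  var changed = Object.keys(LOCKED_FIELDS).filter(function (field) {
    return !!current[field] && current[field].changes();
  });
  // Decide on the state the record is leaving, not the one it is moving to,
  // so changing State and a locked field in one request cannot bypass the rule.
  var stateBefore = previous.getValue('state');
  var blocked = findBlockedWrites(changed, stateBefore, gs.hasRole(OVERRIDE_ROLE));
  if (blocked.length === 0) {
    return true;  // nothing to enforce, let the update proceed
  }
  gs.addErrorMessage('These fields cannot be changed in the current state: ' +
    blocked.join(', '));
  current.setAbortAction(true);  // rejects the write; REST clients get an error
  return false;
}
```

Aborting the action is the strict choice: the client learns its request was refused. If you would rather accept the rest of the update and silently keep the locked values, replace the setAbortAction call with current.setValue(field, previous.getValue(field)) for each blocked field. Either way, keep the UI policy for the form experience, but treat this rule as the actual control.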