
sys_popup view issue

Richard P
Mega Guru

Hi All,

I found in service portal that if a user clicks on themselves from a reference field, they seem to get the default view of the sys_popup sys_user table.

This includes all fields that aren't ACL locked.

Meaning they can update parts of their own user record that I don't want them to.

Wasn't an issue before as they don't have access to the users form in SNOW native (unless they got the full URL I suppose).

But even if they did, a UI policy sets all fields Read Only.

So I have tried a few different ways to lock this down (short of ACL) which should work, but all have failed.

1. I thought, that's fine, I'll create a sys_popup view for the user_sys table and limit visibility.

I did, but seemingly this is still the default table view, as any changes I make in this view are there in the default view? So simply removing a field or setting it RO in the sys_popup view reflects in the default view, meaning it affects the employee_admin role, which should be able to modify.

2. I thought I would create a UI policy, that !hasRole('employee_admin') would make all fields read only... works perfectly in normal SNOW, but portal IGNORES THIS RULE! (That's got to be a security issue.)

3. Fine, I thought, if they don't work I'll change the reference field on the form to remove the lookup. Can't find how to do this; ended up getting lost in a sea of unrelated, but this is a variable and I can't find field attributes to a variable.

And a few other ideas, none fruitful.

What's worse is that from the user's view of their record, they can click on other reference fields such as cost centers and change those. It's like it's a whole back door into records for UNLICENCED users, simply because it ignores all established ui_policies.

2 REPLIES

Gurpreet07
Mega Sage

We were able to lock it down to self service view for all places in our service portal.


1. For forms we just make sure that we are passing the view of the current record to the form model, and it will render the referenced record in the same view. There's a limitation that you could not choose a different view for the popup than the parent record. For our case the solution was straightforward: same view for parent and referenced record, i.e. Self Service.




2. For catalog items we have modified the widget 'SC Catalog Item' to hack the view for popups. Here you could refer to the sys_popup view as well.



3. For the variable editor, you have to modify the widget sp-variable-editor.



Thanks, I think we're on the same lines. I implemented your above solution, but it didn't seem to do anything. We still seem to be using default.