
andrewkinca
ServiceNow Employee

Welcome to my first blog post! I recently presented a lab called "JavaScripting Techniques in ServiceNow" at the Knowledge 12 conference. In both sessions, the attendees asked excellent questions, made thought-provoking comments, and offered up ingenious ideas. I will attempt to answer the questions and share the comments and ideas over my next few blog posts.

The first question I'd like to answer is: how do you disable or restrict the JavaScript Executor?






NOTE: In the lab, the standard key combination did not always work. Here is what we found:

Key combination: CTRL+SHIFT+J

Works on OS X with browsers Chrome, Safari, and Firefox

Key combination: CTRL+ALT+SHIFT+J

Works on Windows with browsers Chrome, IE, and Firefox


The OOB script that checks for the key combination is looking for CTRL+SHIFT+J; however, it seems on Windows that if you additionally hold down ALT, you prevent the browser from reacting to the key combination - the OOB script ignores the ALT and 'sees' it as CTRL+SHIFT+J.

If you are having trouble launching the JavaScript Executor, try both combinations. Another trick is to make sure a field in the main window has focus first. Clicking inside any input field usually does the trick.




My recommended solution is to add an Access Control Rule:


Object type.....: Access Control Rule
Type............: ui_page
Operation.......: read
Active..........: checked
Admin overrides.: checked
Name............: javascript_executor
Description.....: Only allow admins to run JavaScript Executor
Condition.......: <none>
Script..........: answer = false;
Roles...........: <none>




When a user without the admin role presses CTRL+SHIFT+J, they will see an error dialog because the Access Control Rule prevents them from loading the UI Page.



I recommend only using the Access Control Rule; however, if you'd like to prevent the above dialog window when a non-admin attempts to invoke the JavaScript Executor, you can add a Global UI Script in addition to the Access Control Rule. Do not rely on this UI Script by itself. This is an advanced technique because we are replacing an OOB script with a custom script. The custom script checks that "checkForClientKeystroke" exists and is a function, and that "u_checkForClientKeystroke" does not exist. If the OOB function name were ever to change, or if our custom function name were to be introduced as a new OOB function, this script would simply stop working and users would get the above error dialog.



Object type.: UI Script
Name........: Override checkForClientKeystroke
Active......: checked
Global......: checked
Description.: Intercept key combination CTRL+SHIFT+J, do not run if non-admin



if (typeof checkForClientKeystroke == 'function' && typeof u_checkForClientKeystroke == 'undefined') {

    // Run once on first keydown - stop observing OOB checkForClientKeystroke function on keyup
    Event.observe(document, 'keydown', function() {
        Event.stopObserving(document, 'keyup', checkForClientKeystroke);
        Event.stopObserving(document, 'keydown', arguments.callee);
    });

    // Add custom wrapper function on keyup
    var u_checkForClientKeystroke = function(evt) {
        if (evt && evt.shiftKey && evt.ctrlKey && evt.keyCode == 74 && !getTopWindow().g_user.hasRole('admin')) {
            // If you desire, you could add an alert here to let the user know this function has been disabled
            return;
        } else {
            checkForClientKeystroke(evt);
        }
    };
    Event.observe(document, 'keyup', u_checkForClientKeystroke);

}
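
An added example, not part of the original post: a stand-alone model of the UI Script's wrapper that runs in Node, with constructed stand-ins (`makePage`, `fire`, the sample key events, the `oob` counter) in place of the page, the event registry and the OOB handler. It shows both key combinations being suppressed for a non-admin, an admin passing through exactly once per key press, and the wrapper not installing when the OOB function name changes, leaving the Access Control Rule as the control that stops the user.

```javascript
// Added example: stand-alone model of the UI Script's wrapper; runs in Node.
// makePage, fire and the key events are constructed stand-ins, not ServiceNow code.
function makePage(isAdmin, oobNameUnchanged) {
  var page = { listeners: { keyup: [], keydown: [] }, oobCalls: 0, installed: false };
  var observe = function (type, fn) { page.listeners[type].push(fn); };
  var stopObserving = function (type, fn) {
    page.listeners[type] = page.listeners[type].filter(function (f) { return f !== fn; });
  };
  // Stand-in for the OOB keyup handler; counts requests for the Executor UI Page.
  var oob = function (evt) {
    if (evt.shiftKey && evt.ctrlKey && evt.keyCode == 74) page.oobCalls++;
  };
  observe('keyup', oob);
  // Models an upgrade that renames the OOB function: the old name is then undefined.
  var checkForClientKeystroke = oobNameUnchanged ? oob : undefined;

  // Guard on the OOB name and wrapper logic follow the UI Script; role is passed in.
  if (typeof checkForClientKeystroke == 'function') {
    observe('keydown', function once() {
      stopObserving('keyup', checkForClientKeystroke);
      stopObserving('keydown', once);
    });
    observe('keyup', function (evt) {
      if (evt && evt.shiftKey && evt.ctrlKey && evt.keyCode == 74 && !isAdmin) return;
      checkForClientKeystroke(evt);
    });
    page.installed = true;
  }
  return page;
}

// Dispatch keydown then keyup, as one key press would; returns the running OOB count.
function fire(page, evt) {
  page.listeners.keydown.slice().forEach(function (fn) { fn(evt); });
  page.listeners.keyup.slice().forEach(function (fn) { fn(evt); });
  return page.oobCalls;
}

// Constructed sample events for the two key combinations from the note above.
var CTRL_SHIFT_J = { ctrlKey: true, shiftKey: true, altKey: false, keyCode: 74 };
var CTRL_ALT_SHIFT_J = { ctrlKey: true, shiftKey: true, altKey: true, keyCode: 74 };

var demoUser = makePage(false, true);
console.log('non-admin:', fire(demoUser, CTRL_SHIFT_J), fire(demoUser, CTRL_ALT_SHIFT_J));
var demoAdmin = makePage(true, true);
console.log('admin:', fire(demoAdmin, CTRL_SHIFT_J), fire(demoAdmin, CTRL_ALT_SHIFT_J));
var demoRenamed = makePage(false, false);
console.log('renamed OOB, non-admin:', demoRenamed.installed, fire(demoRenamed, CTRL_SHIFT_J));
```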




If you have any questions, comments, or improvements, please let me know!
