ACL help: On sc_req_item table, allow READ if current user is an approver

apjohn2
Mega Sage

Hi community,

Got an ACL script that I'm trying to augment so that the current user can read a requested item if s/he is one of the approver(s) of that requested item. I'm pretty green at creating and calling functions and I think that may be where I've made an error. I'm having a hard time finding examples to help me fix it, though, especially from within an ACL.

The ACL script before I got to it was

(note: line breaks added here for readability... hopefully it's not confusing)

current.isNewRecord() || current.opened_by == gs.getUserID() ||
current.request.requested_for == gs.getUserID() ||
gs.hasRole('itil,sn_request_write') ||
current.watch_list.indexOf(gs.getUserID()) > -1;

and it worked fine. In fact, if I add the 'itil' role (one of the conditions above) to my test user I have verified he can read the record in question.

If possible, I need one more OR condition to determine if the current user is one of the approvers of the current record, and if so, allow him to read it / if not disallow reading.

This is the modified script I came up with but isn't working

current.isNewRecord() || current.opened_by == gs.getUserID() ||
current.request.requested_for == gs.getUserID() ||
gs.hasRole('itil,sn_request_write') ||
current.watch_list.indexOf(gs.getUserID()) > -1 ||
isApprover(gs.getUserID());

function isApprover(cu) {
	// look for an approval record on this requested item that is assigned to the given user
	var sa = new GlideRecord('sysapproval_approver');
	sa.addQuery('sysapproval',current.sys_id);
	sa.addQuery('approver',cu);
	sa.query();
	if (sa.next()) {
		return true;
	}
	else {
		return false;
	}
}

I did a little testing by taking the GlideRecord query bit, used it in a background script, modified slightly to pass a specific sc_req_item sys_id, changed 'cu' in line 6-ish to gs.getUserID(), and it did give me the right result back.

If any other details would help let me know please and thanks in advance for anything you can offer!
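The OR chain in the question, modelled as a stand-alone function so the approver lookup and the short-circuit order can be exercised offline. This is an added example, not code from the thread or from ServiceNow: GlideRecord and gs are not available outside the platform, so the sysapproval_approver table is a constructed in-memory array, the "current" record is a plain object, and the user's roles are passed in explicitly. Field names follow the thread (opened_by, request.requested_for, watch_list, sys_id, sysapproval, approver); the sys_id values are placeholders.

```javascript
// Added example: a pure-function model of the sc_req_item read ACL from the
// thread. Not ServiceNow code; GlideRecord/gs are replaced by plain data.

// Constructed sample data. sys_ids are placeholders, not real records.
const RITM = {
  sys_id: 'ritm0001',
  isNew: false,
  opened_by: 'user_alice',
  request: { requested_for: 'user_bob' },
  // watch_list is a comma-separated list of user sys_ids, as on the platform
  watch_list: 'user_carol,user_dave',
};

// Constructed stand-in for the sysapproval_approver table.
const SYSAPPROVAL_APPROVER = [
  { sysapproval: 'ritm0001', approver: 'user_erin',  state: 'requested' },
  { sysapproval: 'ritm0002', approver: 'user_frank', state: 'requested' },
];

// Equivalent of the thread's isApprover(): is there an approval row on this
// record whose approver is the given user? (GlideRecord addQuery/next() in the
// real script; an array scan here.)
function isApprover(table, recordSysId, userSysId) {
  return table.some(r => r.sysapproval === recordSysId && r.approver === userSysId);
}

// The read ACL as one boolean expression. `user` is { sys_id, roles: [...] }.
// In a real ACL script this value is what gets assigned to `answer`.
function canRead(current, user, approverTable) {
  const uid = user.sys_id;
  // gs.hasRole('itil,sn_request_write'): true if the user has any of the roles
  const hasAnyRole = (...roles) => roles.some(r => user.roles.includes(r));
  // split() gives an exact-element match; indexOf on the raw string is a
  // substring match, which is fine for fixed-length sys_ids but less explicit
  const onWatchList = current.watch_list.split(',').includes(uid);

  return current.isNew ||
    current.opened_by === uid ||
    current.request.requested_for === uid ||
    hasAnyRole('itil', 'sn_request_write') ||
    onWatchList ||
    isApprover(approverTable, current.sys_id, uid);
}

// Same predicate with the approver test first. Because || short-circuits only
// on a true operand, the result is identical; order affects cost, not outcome.
function canReadApproverFirst(current, user, approverTable) {
  return isApprover(approverTable, current.sys_id, user.sys_id) ||
    canRead(current, user, approverTable);
}

// Quick check when run directly: erin is an approver, frank is not on this RITM.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(canRead(RITM, { sys_id: 'user_erin',  roles: [] }, SYSAPPROVAL_APPROVER)); // true
  console.log(canRead(RITM, { sys_id: 'user_frank', roles: [] }, SYSAPPROVAL_APPROVER)); // false
}
```

One thing the model cannot show is what the accepted answer turned out to be: a second Read ACL on the same table that also needed the approver condition. When a script evaluates correctly in a background script but the user still cannot read the record, list every read ACL defined for sc_req_item (and use Debug Security Rules on the record) before assuming the script itself is wrong.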

1 ACCEPTED SOLUTION

apjohn2
Mega Sage

I figured it out and you were right @MB it does work! The issue was a 2nd Read ACL on the same table that needed the same script adjustment.

I think w/out you pushing me to keep at it I'd not have thought to check other areas so I appreciate it very much!

Cheers,

-Aaron


9 REPLIES

cu.toString()?

Your current function should work lol.

Oh, the watch_list.indexOf. Can you move your approver function up a couple of notches?

If the approver isn't on the watchlist, the result is no and the ACL stops processing.  At least I think.

Thanks for the encouragement MB. Tried converting to string; no luck.

Specifically I tried this (this is all lines)

current.isNewRecord() || current.opened_by == gs.getUserID() || current.request.requested_for == gs.getUserID() || gs.hasRole('itil,sn_request_write') || current.watch_list.indexOf(gs.getUserID()) > -1 || isApprover(gs.getUserID());

function isApprover(cu) {
	var sa = new GlideRecord('sysapproval_approver');
	// try converting the user sys_id to string
	var cusid = cu.toString();
	sa.addQuery('sysapproval',current.sys_id);
	sa.addQuery('approver',cusid);
	sa.query();
	if (sa.next()) {
		// return true;
		answer = true;
	}
}


Also tried declaring a new variable at the top set to gs.getUserID(), then passing that variable to the function, but that didn't change anything.

Again thanks for the attempted help!


Those are the worst 🙂

Glad you got it sorted out.