ACL to allow anyone to create records

Wayne Richmond · ‎06-27-2017

Hi. I have created a custom table called 'u_stolen_items' that I want to allow anyone to be able to create records on. However, because I have the High Security Settings enabled, I believe this is preventing me from having a 'blank' ACL to allow this. I have created an ACL rule for 'create' where there are no conditions, however, this doesn't work (I assume because of the aforementioned High Security Settings). I have tried using 'true;' in the Script but that also didn't work. I tried adding the 'public' rule but this also doesn't work. Does anyone have any ideas?

Dave Smith1 · ‎06-28-2017

You'll need to add similar controls to the u_shoplifting_reports table.

For what it's worth, moving the filter (that restricts visibility to owners) from the ACL into an afterQuery business rule will hide that "Security Constraints" message. It's a bit more convoluted, but in the interests of information disclosure, considered better for security.

Wayne Richmond · ‎06-28-2017

Thanks Dave but I don't think that's the case. If I change the read and write rules to 'Requires role: public' on the u_stolen_items table, the user can create the rows on the u_shoplifting_reports form:

Dave Smith1 · ‎06-28-2017

Okay.. isn't that what you wanted? Or are you saying that you want the related list read-only when appearing on this form, but read-write elsewhere?

Wayne Richmond · ‎06-28-2017

I still want the records to only be accessible to the user that opened them. When I put this rule in (see below) it stops working on the form, even though the rule works on the table directly.

gs.hasRole("u_shoplifting_reports_user") || current.sys_created_by == gs.getUserName() || current.isNewRecord();

Dave Smith1 · ‎07-10-2017

What happens if the records are created by unauthenticated users?

Logged in I can only see mine, but logged out I can view all anonymous records. Is this right?