GlideImpersonate - User can still insert records, bypassing ACLs

Go to solution
mauricio_paloma
Tera Expert

‎04-13-2018 11:12 AM

Hi Folks

I am trying to create an Automated Test ( ATF ) to validate a negative assertion by writing a script. As a means to test this out first and simplify it, I am creating a Fix Script first before I move onto the ATF part.

Here's the general logic:

Table: u_mauricio_palomar

ACL ( Write / Create / Delete 😞 u_mauricio_palomar_user

Here's the fix script:

var impUser = new GlideImpersonate();
impUser.impersonate('abel.tuter');

var gr = new GlideRecord('u_mauricio_palomar');
gr.u_foo = "Hello world - abel.tuter";
gr.insert();

impUser.impersonate('admin');

 

Visiting the table, u_mauricio_palomar, I see that Abel is able to write to this table. The ACLs didn't stop him. I'm attaching my update set from my developers instance. It's a Kingston update set. I've tested this on Jakarta and Kingston. 

 

Preview file
51 KB
0 Helpfuls
  • 1,577 Views
1 ACCEPTED SOLUTION

Go to solution
Brad Tilton
ServiceNow Employee
ServiceNow Employee

‎04-13-2018 11:22 AM

I believe GlideRecord runs with system level access no matter who the logged in user is, so impersonating wouldn't matter. You might try using GlideRecordSecure or test gr.canWrite() which would both evaluate ACLs.

View solution in original post

0 Helpfuls
2 REPLIES 2

Go to solution
Brad Tilton
ServiceNow Employee
ServiceNow Employee

‎04-13-2018 11:22 AM

I believe GlideRecord runs with system level access no matter who the logged in user is, so impersonating wouldn't matter. You might try using GlideRecordSecure or test gr.canWrite() which would both evaluate ACLs.

0 Helpfuls

Go to solution
mauricio_paloma
Tera Expert
In response to Brad Tilton

‎04-13-2018 11:29 AM

I tested GlideRecordSecure and that worked!

0 Helpfuls