GlideRecordSecure and ServiceNow API

josh_brostoff
Giga Contributor

I have created a scripted REST API. However, any user from the third-party application can query this endpoint and see any incidents, regardless of whether they are "private" or not. I have tried using GlideRecordSecure, but it just comes back into the third-party application blank. What is wrong here?

// table, term, instance and answer are set earlier in the resource script
var gr = new GlideRecordSecure(table);
gr.addEncodedQuery('active=true^assigned_to.user_name=' + term);
gs.info('incident lookup for ' + term);   // was gs.info(name); name is not defined at this point
gr.orderBy('name');
gr.query();
answer += 'Found ' + gr.getRowCount() + ' results\n';
while (gr.next()) {
  answer += '<' + instance + gr.getLink() + '|' + gr.number + ' | ' + gr.short_description + ' | ' + gr.assigned_to.name + '>\n';
}


Patrick Schult2
Giga Guru

You're saying that any user who runs a GET on this custom API endpoint can get all the incident records? You should insert logging statements into the script to verify the user the script is running as is what you expect.



Put in a logging statement like this and see what it says.


gs.info('current user running GlideRecordSecure query: {0}', gs.getUserID());


Hey Patrick - I checked the logs and it's identifying the current user as "guest".



In the Scripted REST API, I want to set the current user to the user ID in the request header of the inbound payload. I am trying to do this in the lines below:


  gs.debug();

  var JSON = new global.JSON();
  var auth = false;

  // queryParams must be read before anything dereferences it
  var queryParams = request.queryParams;
  var slackToken = queryParams.token;
  var sn_user_name = queryParams.user_name;   // user the lookup should run as
  //gs.info(sn_user_name);


You've got debugging statements to show the number of rows found in the query...are they showing up in your log as non-zero? If they are, include another logging statement right before it returns the data so you can have ServiceNow tell you what it returned to your client.



If you want GlideRecordSecure to work like you expect, I'd recommend having the inbound request actually be authenticated as the user you want it to run as, like with basic authentication. If you used that, ServiceNow would be executing the script as that person, and GlideRecordSecure would do what you want.



It's worth mentioning that what you are doing is basically replicating the Table API, which does limit results based on security. It won't return pipe-separated data like the format shown in your example, however. If at all possible, you should use that, and use the available parameters to limit which fields are returned to the requester.
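The following is an added example of the approach described in this thread; it is not the original poster's script and not ServiceNow's own code. It assumes the Scripted REST resource has "Requires authentication" enabled and that the Slack-side client authenticates with Basic auth (or OAuth), so the script runs as the caller rather than as guest. The query parameter name `user_name`, the use of the `glide.servlet.uri` property for the instance URL, the 25-row cap and the allow-list regex for the parameter are this example's own choices. Compared with the script in the question it refuses to run as guest, passes the caller's value through `addQuery()` instead of concatenating it into an encoded query, and counts the rows GlideRecordSecure actually yields rather than trusting `getRowCount()`.

```javascript
// Added example (not the poster's or ServiceNow's code): a Scripted REST
// resource that looks up a user's active incidents for a Slack-style client.
// Assumes the resource has "Requires authentication" enabled and the client
// sends Basic auth (or OAuth) credentials, so gs.getUserName() is the caller,
// not 'guest'. The query parameter name 'user_name' and the use of the
// glide.servlet.uri property for the instance URL are this example's choices.

var MAX_ROWS = 25;                                 // cap what one call can enumerate
var USER_NAME_RE = /^[A-Za-z0-9._@-]{1,80}$/;      // allow-list for the lookup parameter

// Read one query parameter as a string. Depending on release, queryParams
// values arrive either as a string or as an array of strings.
function queryParam(request, name) {
  var v = request.queryParams[name];
  if (v && typeof v === 'object' && v.length !== undefined) {
    v = v[0];
  }
  return (v === undefined || v === null) ? '' : String(v);
}

// One Slack-style line per incident: <link|NUMBER | short description | assignee>
function formatIncident(gr, instanceUrl) {
  return '<' + instanceUrl + gr.getLink(true) + '|' +
    gr.getValue('number') + ' | ' +
    gr.getValue('short_description') + ' | ' +
    gr.getDisplayValue('assigned_to') + '>';
}

// Query as the session user. GlideRecordSecure applies the caller's read ACLs
// while iterating, so incidents the caller may not see are never returned;
// the count is taken from the rows actually iterated, not from getRowCount().
function findIncidentsFor(userName, instanceUrl) {
  var gr = new GlideRecordSecure('incident');
  gr.addQuery('active', true);
  // addQuery() treats userName as a value. Concatenating it into an
  // addEncodedQuery() string would let the caller append query operators.
  gr.addQuery('assigned_to.user_name', userName);
  gr.orderBy('number');
  gr.setLimit(MAX_ROWS);
  gr.query();

  var lines = [];
  while (gr.next()) {
    lines.push(formatIncident(gr, instanceUrl));
  }
  return lines;
}

// Entry point. Returns the HTTP status it wrote so a test can check it.
function lookupIncidents(request, response) {
  // Without an authenticated session the script runs as 'guest' and
  // GlideRecordSecure evaluates every ACL as guest; refuse instead of
  // silently answering with an empty list.
  var caller = gs.getUserName();
  if (!caller || caller === 'guest') {
    response.setStatus(401);
    response.setBody({ error: 'authenticated session required' });
    return 401;
  }

  var userName = queryParam(request, 'user_name');
  if (!USER_NAME_RE.test(userName)) {
    response.setStatus(400);
    response.setBody({ error: 'user_name missing or malformed' });
    return 400;
  }

  gs.info('incident lookup for {0} requested by {1}', userName, caller);
  var instanceUrl = gs.getProperty('glide.servlet.uri');   // e.g. https://acme.service-now.com/
  var lines = findIncidentsFor(userName, instanceUrl);

  response.setStatus(200);
  response.setBody({
    requested_by: caller,
    count: lines.length,
    text: 'Found ' + lines.length + ' results\n' + lines.join('\n')
  });
  return 200;
}

// The platform runs a Scripted REST resource with request/response in scope;
// the guard lets the same file load outside the platform, e.g. with mocked
// Glide objects in a unit test.
if (typeof request !== 'undefined' && typeof response !== 'undefined') {
  lookupIncidents(request, response);
}
```

If the Slack-specific line format is not needed, the built-in Table API with `sysparm_query` and `sysparm_fields` gives the same ACL-filtered result without any custom script, as the reply above suggests.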