- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-13-2019 02:01 AM
I have an issue where an unauthenticated guest user (as output by gs.getUserName()) can pull a record from a table that has no ACL's whatsoever on it (u_one_time_code), and get the referenced user's sys_id from that record's u_user field. This is just a reference to the sys_user table. All of this is happening in the Server Script of a Widget in the Service Portal.
Further down the track i'd like to get the user's user_name & other attributes out of either the customer_contact/sys_user table with a glide record;
var gr = new GlideRecord('sys_user');
gr.addQuery('sys_id', user); //Have confirmed this function is being passed the exact
//sys_id of the user I'm looking for in 'user'
gr.query();
gs.log(gr.getValue('user_name'));
I'd never seen this before but if this code ran in my browser while I was logged in as me (an admin), the gr.getValue('user_name') returned the value I was looking for. While this ran as an unauthenticated user (which it most certainly needs to) the glide record failed, and returned false.
I've tried adding ACL's to the customer_contact & sys_user tables, at the row & field (*) levels, giving the role 'public' access. I've also granted the guest user the public role, to no avail.
If anyone requires extra info, or would be able to explain why I'm experiencing this issue and how I can get past it, please let me know.
Solved! Go to Solution.
- Labels:
-
Service Portal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-18-2019 05:06 PM
How embarrassing - This was my own fault. I had a query business rule on my customer_contact table that was locking off access to records on a per account basis. The guest account does not have an account associated with it, ergo I prevent the guest user from seeing any records.
I excluded the guest user from the BR condition & everything started working. Marking this as the correct answer I guess.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-14-2019 07:09 AM
To confirm, you're trying to get the username & other attributes for someone who's not logged in? If they don't authenticate, we don't know who they are, so not sure that will work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-15-2019 09:30 PM
Hi Michael,
Thanks for the reply. You're correct, the unauthenticated user triggers a workflow, & consequently some functions script includes. However the functions run as the System's 'Guest' user. This was previously working, without any ACL's or anything. Giving the guest user the 'public' role and the aforementioned ACL's on customer contact made no difference.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-18-2019 05:06 PM
How embarrassing - This was my own fault. I had a query business rule on my customer_contact table that was locking off access to records on a per account basis. The guest account does not have an account associated with it, ergo I prevent the guest user from seeing any records.
I excluded the guest user from the BR condition & everything started working. Marking this as the correct answer I guess.