sys_template.read ACL not allowing users to read
‎08-30-2017 10:26 AM
I'm tearing my hair out over this one.
I want to allow users access to templates based on User Criteria. To accomplish this, I've created a script include that evaluates whether a user belongs to a specific user criteria. The constructor takes a user_criteria sys_id, and the function userBelongs() evaluates whether the currently logged in user "belongs" to that User Criteria. It works to my satisfaction, as tested by background scripts and invoking from business rules. I made a custom field on the sys_template table called u_user_criteria that references the user_criteria table. I created a very simple user criteria that has a single user in the Users field and confirmed that my test user, Ben, met the conditions and that the script include agreed that he met the conditions.
I then added an ACL to the sys_template table:
Type: Record
Application: Global
Operation: Read
Active: true
Advanced: true
Admin overrides: true
Name: Template [sys_template]
Requires role: [blank]
Condition: [blank]
Script:
var foo = new UserCriteriaMatch(curent.u_user_criteria);
answer = foo.userBelongs();
Yet, when I impersonate Ben, I don't see my desired record. I also don't see a line at the bottom of the page indicating that an ACL has restricted any records (I mention this because I previously ran into this problem while using others' solutions: Re: Make template available for multiple groups).
Hopefully you can help me!!
‎08-30-2017 10:40 AM
Andy Pollino wrote:
var foo = new UserCriteriaMatch(curent.u_user_criteria);
answer = foo.userBelongs();
Should that read "current" ...?
‎08-30-2017 10:53 AM
It certainly should. I updated it to say 'current,' and it still doesn't work:
I'm double checking every step I described above for typos, but I believe it's mostly references, which are inherently checked for correctness (as in it won't let me reference a record that doesn't exist!).
‎08-30-2017 11:24 AM
My only other suggestion would be to add some debug lines in that log output, e.g.:
var foo = new UserCriteriaMatch(curent.u_user_criteria);
gs.log("current.user criteria is:" + current.u_user_criteria, "Andy's ACL");
gs.log("Foo appears to be:" + foo, "Andy's ACL");
answer = foo.userBelongs();
gs.log("Answer is:" + answer, "Andy's ACL");
‎08-30-2017 11:43 AM
EDIT: I now realize I was searching the wrong place for 'Andy.' The ACL script was setting answer to false, so I'll look more closely at why that is. I did, however, attempt to change my Script Include to a single function instead of a whole Class. When I did that, it set the answer to true, but Ben still did not see this Template. I'll create a new reply to this after exploring further. Thank you for your assistance, Dave!
Original Post:
Debugging suggests that the script doesn't even run the first line (creating the UserCriteriaMatch object)
I used the code you provided, impersonated Ben, and typed sys_template.list into my navigator (that's how I've been checking templates). I switched back to my admin account to check the logs (System Logs -> System Log -> All, filtered message for *Andy), and I got the following:
Unpictured is one more very similar error.
These errors make sense, so I went back and updated the first line to be "current.u_user_criteria," then I repeated my impersonation process. I checked the logs again and had the same nine records, so I added a line to the ACL before line 1 essentially logging that the ACL was running. I checked as Ben, I checked my logs, and I had nine messages about the ACL starting to run (though no messages from your second line, now my third line). That makes me think the script is balking at invoking the class from the Script Include.
I've been successful in invoking the Script Include in business rules and background scripts. I built the Script Include off of this page: Use script includes
But this at least gives me something to go off of, so thank you! Debugging using the log is not a strength of mine, so I hadn't thought to try it. I'll now try to create a script include that is a single function instead of a whole class.
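The log-based debugging discussed in this thread, extended so that an exception on the constructor line is itself logged and the ACL denies by default. This is an added example, not code from any poster: `makeGs`, `aclScript`, `evaluate`, the `UserCriteriaMatch` body and the record values are constructed stand-ins so it runs under Node, whereas on the instance the platform supplies `gs` and `current` and reads the global `answer`.

```javascript
// Added example: stand-alone simulation of an instrumented, fail-closed ACL script.
// gs, current and UserCriteriaMatch are constructed stubs so it runs under Node;
// on the instance the platform supplies gs/current and reads the global `answer`.

// Stub of gs.log(message, source) that records lines instead of writing to the system log.
function makeGs(lines) {
  return { log: function (msg, source) { lines.push(source + ': ' + msg); } };
}

// Hypothetical stand-in for the poster's Script Include (its real body is not on the page).
function UserCriteriaMatch(criteriaId) {
  if (!criteriaId) { throw new Error('no user criteria sys_id supplied'); }
  this.criteriaId = String(criteriaId);
}
UserCriteriaMatch.prototype.userBelongs = function () {
  return this.criteriaId === 'constructed_criteria_id';
};

// The ACL script body, wrapped in a function so the decision can be inspected.
function aclScript(current, gs, Matcher) {
  var SRC = 'template read ACL';
  var answer = false; // fail closed: every error path leaves read access denied
  try {
    gs.log('started, u_user_criteria=' + current.u_user_criteria, SRC);
    var foo = new Matcher(current.u_user_criteria);
    answer = foo.userBelongs() === true; // only a strict true grants read
    gs.log('answer=' + answer, SRC);
  } catch (e) {
    // Log the exception so a failure on the constructor line shows up under the same source.
    gs.log('error: ' + e.name + ': ' + e.message, SRC);
  }
  return answer;
}

// Run one record through the script and return both the decision and the log lines.
function evaluate(current, Matcher) {
  var lines = [];
  var answer = aclScript(current, makeGs(lines), Matcher);
  return { answer: answer, lines: lines };
}

// Constructed cases: matching criteria, empty reference, Script Include not in scope.
var ok = evaluate({ u_user_criteria: 'constructed_criteria_id' }, UserCriteriaMatch);
var empty = evaluate({ u_user_criteria: '' }, UserCriteriaMatch);
var missing = evaluate({ u_user_criteria: 'constructed_criteria_id' }, undefined);
console.log(ok, empty, missing);
```

Filtering the log on the single source string then shows, per evaluated record, whether the script started, what the reference field held, and either the answer or the exception that stopped it.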