is using getUser().hasRoles() good form?
2 hours ago
Hello,
I've recently been digging into ACLs on our instance and I found a Read ACL on the sys_user table for user.*
It current applies to anyone that meets the following conditions:
if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles())
    answer = true;
else
    answer = false;
Now I might be showing naivety here, but is this really odd? This would mean anyone with a role, even if the role was as silly as "Can't Read Users", can read all fields on the user table?
All the users who would be submitting tickets don't have roles, sure, but if I were to add one, that would mean they could read it? Would it be more sensible to create a new role "user_read" and do this instead:
if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles('user_read'))
    answer = true;
else
    answer = false;
Is there a genuine use case here, and why would I want to stick with it? I appreciate this may be a silly question, but this is how we learn.
2 hours ago
Hello @n_webb ,
The existing ACL isn’t wrong, but it’s a shortcut that sacrifices security for simplicity and trades precision for convenience.
And yes I would also suggest replacing it with a dedicated role-based check to align with least privilege.
And also, a silly recommendation but best practice: use
gs.getUser().hasRoleExactly('user_read');
as the previous one also checks the admin role in an OR condition.
If my response helped mark as helpful and accept the solution.
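Added example, not code from the original posts or from ServiceNow itself: a small local stand-in for the GlideUser role methods discussed in the thread, run against constructed sample users to compare the three ACL condition variants side by side. It models the semantics described above (hasRoles() with no argument is true for any role at all; hasRoles('x') is also true for admin; hasRoleExactly('x') is not); the FakeUser class, the sys_id placeholders and the role names are assumptions.

```javascript
// Stand-in for the GlideUser methods used in the ACL scripts (assumption: this
// mirrors the behaviour described in the thread, it is not the real GlideUser).
class FakeUser {
  constructor(sysId, roles) { this.sysId = sysId; this.roles = new Set(roles); }
  getID() { return this.sysId; }
  // No argument: true if the user holds any role whatsoever.
  // With a role name: true if the user holds that role OR the admin role.
  hasRoles(name) {
    if (name === undefined) return this.roles.size > 0;
    return this.roles.has(name) || this.roles.has('admin');
  }
  // True only if the user holds exactly this role (admin does not count).
  hasRoleExactly(name) { return this.roles.has(name); }
}

// The three sys_user.* read ACL conditions from the thread, as predicates.
const aclOriginal      = (u, rec) => u.getID() === rec || u.hasRoles();
const aclUserRead      = (u, rec) => u.getID() === rec || u.hasRoles('user_read');
const aclUserReadExact = (u, rec) => u.getID() === rec || u.hasRoleExactly('user_read');

// Evaluate one user against a given sys_user record under all three variants.
function evaluate(user, targetSysId) {
  return {
    original:        aclOriginal(user, targetSysId),
    user_read:       aclUserRead(user, targetSysId),
    user_read_exact: aclUserReadExact(user, targetSysId),
  };
}

// Constructed sample users; sys_ids are placeholders, not real records.
const TARGET = 'sysid_other_user';
const SAMPLE_USERS = {
  requester:  new FakeUser('sysid_requester', []),            // end user, no roles
  oddRole:    new FakeUser('sysid_odd', ['cant_read_users']), // any unrelated role
  userReader: new FakeUser('sysid_reader', ['user_read']),
  admin:      new FakeUser('sysid_admin', ['admin']),
  self:       new FakeUser(TARGET, []),                       // reading their own record
};

// Returns { label: { original, user_read, user_read_exact } } for every sample user
// trying to read TARGET, which belongs to someone else except for `self`.
function runComparison() {
  const results = {};
  for (const [label, user] of Object.entries(SAMPLE_USERS)) {
    results[label] = evaluate(user, TARGET);
  }
  return results;
}

console.table(runComparison());
```

The table makes the original poster's concern concrete: the user holding only the unrelated role passes the original condition, while only the self and user_read rows pass the hasRoleExactly variant.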
2 hours ago - last edited 2 hours ago
Hi @n_webb ,
I see the ACL.
This is required for the logged-in user to access their own record's fields, provided they have access to read sys_user records via the table.none ACL on the sys_user table.
How else can users access all the info related to their record?
they should have the read access to other records f
"Now I might be showing naivety here but is this really odd? This would mean anyone with a role, even if the role was as silly as "Can't Read Users" - can read all fields on the user table?" They should have read access to the record first.
If you don't want users to access all fields of other users' records, you can create and update ACLs in this way:
1. sys_user.* for the logged-in user's own record
2. sys_user.* with roles like the user_admin role, without any condition
3. sys_user.field_name ACLs for all the fields (fields other than name, first name, last name, email etc.) for all users with no roles, or with least privilege so that they cannot access the information (give access only to the fields they need access to as per your process, with conditions such as the record being related to the currently logged-in user or the role you want to give)
You would have to create many sys_user.field_name ACLs to restrict the access.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya
