Document ACL: checkEntityRead

  • wtconseil
    Active Community Member
    • Apr 2015
    • 335

    Hi there,

    In the Document entity, I added a boolean attribute "financialConfidentiality".
    I want to control read access to the documents that have this attribute set. They will only be accessible to users having the right role.

    I added a custom ACL checkEntityRead function to control that behaviour.

    Here is the code:
    PHP Code:
    <?php
    namespace Espo\Custom\Acl;
    use \Espo\Entities\User as EntityUser;
    use \Espo\ORM\Entity;
    use \Espo\Core\Exceptions\Forbidden;
    
    
    class Document extends \Espo\Core\Acl\Base {
    
      public function checkEntityRead(EntityUser $user, Entity $entity, $data) {
        if ($user->isAdmin()) {
          $GLOBALS['log']->info('Document ACL read check => OK (is admin)');
          return true;
        }
    
        // Document has boolean attribute 'financialConfidentiality' == true
        if ($entity->get('financialConfidentiality')) {
          $GLOBALS['log']->info('Document ACL read check => need to check roles for the user');
    
          $roleList = [];
          foreach ($user->get('roles') as $role)
            $roleList[] = $role;      
    
          foreach($roleList as $role) {
            if ($role->get('name') == 'AdminDocumentFinancier') {
              $GLOBALS['log']->info('Document ACL read check => user has role AdminDocumentFinancier => OK');
              return true;
            }
          }
          $GLOBALS['log']->info('Document ACL read check => FORBIDDEN ACCESS');
          #throw new Forbidden('Acces refusé...');
          return false;
        }
    
        return true;
      }
    }

    When I click on a Document name link, I can see the popup message about the 403 error, meaning that the code is working fine... but then the red popup disappears and I have access to the Document detail view... so the ACL doesn't help a lot because the restricted document is displayed.

    If I completely reload the page, I get this 403 access error (that's OK, that's the expected behaviour) and nothing is displayed.

    Is there a bug when clicking on the document tree, then clicking on a document name? I don't know how to avoid displaying the document detail content if the ACL is not OK.

    Thanks for your feedback & support!
    I can record my screen if it's not clear :-)
  • tanya
    Senior Member
    • Jun 2014
    • 4308

    #2
    Hello,
    you also need to override the client ACL.

    As an example you can use Email,
    starting from application/Espo/Resources/metadata/clientDefs/Email.json, 'acl' section.


    • wtconseil
      Active Community Member
      • Apr 2015
      • 335

      #3
      Hi tanya,

      Thanks for your quick answer.

      So, I created this file: client/custom/src/acl/document.js

      Code:
      Espo.define('custom:acl/document', 'acl', function (Dep) {
      
          return Dep.extend({
      
              checkModelRead: function (model, data, precise) {
                  var result = this.checkModel(model, data, 'read', precise);
      
                  if (result) {
                      return true;
                  }
      
                  if (data === false) {
                      return false;
                  }
      
                  var d = data || {};
                  if (d.read === 'no') {
                      return false;
                  }
      
                  if (model.has('usersIds')) {
                      if (~(model.get('usersIds') || []).indexOf(this.getUser().id)) {
                          return true;
                      }
                  } else {
                      if (precise) {
                          return null;
                      }
                  }
      
                  return result;
              }
      
          });
      
      }); 
      
      I have also created the file:
      custom/Espo/Custom/Resources/metadata/clientDefs/Document.json

      Code:
      {
        "acl": "custom:acl/document"
      } 
      

      But I still have the same behaviour.

      Any idea?


      • tanya
        Senior Member
        • Jun 2014
        • 4308

        #4
        You need to add a 'click a.link' event listener
        Code:
        if (this.getAcl().checkModel(model, 'read')) {
        before
        Code:
        this.getRouter().navigate
        in recordListView


        • wtconseil
          Active Community Member
          • Apr 2015
          • 335

          #5
          Thanks for your help!


          • mr2d2
            Senior Member
            • Apr 2017
            • 126

            #6
            Hello!
            Raising this topic again: I do not understand this point:
            Originally posted by tanya
            You need to add a 'click a.link' event listener
            Code:
            if (this.getAcl().checkModel(model, 'read')) {
            before
            Code:
            this.getRouter().navigate
            in recordListView
            Please explain in more detail.
            Where is the "recordListView"?


            • tanya
              Senior Member
              • Jun 2014
              • 4308

              #7
              EspoCRM – Open Source CRM Application. Contribute to espocrm/espocrm development by creating an account on GitHub.

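The guard described in post #4, combined with a client-side mirror of the server rule from post #1, as an added example that is not part of the thread or of EspoCRM's own code. The view, collection and user objects are constructed stand-ins; `canReadDocument`, `onLinkClick`, `makeView`, `roleNames`, `blocked`, `visited` and the route string are assumptions made for the illustration.

```javascript
// Added example: stand-in objects, not EspoCRM classes. Names other than
// checkModel, getAcl, getRouter and navigate are hypothetical.
const FINANCE_ROLE = 'AdminDocumentFinancier'; // role name from post #1

// Client-side mirror of the server rule in checkEntityRead (post #1).
// Assumes the user object exposes isAdmin and a list of role names.
function canReadDocument(user, doc) {
    if (user.isAdmin) return true;
    if (!doc.financialConfidentiality) return true;
    return user.roleNames.includes(FINANCE_ROLE);
}

// Guard from post #4: check the ACL before calling navigate.
// Returns true when navigation happened, false when it was blocked.
function onLinkClick(view, id) {
    const model = view.collection.find(m => m.id === id);
    if (!model || !view.getAcl().checkModel(model, 'read')) {
        view.blocked.push(id); // where a real view would show "access denied"
        return false;
    }
    view.getRouter().navigate('#Document/view/' + id, {trigger: true});
    return true;
}

// Constructed stand-in for a list view with two already-loaded rows.
function makeView(user) {
    const visited = [];
    return {
        visited,
        blocked: [],
        collection: [
            {id: 'doc-public', financialConfidentiality: false},
            {id: 'doc-finance', financialConfidentiality: true},
        ],
        getAcl: () => ({
            checkModel: (m, action) => action === 'read' && canReadDocument(user, m),
        }),
        getRouter: () => ({navigate: (route) => visited.push(route)}),
    };
}

const clerk = makeView({isAdmin: false, roleNames: ['Sales']});
onLinkClick(clerk, 'doc-public');   // navigates
onLinkClick(clerk, 'doc-finance');  // blocked before the router is touched
console.log(clerk.visited, clerk.blocked);
```

This guard only changes what the list view does on click; the server-side check from post #1 is still what decides whether the record data is returned.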