Document ACL: checkEntityRead

  • Document ACL: checkEntityRead

    Hi there

    In the Document entity, I added a boolean attribute "financialConfidentiality".
    I want to control read access to the documents that have this attribute set. They will only be accessible to users having the right role.

    I added a custom ACL checkEntityRead function to control that behaviour.

    Here is the code:
    PHP Code:
    <?php
    namespace Espo\Custom\Acl;

    use \Espo\Entities\User as EntityUser;
    use \Espo\ORM\Entity;
    use \Espo\Core\Exceptions\Forbidden;

    class Document extends \Espo\Core\Acl\Base {

      public function checkEntityRead(EntityUser $user, Entity $entity, $data) {
        if ($user->isAdmin()) {
          $GLOBALS['log']->info('Document ACL read check => OK (is admin)');
          return true;
        }

        // Document has boolean attribute 'financialConfidentiality' == true
        if ($entity->get('financialConfidentiality')) {
          $GLOBALS['log']->info('Document ACL read check => need to check roles for the user');

          $roleList = [];
          foreach ($user->get('roles') as $role)
            $roleList[] = $role;

          foreach ($roleList as $role) {
            if ($role->get('name') == 'AdminDocumentFinancier') {
              $GLOBALS['log']->info('Document ACL read check => user has role AdminDocumentFinancier => OK');
              return true;
            }
          }
          $GLOBALS['log']->info('Document ACL read check => FORBIDDEN ACCESS');
          #throw new Forbidden('Acces refusé...');
          return false;
        }

        return true;
      }
    }
    When I click on a Document name link, I can see the popup message about the 403 error, meaning that the code is working fine... but then the red popup disappears and I have access to the Document detail view... so the ACL doesn't help a lot because the restricted document is displayed.


    If I completely reload the page...
    I get this 403 access error (that's OK, that's the expected behaviour)... and nothing is displayed...

    Is there a bug when clicking on the document tree, then clicking on a document name? I don't know how to avoid displaying the document detail content if the ACL is not OK.

    Thanks for your feedback & support!
    I can record my screen if it's not clear :-)

  • #2
    Hello
    You also need to override the client ACL.

    As an example you can use Email:
    start from the 'acl' section of application/Espo/Resources/metadata/clientDefs/Email.json



    • #3
      Hi tanya

      Thanks for your quick answer.

      So, I created this file: client/custom/src/acl/document.js

      PHP Code:
      Espo.define('custom:acl/document', 'acl', function (Dep) {

          return Dep.extend({

              checkModelRead: function (model, data, precise) {
                  var result = this.checkModel(model, data, 'read', precise);

                  if (result) {
                      return true;
                  }

                  if (data === false) {
                      return false;
                  }

                  var d = data || {};
                  if (d.read === 'no') {
                      return false;
                  }

                  if (model.has('usersIds')) {
                      if (~(model.get('usersIds') || []).indexOf(this.getUser().id)) {
                          return true;
                      }
                  } else {
                      if (precise) {
                          return null;
                      }
                  }

                  return result;
              }

          });

      });
      I have also created the file :
      custom/Espo/Custom/Resources/metadata/clientDefs/Document.json

      PHP Code:
      {
        "acl": "custom:acl/document"
      }


      But I still have the same behaviour.

      Any idea?



      • #4
        Need to add a 'click a.link' event listener
        Code:
        if (this.getAcl().checkModel(model, 'read')) {
        before
        Code:
        this.getRouter().navigate
        in recordListView
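
The check described in post #4, as an added example that is not part of the original thread and not EspoCRM code: a list-view click handler that runs a read check before navigating, using the rule from the first post. `canReadDocument`, `makeLinkClickHandler`, the user and document object shapes and the route string are hypothetical stand-ins, and the sample data is constructed; the server-side `checkEntityRead` remains what actually refuses the request.

```javascript
'use strict';

// Role name taken from the first post; everything else here is hypothetical.
const FINANCE_ROLE = 'AdminDocumentFinancier';

// Mirrors the server-side rule in checkEntityRead: admins always pass,
// confidential documents need the finance role, all other documents are readable.
function canReadDocument(user, doc) {
    if (user.isAdmin) return true;
    if (!doc.financialConfidentiality) return true;
    return (user.roleNames || []).includes(FINANCE_ROLE);
}

// Stand-in for the list view's 'click a.link' handler: the read check runs
// before router.navigate, so a denied document is never routed to the detail view.
function makeLinkClickHandler(user, router, notify) {
    return function onLinkClick(doc) {
        if (!canReadDocument(user, doc)) {
            notify('Access denied: ' + doc.id);
            return false;
        }
        router.navigate('#Document/view/' + doc.id);
        return true;
    };
}

// Constructed sample data: one ordinary and one confidential document,
// clicked by a non-admin user without the finance role.
function runDemo() {
    const visited = [];
    const denied = [];
    const router = { navigate: (route) => visited.push(route) };
    const notify = (msg) => denied.push(msg);
    const docs = [
        { id: 'doc-1', name: 'Handbook', financialConfidentiality: false },
        { id: 'doc-2', name: 'Budget', financialConfidentiality: true },
    ];
    const clerk = { isAdmin: false, roleNames: ['Sales'] };
    const onClick = makeLinkClickHandler(clerk, router, notify);
    docs.forEach((doc) => onClick(doc));
    return { visited, denied };
}
```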



        • #5
          Thanks for your help!



          • #6
            Hello!
            Raising this topic again; I do not understand this point:
            Originally posted by tanya
            Need to add a 'click a.link' event listener
            Code:
            if (this.getAcl().checkModel(model, 'read')) {
            before
            Code:
            this.getRouter().navigate
            in recordListView
            Explain in more detail.
            Where is the "recordListView"?



            • #7
              EspoCRM – Open Source CRM Application. Contribute to espocrm/espocrm development by creating an account on GitHub.
