Set a Portal User to only allow editing a record based on conditions?

  • axyl
    Member
    • Jun 2021
    • 32

    Set a Portal User to only allow editing a record based on conditions?

    Hey All,

    Any ideas on how I might restrict a Portal User to only being able to edit fields based on conditions? Such as only accepting edits when the status field is set to draft? Should I be looking at the onSave hook? Does the hook event describe that the edit came from the Portal?

    (Normal CRM staff should always be able to edit.)

    Cheers.
  • Firyo
    Senior Member
    • Jun 2022
    • 134

    #2
    Hi there,

    You could use the beforeSave hook for this.
    I doubt there is a feature / tweak for this.


    • rabii
      Active Community Member
      • Jun 2016
      • 1250

      #3
      Originally posted by axyl
      Hey All,

      Any ideas on how I might restrict a Portal User to only being able to edit fields based on conditions? Such as only accepting edits when the status field is set to draft? Should I be looking at the onSave hook? Does the hook event describe that the edit came from the Portal?

      (Normal CRM staff should always be able to edit.)

      Cheers.
      I think it is doable using a front-end custom view. Here is how I would do it: I would create a custom record/view for my entity type as below:

      1 - under custom/Espo/Custom/Resources/metadata/clientDefs/your-entity-type.json (define a custom record view)
      PHP Code:
      {
          "recordViews": {
              "detail": "custom:views/your-entity-type/record/detail"
          }
      }

      2 - Implement the logic to set fields read-only if the current user isPortal and the status field is draft (create the custom view under client/custom/src/views/your-entity-type/record/detail.js)
      PHP Code:
      define('custom:views/your-entity-type/record/detail', ['views/record/detail'], function (Dep) {

          return Dep.extend({

              setup: function () {
                  Dep.prototype.setup.call(this);

                  this.setupFieldPermission();
              },

              setupFieldPermission: function () {
                  // Apply once on load, then re-apply whenever the status changes.
                  this.controlFieldPermission();

                  this.listenTo(this.model, 'change:status', () => this.controlFieldPermission());
              },

              controlFieldPermission: function () {
                  // Only portal users are restricted.
                  if (!this.getUser().isPortal()) {
                      return;
                  }

                  const fieldList = ['name', 'website', 'description'];

                  // Here you can check if the status is Draft, then set the fields to read-only mode.
                  if (this.model.get('status') === 'Draft') {
                      fieldList.forEach(field => this.setFieldReadOnly(field));
                  } else {
                      // Lift the restriction again once the status is no longer Draft.
                      fieldList.forEach(field => this.setFieldNotReadOnly(field));
                  }
              },
          });
      });

      I hope this helps
      Rabii
      Web Dev

      • item
        item commented
        Thanks Rabii,
        your posts are always great.

      • rabii
        rabii commented
        you are welcome item
        appreciate your words mate
    • axyl
      Member
      • Jun 2021
      • 32

      #4
      Thanks for the replies, but I'd rather block at the server first security wise.

      I came up with this... This example checks if the description field of the contact has the value of meh. If so, and the user is a portal user, then they cannot save changes to the record. (I have some logging in there too, just for the testing of the process.)

      PHP Code:
      
      <?php
      namespace Espo\Custom\Hooks\Contact;

      use Espo\ORM\Entity;
      use Espo\Core\Hook\Hook\BeforeSave;
      use Espo\ORM\Repository\Option\SaveOptions;
      use Espo\Core\Exceptions\Error;
      use Espo\Entities\User;

      class checkPortalSaveHook implements BeforeSave
      {
          // An optional parameter, defines in which order hooks will be processed.
          // Lesser value means sooner.
          public static int $order = 1;

          public function __construct(
              // Define needed dependencies.
              private User $loggedInUser,
          ) {}

          public function beforeSave(Entity $entity, SaveOptions $options): void
          {
              // If the user is editing from the portal, then deny the edit.
              // Test logging only: dumps the save options and the portal flag.
              $log = $GLOBALS['log'];
              $log->error("checkPortalSaveHook - options");
              $log->error(print_r($options, true));

              $log->error("Portal User");
              $isPortal = $this->loggedInUser->isPortal();
              $log->error(print_r($isPortal, true));

              // Value of the field as it is about to be saved.
              $description = $entity->get('description');

              if ($description === "meh" && $isPortal) {
                  throw new Error("No permission to edit this record");
              }
          }
      }

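      The server-side check from post #4 applied to the status condition asked about in post #1, as an added example that is not code from any poster in this thread or from EspoCRM itself. The entity type MyEntity, the class name PortalEditGuard, the field name status and the value Draft are assumptions; the check reads the stored value with getFetched() so that a status sent in the same request cannot satisfy it.

```php
<?php
namespace Espo\Custom\Hooks\MyEntity; // "MyEntity" is a placeholder entity type

use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Hook\Hook\BeforeSave;
use Espo\Entities\User;
use Espo\ORM\Entity;
use Espo\ORM\Repository\Option\SaveOptions;

class PortalEditGuard implements BeforeSave
{
    // Run early so a rejected save does no further hook work.
    public static int $order = 1;

    // Assumed value of the status field that still permits portal edits.
    private const EDITABLE_STATUS = 'Draft';

    public function __construct(
        private User $user,
    ) {}

    public function beforeSave(Entity $entity, SaveOptions $options): void
    {
        // Internal CRM users are never restricted by this hook.
        if (!$this->user->isPortal()) {
            return;
        }

        // Creation is left to the portal role's ACL; only updates are gated.
        if ($entity->isNew()) {
            return;
        }

        // Decide on the value loaded from the database, not the value in the
        // request: otherwise the caller could send status=Draft together
        // with the edit and pass the check.
        $storedStatus = $entity->getFetched('status');

        if ($storedStatus !== self::EDITABLE_STATUS) {
            // Forbidden is reported as HTTP 403 rather than a generic 500,
            // so the client can tell a permission problem from a server fault.
            throw new Forbidden("Record can be edited from the portal only while its status is Draft.");
        }
    }
}
```

      The front-end view from post #3 can stay in place for usability; this hook is what enforces the rule when a request bypasses the UI.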

      • rabii
        Active Community Member
        • Jun 2016
        • 1250

        #5
        Looks cool

        Just be aware that your user might be confused, since an error is occurring but there are no hints on what the error is and why. I think if you want to use the backend, it would be better to use a saveError handler: https://docs.espocrm.com/development...rror-handlers/
        Rabii
        Web Dev


        • trungtvmso
          Member
          • Jun 2022
          • 70

          #6
          Hello all, I'm very sorry for bumping this topic again. But can we use a condition for the inlineEditDisabled metadata? I would like to extend the detail view and set whether the user can inline-edit or not by some conditions.
