Allow non-admin users to access Advanced Pack via Roles (Workflows Flowcharts)

  • robson
    Junior Member
    • May 2019
    • 23

    #1

    I’m posting the full set of steps that worked for me, because I had to combine several tweaks before non-admin users could actually use these Advanced Pack areas.

    yuri, it would be great if you could implement the solution below in Advanced Pack; without it, it is useless for non-admin users, so for anything but a one-man show...

    Goal: Allow a non-admin user to:
    • access Workflows
    • access Flowcharts
    • create/edit Flowcharts
    • edit Start Event properties inside the BPMN designer

    By default, EspoCRM keeps these admin-only in Advanced Pack, so Roles alone are not enough.

    Part 1 — Workflows for non-admin users

    1. Create this file

    custom/Espo/Custom/Controllers/Workflow.php

    2. Put this code in it

    <?php

    namespace Espo\Custom\Controllers;

    class Workflow extends \Espo\Modules\Advanced\Controllers\Workflow
    {
        protected function checkAccess(): bool
        {
            return $this->acl->checkScope('Workflow');
        }
    }

    This replaces the built-in admin-only check with Role-based ACL for the Workflow scope.

    3. Create or edit this file

    custom/Espo/Custom/Resources/metadata/app/acl.json

    Use:
    {
        "mandatory": {
            "scopeLevel": {
                "Workflow": true,
                "WorkflowLogRecord": true,
                "BpmnFlowchart": true,
                "BpmnFlowchartElement": true
            }
        }
    }

    4. Create these files

    File:

    custom/Espo/Custom/Resources/metadata/scopes/Workflow.json

    Content:
    {
        "tab": true,
        "acl": true
    }

    File:

    custom/Espo/Custom/Resources/metadata/scopes/WorkflowLogRecord.json

    Content:
    {
        "acl": true
    }

    5. Rebuild


    From EspoCRM root:
    php command.php rebuild

    or on older installations:
    php rebuild.php

    Then log out and log back in.

    6. Add tabs and Role permissions


    Add Workflows and Workflows Log to the tab list if needed.

    Then in the Role, grant access to:
    • Workflows
    • Workflows Log

    Part 2 — Flowcharts for non-admin users

    1. Create this file

    custom/Espo/Custom/Controllers/BpmnFlowchart.php

    2. Put this code in it

    <?php

    namespace Espo\Custom\Controllers;

    class BpmnFlowchart extends \Espo\Modules\Advanced\Controllers\BpmnFlowchart
    {
        protected function checkAccess(): bool
        {
            return $this->acl->checkScope('BpmnFlowchart');
        }
    }

    This allows access to Flowcharts using Role permissions instead of requiring admin.


    3. Create this file

    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchart.json

    Content:
    {
        "acl": true,
        "tab": true,
        "aclActionList": ["create", "read", "edit", "delete"]
    }

    This exposes action-level permissions for Flowcharts in Roles.


    4. Rebuild again

    php command.php rebuild

    Then log out and back in.


    5. In the Role, grant Flowchart permissions


    Set access for Flowcharts / BpmnFlowchart to allow:
    • create
    • read
    • edit
    • delete

    At this point the user should be able to open #BpmnFlowchart and create Flowcharts.


    Part 3 — Fix Start Event window stuck / uneditable


    This was the missing piece for me.

    Even after Flowcharts were accessible and editable, the Start Event popup opened with empty loading placeholders and the fields were not editable.

    The reason is that the popup record is rendered with scope:
    BpmnFlowchartElement

    So it is not enough to expose only BpmnFlowchart.
    You also need ACL for BpmnFlowchartElement.


    1. Make sure app/acl.json includes BpmnFlowchartElement


    File:
    custom/Espo/Custom/Resources/metadata/app/acl.json

    Content:
    {
        "mandatory": {
            "scopeLevel": {
                "Workflow": true,
                "WorkflowLogRecord": true,
                "BpmnFlowchart": true,
                "BpmnFlowchartElement": true
            }
        }
    }

    2. Create this file

    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchartElement.json

    Content:
    {
        "acl": true
    }


    3. Rebuild

    php command.php rebuild

    Then log out and log back in.


    4. Update the Role


    After rebuild, BpmnFlowchartElement should appear in Role permissions.

    Grant it at least:
    • edit

    After I did this, the Start Event edit form finally rendered properly for the non-admin user.



    Result


    After all the above, my non-admin user could:
    • open Workflows
    • access Flowcharts
    • create/edit Flowcharts
    • edit Start Event properties in the BPMN designer

    Important note


    This is a customization / patch, not a standard built-in supported configuration.

    So test again after:
    • EspoCRM updates
    • Advanced Pack updates
    • rebuilds that regenerate frontend/backend caches

    I kept my custom files under custom/Espo/Custom/... and metadata under custom/Espo/Custom/Resources/....


    Final file list

    custom/Espo/Custom/Controllers/Workflow.php
    custom/Espo/Custom/Controllers/BpmnFlowchart.php
    custom/Espo/Custom/Resources/metadata/app/acl.json
    custom/Espo/Custom/Resources/metadata/scopes/Workflow.json
    custom/Espo/Custom/Resources/metadata/scopes/WorkflowLogRecord.json
    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchart.json
    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchartElement.json

    Code summary

    custom/Espo/Custom/Controllers/Workflow.php

    <?php

    namespace Espo\Custom\Controllers;

    class Workflow extends \Espo\Modules\Advanced\Controllers\Workflow
    {
        protected function checkAccess(): bool
        {
            return $this->acl->checkScope('Workflow');
        }
    }


    custom/Espo/Custom/Controllers/BpmnFlowchart.php

    <?php

    namespace Espo\Custom\Controllers;

    class BpmnFlowchart extends \Espo\Modules\Advanced\Controllers\BpmnFlowchart
    {
        protected function checkAccess(): bool
        {
            return $this->acl->checkScope('BpmnFlowchart');
        }
    }


    custom/Espo/Custom/Resources/metadata/app/acl.json

    {
        "mandatory": {
            "scopeLevel": {
                "Workflow": true,
                "WorkflowLogRecord": true,
                "BpmnFlowchart": true,
                "BpmnFlowchartElement": true
            }
        }
    }


    custom/Espo/Custom/Resources/metadata/scopes/Workflow.json

    {
        "tab": true,
        "acl": true
    }


    custom/Espo/Custom/Resources/metadata/scopes/WorkflowLogRecord.json

    {
        "acl": true
    }


    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchart.json

    {
        "acl": true,
        "tab": true,
        "aclActionList": ["create", "read", "edit", "delete"]
    }


    custom/Espo/Custom/Resources/metadata/scopes/BpmnFlowchartElement.json

    {
        "acl": true
    }



    This is a complete solution to the problem raised many years ago here: https://forum.espocrm.com/forum/gene...-access-rights
  • yuri
    EspoCRM product developer
    • Mar 2014
    • 9739

    #2
    Hi,

    It would be endless security vulnerabilities. We cannot do it.

    I would need to hide the post.


    • yuri
      EspoCRM product developer
      • Mar 2014
      • 9739

      #3
      By making these tools available to non-admin users, one just gives almost all admin rights to a regular user.

      Apart from this, there is at least one critical issue: overriding access levels with the 'mandatory' parameter, which potentially (or actually) grants access to the feature to ALL users.

      Another problem: heavy customizations of our extensions are likely to introduce issues with upgrades in the future, while we spend our resources on issues with our paid extensions that occur for our customers.

      It'd be better if customizations of our non-open source products were not public (as the license actually forbids it).


      • robson
        Junior Member
        • May 2019
        • 23

        #4
        yuri you need to explicitly explain to customers buying Advanced Pack that it can only be used by system Admins. I bought this extension and it is useless for me if I cannot make it available for my employee. If I make my employee a system admin I'm risking the whole database so it is a no go for me and most organisations. Additionally different employees serve different market segments and do not see all customers so giving them admin role is unacceptable. Therefore the only reason for me to consider buying it again is when you make it accessible to ordinary Roles. I understand your concerns however my mods actually return 403 for https://hostname/#Admin . I understand what you are saying about privileges but this situation when I'm granting admin privileges is much worse than exposing some vulnerabilities to registered users.

        If you insist that it will not be modified in the future or that I cannot make modifications to the code I would like to stop using Advanced Pack and reclaim my funds. I will write my own extension to send SMS and emails to customers upon triggers.


        • robson
          Junior Member
          • May 2019
          • 23

          #5
          One more comment to the mods above:

          In order for the list https://hostname/#BpmnFlowchart to list Flowcharts for the Role user,

          custom/Espo/Custom/Resources/metadata/app/acl.json needs to be only like this:

          {
              "mandatory": {
                  "scopeLevel": {
                      "Workflow": true,
                      "WorkflowLogRecord": true
                  }
              }
          }

          otherwise the list for the Role user will be empty.



          • yuri
            yuri commented
            This literally allows access for any users. As I mentioned above.
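As an added check (not code from this thread or from EspoCRM), the script below reads a custom app/acl.json like the ones posted above and reports every scope forced on under mandatory.scopeLevel, which, as yuri notes, applies to every user regardless of Role. It is plain Python over the JSON text and assumes nothing about the EspoCRM runtime; the sample input is constructed from post #1.

```python
import json
from typing import Dict, List

# Advanced Pack scopes that the posts above expose through app/acl.json.
ADVANCED_PACK_SCOPES = {"Workflow", "WorkflowLogRecord",
                        "BpmnFlowchart", "BpmnFlowchartElement"}

# Constructed sample input: the custom app/acl.json from post #1.
SAMPLE_ACL_JSON = """
{
    "mandatory": {
        "scopeLevel": {
            "Workflow": true,
            "WorkflowLogRecord": true,
            "BpmnFlowchart": true,
            "BpmnFlowchartElement": true
        }
    }
}
"""


def find_forced_scopes(acl_text: str) -> List[str]:
    """Return the scopes whose access is forced on under mandatory.scopeLevel.

    A level set there applies to every user regardless of Role, so each such
    entry bypasses Role configuration entirely. A value of false (or "no")
    forces denial instead and is therefore not reported.
    """
    data = json.loads(acl_text)
    forced = data.get("mandatory", {}).get("scopeLevel", {})
    return sorted(s for s, level in forced.items() if level not in (False, "no"))


def audit(acl_text: str) -> Dict[str, List[str]]:
    """Split forced scopes into the Advanced Pack ones from the thread and the rest."""
    forced = find_forced_scopes(acl_text)
    return {
        "advanced_pack": [s for s in forced if s in ADVANCED_PACK_SCOPES],
        "other": [s for s in forced if s not in ADVANCED_PACK_SCOPES],
    }


if __name__ == "__main__":
    # Point open() at custom/Espo/Custom/Resources/metadata/app/acl.json for a real audit.
    report = audit(SAMPLE_ACL_JSON)
    for scope in report["advanced_pack"]:
        print(f"FINDING: {scope} is forced on for ALL users via mandatory.scopeLevel")
    for scope in report["other"]:
        print(f"REVIEW: {scope} is also forced on via mandatory.scopeLevel")
```

Any scope the script reports is granted outside the Role model, so a Role that denies it has no effect.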
        • robson
          Junior Member
          • May 2019
          • 23

          #6
          One more comment yuri: I understand the situation but company owners do not want to get into managing CRM software. We need to have an option to grant even temporary access to full BPM functionalities so people can design processes and test them, so I can authorise them for use...


          • yuri
            EspoCRM product developer
            • Mar 2014
            • 9739

            #7
            Everyone who has access to workflow and BPM can obtain almost any data from the CRM. And it can be done very easily, considering that people who usually use such features have enough skills to quickly figure out how to do it.


            • yuri
              EspoCRM product developer
              • Mar 2014
              • 9739

              #8
              Feel free to refund, as 30 days has not passed yet.
