
Discussion


Users can change templates when they do not have any access to a field, but not when they have read only

posted on July 27, 2018

For some reason users can change templates when they have no access to one of the fields, but they can't when a field is read only. What is the difference? Shouldn't it require that a user has edit rights to all fields on the template before they can change it?

replied on July 30, 2018

Yes, it should definitely require this. If a user lacks access to any field in a template, either due to it being read-only, or not even showing for them, they should not be able to change the template. Just to confirm, is the change actually going through - the client application might not know that there's another field that the user can't even see, but the Server should restrict it. 

replied on July 31, 2018

Well, not sure if it is going through, but it led down a rabbit hole of strange error messages. The user was trying to change the template and being told they did not have access to AP - Status, which they do have full access to. It was like the system got confused and just threw random error messages.

Eventually we found that they shouldn't even be able to change the template; we enabled the hidden field to be visible but not editable and now they can't change the template. But when there is a hidden field, they can try and cause all sorts of errors that don't match up.

replied on July 31, 2018

Thanks Chad, 

If the user doesn't have rights to even know about a field, the client applications can't either, so they'll try to process the action and get errored out by the Server. That part is expected. It shouldn't be a random error message though, so we'll see if we can reproduce it. 

replied on August 1, 2018

Got it. It threw about 20 access rights errors in a huge message. AP Status was just the first field it said the user did not have access to, but I think a majority of the errors were false. They should have had access to all those fields. Once we granted access to the hidden field though, all errors went away.

I was mostly confused by them being able to change the template because I was certain this should be impossible after fighting with trying to change templates for so long.

Ideally I want them to be able to change the template even when they do not have access to a field. This is just because we use read-only status fields all the time so that they can see the status of a document without needing to open the document or the business process pane.

I understand the issue though; the system is trying to prevent someone from using this feature to delete data they shouldn't have access to. It could matter for something like an SSN, but doesn't matter for something like a document status. When they choose the wrong template by accident and it includes a status, they can't ever go back.
