Default Role Permissions

[MrBigAllan]

Is it possible to default permissions for users who are not part of a user role, that is, permissions that are also inherited by other roles as default permissions?

Situation: By default I want some fields to only be writable by a certain group of users. Everyone else should not have access to the change the field value.

I want to avoid creating a default role where I have to add all new users. If it is possible to create a role where users are automatically added, then that might be an option.

[eggsurplus]

Yes, I've had to do this in the past. Create a logic hook for when a user gets created and add the default role if a role is not associated to the user yet.

[MrBigAllan]

Great idea! I'll try it out.

[MrBigAllan]

It took a bit of time to figure out as most of the examples in the forum were based on version 5.

Here is what I ended up doing for Sugar version 6 in case any one is interested:

In the logic hook I set-up my code to be run after login.

/custom/modules/Users/logic_hooks.php

PHP Code:

<?php
// Do not store anything in this file that is not part of the array or the hook version.  This file will    
// be automatically rebuilt in the future. 
 $hook_version = 1; 
$hook_array = Array(); 
// position, file, function 
$hook_array['after_login'] = Array(); 
$hook_array['after_login'][] = Array(1, 'SugarFeed old feed entry remover', 'modules/SugarFeed/SugarFeedFlush.php','SugarFeedFlush', 'flushStaleEntries'); 

// Add to the default role
$hook_array['after_login'][] = Array(2, 'Add to default user role', 'custom/modules/Users/AddToDefaultUserRole.php','AddToDefaultUserRole', 'addToDefaultUserRole'); 
?>

In the custom code, I check if the user is part of a given role, and if not, add him/her to the role. The only ugly bit about this code is that the ACLRole ID is hard-coded. I want to find a way of making it configurable. Unfortunately ACLRole cannot be extended from studio, otherwise I would have added an additional boolean field (Default), that would be read in the script below.

/custom/modules/Users/AddToDefaultUserRole.php

PHP Code:

<?php

class AddToDefaultUserRole {
    
    /* Unique ID of the default user role that all users must be a member of. */
    const DEFAULT_USER_ROLE_ID = "ca4a4302-a96b-d9c5-f949-4ee88a48b047";

    function addToDefaultUserRole(&$bean, $event, $arguments) {
        
        // Check that the bean is a User class
        if (method_exists($bean, 'check_role_membership')) {

            // Fetch the default role
            $role = new ACLRole();
            $role->retrieve(AddToDefaultUserRole::DEFAULT_USER_ROLE_ID);

            // Check if the user is already a member of the default role
            $in_role = $bean->check_role_membership($role->name);

            if (!$in_role) {
                // Add user to role, if he/she is not already a member
                $role->set_relationship('acl_roles_users', 
                        array('role_id' => $role->id, 'user_id' => $bean->id), 
                        false);
            }
        }
    }
}
?>

[sts]

Regarding your problem with adding a new field to ACLRole:

1) It should be possible to get this module to Studio with adding a file studio.php into ACLRoles/metadata. I didn't try this out but I read that an empty file should do the job.

2) Another approach would be to manually add a field to vardefs.php and do a quick repair after that.

[MrBigAllan]

I've managed to add the field by putting the studio.php file in the metadata directory. Unfortunately it is a bit more tricky to update the edit view so that the field can be set. The edit view for ACLRole is completely custom (because of module and field level permissions). So I'm still to update EditView.tpl and EditView.php. This is not upgrade safe though :-(

[mjoyner]

Kudos MrBigAll and Jason................ Just what I was looking for and nice hack.

[adam.frank]

I've had to implement something similar in the past - the logic hook would probably work as an after_save rather than after_login - otherwise, it gets fired on every log in.