Restrict access to project notes

**steve.downing** · 2007-12-17, 09:38 PM

i am currently using Sugar community edition Version 4.5.1d (Build 1273). we use the (accounts --> projects --> notes) submodule for storing attachments quite frequently. we however have recently had the need to restrict access to individual notes without restricting access to all notes within a project. (i.e. adding financial data to the project notes, that we don't want the sales rep to see.)

i was thinking that i could add a custom yes/no field to the notes module called "admin only". when this is checked i would like this particular note to only be viewable by database administrators. or i could create a user group, either way is fine with me.

the part i'm having trouble with is restricting the access to the group, or administrators.

the part that we don't want the sales reps to see is in the attachment, so opening the note is ok, but access to the file needs to be restricted.

keep in mind that there are other notes (and their file attachments) in the same project that the sales reps will need access to

thanks in advance for any assistance!

Steve

**kuske** · 2007-12-18, 05:12 PM

Uahh, a very challenging task, I think.

If I had to do such a job I would query the admin only flag in "user hook" for notes "after retrieve" of the notes and then I would set a global php variabe de´pending on the rights of the current user.
This global php variable I would check in module /include/download.php when anybody tries to download an attachment.
Perhaps this could work.

I would estimate 2-16 hours of development and test. good luck.

hk

**andopes** · 2007-12-18, 05:25 PM

Hi, Steve.

I believe there is a way to do it easily and without custom field, just a after retrieve logic hook.

If you want to enable access of Notes related to Project only for admin users, you could follow these steps:

1. create a new logic hook (see sugarcrm.com/wiki for documentation;
This logic hook could have the code:

PHP Code:

 global $current_user;

if($focus->parent_type == 'Project' && ! is_admin($current_user)) {

    $focus = null;

}

In the SugarCRM architecture if the retrieve function of SugarBean returns null, then the action dies with restrict access to admin users.

Estimate: 2 hours.

Cheers

--
André Lopes
Lâmpada Global Services
Rua Bela Cintra, 299 conjunto. 51
São Paulo, SP 01415-000
tel1. 55 11 3237-3110
cel. 55 11 7636-5859
e-mail: info@lampadacrm.com.br