
Thread: "Create new" - security right

  1. #1
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default "Create new" - security right

    I would like to be able to control if a user can create new entries for any given module. Similar to the way the normal role system works but instead of Edit (i.e. update) I would like Create New (i.e. insert). I have been searching the forums but it does not seem like any of the different Security Suites and TeamOS have this functionality.

    Thank you in advance

    Kenneth Thorman

  2. #2
    SugarDev.net is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    1,401

    Default Re: "Create new" - security right

    This is simply because Sugar doesn't recognize the difference between the actions. However, I'm with you on the necessity of it.
    Developers go here
    Businesses go there (Dutch)

    Modules:
    SugarDev.net Developer Tools | Config | Dutch Language Pack
    "Nothing gets fixed unless there is a bug"

  3. #3
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default Re: "Create new" - security right

    I have been browsing the source and found that by doing this

    insert into acl_actions (id,date_entered, date_modified, modified_user_id, created_by, name, category, acltype, aclaccess, deleted)
    select distinct uuid(), now(),now(),1,null,'create', category, 'module', 90, 0
    from acl_actions

    We actually get another column in the edit of a role. And by looking at the edit of a module and the insert of a new there is the uuid differing. So it should be possible to check on if id is part of the post then it is an edit and if not then an insert?

    Anyone?

    Regards
    Kenneth Thorman

  4. #4
    SugarDev.net is offline Sugar Community Member
    Join Date
    Feb 2008
    Posts
    1,401

    Default Re: "Create new" - security right

    Yes, almost.
    PHP Code:
    if (empty($bean->id) || !empty($bean->new_with_id)) {
        // Create
    } else {
        // Edit
    }
    Anyway, the thing is that you need to check this somewhere. This may be possible in a logic hook, although you'd have to add it to every single module by hand. Also, you can alter all the menus in Sugar to check for it (upgrade safe).

    Also found this, though:

    PHP Code:
    $ACLActions = array(
        'module' => array('actions' =>
            array(
                'access' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ENABLED, ACL_ALLOW_DEFAULT, ACL_ALLOW_DISABLED),
                        'label' => 'LBL_ACTION_ACCESS',
                        'default' => ACL_ALLOW_ENABLED,
                    ),
                'view' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_GROUP, ACL_ALLOW_OWNER, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_VIEW',
                        'default' => ACL_ALLOW_ALL,
                    ),
                'list' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_GROUP, ACL_ALLOW_OWNER, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_LIST',
                        'default' => ACL_ALLOW_ALL,
                    ),
                'edit' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_GROUP, ACL_ALLOW_OWNER, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_EDIT',
                        'default' => ACL_ALLOW_ALL,
                    ),
                'delete' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_GROUP, ACL_ALLOW_OWNER, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_DELETE',
                        'default' => ACL_ALLOW_ALL,
                    ),
                'import' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_IMPORT',
                        'default' => ACL_ALLOW_ALL,
                    ),
                'export' =>
                    array(
                        'aclaccess' => array(ACL_ALLOW_ALL, ACL_ALLOW_GROUP, ACL_ALLOW_OWNER, ACL_ALLOW_DEFAULT, ACL_ALLOW_NONE),
                        'label' => 'LBL_ACTION_EXPORT',
                        'default' => ACL_ALLOW_ALL,
                    ),
            )
        )
    );
    I'm not sure, but when I see something like this I think it would be difficult to implement a Create ACLAction and fully make it transparent in the application. But, with a little help from logic hooks, you should be able to make a solution which will actually prevent certain roles from creating certain types of records.

  5. #5
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default Re: "Create new" - security right

    Solution:
    THIS IS A NON UPGRADE SAFE WAY OF ACHIEVING THIS


    1. Add this to the $ACLActions array in modules/ACLActions/actiondefs.php


    'create'=> array(
        'aclaccess'=>array(ACL_ALLOW_ENABLED, ACL_ALLOW_DEFAULT, ACL_ALLOW_DISABLED),
        'label'=>'LBL_ACTION_CREATE',
        'default'=>ACL_ALLOW_DEFAULT,
    ),

    2. Add the label to the language file at modules/languages/en_us.lang.php

    'LBL_ACTION_CREATE'=>'Create',



    3. Run the following query if you want all modules in the database to have this right straight away (it seems like sugar is correcting missing rights in the database, so you might not even have to run this sql)

    insert into acl_actions (id,date_entered, date_modified, modified_user_id, created_by, name, category, acltype, aclaccess, deleted)
    select distinct uuid(), now(),now(),1,null,'create', category, 'module', 90, 0
    from acl_actions




    4. HACK data/SugarBean.php at line 4840 change the case 'editview'

    from

    case 'editview':
        return ACLController::checkAccess($this->module_dir,'edit', $is_owner);

    to this

    case 'editview':
        // Create / Insert
        if (is_null($this->id)) {
            return ACLController::checkAccess($this->module_dir,'create', $is_owner);
        }
        // Edit / Update
        else {
            return ACLController::checkAccess($this->module_dir,'edit', $is_owner);
        }

    UPDATE
    Please note that I fixed an intermittent bug in this hack.

    The insert statement mentioned above is necessary, so now this is run during the installation of the module found here
    https://sourceforge.net/project/show...kage_id=261293

    this bug was fixed in version 1.2.1 of the module.

    PLEASE NOTE: This module contains several fixes/patches to SugarCrm core files and is NOT UPGRADE SAFE.

    The fixes and patches are:

    http://www.sugarcrm.com/forums/showthread.php?t=34807
    http://www.sugarcrm.com/forums/showthread.php?t=34589
    http://www.sugarcrm.com/forums/showthread.php?t=34277
    http://www.sugarcrm.com/forums/showthread.php?t=33596
    http://www.sugarcrm.com/forums/showthread.php?t=28687


    I am maintaining this module since I need and use it myself and will release new modules to new SugarCrm versions, but when this either is not my focus anymore or Sugar have incorporated these bugfixes and hack this module will be closed down.

    Regards
    Kenneth Thorman
    Last edited by kenneth.thorman; 2008-07-01 at 11:24 AM.
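
Added example (not part of the thread and not SugarCRM code): a stand-alone PHP script that applies the create-versus-edit test from posts #4 and #5 at save time, as the logic-hook suggestion in post #4 implies, so the write itself is refused and not only the edit form. `check_access_stub`, `acl_action_for_save`, `may_save`, `make_bean` and the sample role table are hypothetical stand-ins; only `ACLController::checkAccess`, `id`, `new_with_id` and `module_dir` come from the thread.

```php
<?php
// Added example; the role table and bean objects are constructed stand-ins
// so the decision logic runs outside a Sugar installation.

// Constructed sample role: may edit Accounts but not create them.
$roleActions = array(
    'Accounts' => array('edit' => true, 'create' => false),
);

// Stand-in for ACLController::checkAccess($module, $action, $is_owner).
function check_access_stub(array $roleActions, $module, $action)
{
    // Deny by default: an action missing from the role is not granted.
    return !empty($roleActions[$module][$action]);
}

// Test from post #4: no id yet, or an id supplied up front for a new record.
function acl_action_for_save($bean)
{
    $isNew = empty($bean->id) || !empty($bean->new_with_id);
    return $isNew ? 'create' : 'edit';
}

// Hypothetical before_save-style gate: decide whether the write may proceed.
function may_save(array $roleActions, $bean)
{
    $action = acl_action_for_save($bean);
    return check_access_stub($roleActions, $bean->module_dir, $action);
}

// Builds a minimal object carrying only the bean fields named in the thread.
function make_bean($id, $newWithId)
{
    $b = new stdClass();
    $b->module_dir = 'Accounts';
    $b->id = $id;
    $b->new_with_id = $newWithId;
    return $b;
}

$cases = array(
    'new record, no id'           => make_bean(null, false),
    'new record, empty-string id' => make_bean('', false),
    'new record, preset id'       => make_bean('constructed-id-1', true),
    'existing record'             => make_bean('constructed-id-2', false),
);
foreach ($cases as $label => $bean) {
    printf("%-28s %-6s %s\n", $label, acl_action_for_save($bean),
        may_save($roleActions, $bean) ? 'allowed' : 'denied');
}
```

The script uses the `empty()` test from post #4 rather than `is_null()`, so an empty-string id and a preset id flagged with `new_with_id` are both classified as a create.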

  6. #6
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default Re: "Create new" - security right

    This can now be downloaded as an installable SugarCrm module from sourceforge. Please note that this module contains 5 different hacks to the Sugar core. So please read the release notes first.

    Please see this post on SugarCrm forums

    http://www.sugarcrm.com/forums/showt...ht=sourceforge post #5

  7. #7
    clint is offline Sugar Team Member | Forums Lead Moderator
    Join Date
    Aug 2004
    Location
    Silicon Valley
    Posts
    2,120

    Default Re: "Create new" - security right

    Good stuff! I will get the dev team to look at this. Great sleuthing.
    Sugar Developer Zone - developer resources | Sugar University - user and admin training
    Sugar Docs - user and admin documentation |
    Sugar Bug Tracker - Enter or view bugs
    SugarForge- open source modules, themes, lang packs | SugarExchange - commercial extensions

    Clint Oram
    Chief Technology Officer and Co-founder
    SugarCRM

  8. #8
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default Re: "Create new" - security right

    It sure would be great if some of these made it into the main distr if that makes sense to the rest of you then I would not have to maintain them any more.

    Regards
    Ken

  9. #9
    clint is offline Sugar Team Member | Forums Lead Moderator
    Join Date
    Aug 2004
    Location
    Silicon Valley
    Posts
    2,120

    Default Re: "Create new" - security right

    Just talked with the dev team about this feature. Jennifer Yim says that 5.1 is locked down into bug-fix only mode now and we aren't putting in any new features in order to hit our release target of end-of-July. Sounds good to me! Quality, quality, quality.

    However she does think this is a very worthwhile feature and is putting it in the plan for 5.5 which is tentatively planned for early next year.

  10. #10
    kenneth.thorman is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    191

    Default Re: "Create new" - security right

    I am happy that it was useful.
