
DEVELOPERS FORUM - Permissions Behavior in Aras

nchong - Monday, November 12, 2012 3:18 PM:

Hello everyone,

I was wondering if I could get a little bit of help here with a problem that I'm facing. I have defined a set of permissions for an ItemType as below:

  • An administrator has all privileges
  • A team manager has the get and update privileges
  • A team member has the get privilege only

The ItemType here has a set of server-side methods that run 'onAfterGet'. The 'execution_allowed_to' property of the methods is set to 'World'. These methods perform calculations based on certain values found within the ItemType and its related items and update a few properties within the ItemType. On the server-side methods, I have included code that grants the user, whoever they may be, an administrator's privileges to perform the necessary updates and revokes them at the end.

With this, I would imagine that even when a team member would not be able to edit the ItemType, they would be able to run the necessary server-side methods to view the ItemType. But instead, I am getting the error message "Failed to get the A ItemType". If I grant the team member the update privilege, they are able to view the ItemType without any issue.

So I've hit a brick wall here and I was wondering if there is some sort of permissions behavior within the Innovator that I might be unaware of as I'm pretty new to this. I may even be doing something which is totally off the mark so it would be good if someone could help shed some light. Thanks in advance.

Cheers,

Nicholas

 



gks by TSI - Thursday, November 15, 2012 6:49 AM:

>> On the server-side methods, I have included code that grants the user, whoever they may be, with an administrator's privileges to perform the necessary updates and revoking them at the end.

Are you sure this code works? As if one is not an Administrator, he is unable to grant himself admin rights.



nchong - Thursday, November 15, 2012 3:34 PM:

Yup, I'm quite sure that the piece of code works. I actually got this fragment from an Aras guru but it was just an error on my part where the identities were involved. I think the issue has been resolved. Things seem to be working fine at this point but I'm still running some tests just to be sure.

I believe one of the reasons why that code functionality is made available is to cater for situations where a developer might be required to grant certain permissions where some users may not have the privilege to perform certain actions. Well, I'd like to think that it's not about the user granting himself administrator rights but more of the server temporarily granting the user additional rights in order to execute the necessary functions/logic and then revoking it at the end. The code would be written by a developer and the relevant method is executed within the context of the server. There's no involvement from the user in terms of modifying the access rights. Or at least, that is to the extent of my understanding. I may be wrong though.
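
Added example, not part of the thread and not the code nchong refers to: a sketch of the grant/revoke pattern discussed above as an Aras Innovator C# server method body for an onAfterGet event, with the elevation scoped to a single write and revoked in a `finally` block. The identity name "Aras PLM" and the property names `quantity`, `unit_cost` and `calculated_total` are assumptions for illustration.

```csharp
// Aras Innovator server method body (C#), attached as an onAfterGet server event.
// Assumed: identity "Aras PLM"; hypothetical properties quantity, unit_cost, calculated_total.
Innovator inn = this.getInnovator();
var inv = System.Globalization.CultureInfo.InvariantCulture;
var num = System.Globalization.NumberStyles.Number;
Aras.Server.Security.Identity elevated =
    Aras.Server.Security.Identity.GetByName("Aras PLM");

for (int i = 0; i < this.getItemCount(); i++)
{
    Item current = this.getItemByIndex(i);

    // Read and calculate under the caller's own permissions: only values the
    // caller was already allowed to get are used as inputs.
    decimal qty, cost;
    if (!decimal.TryParse(current.getProperty("quantity", ""), num, inv, out qty) ||
        !decimal.TryParse(current.getProperty("unit_cost", ""), num, inv, out cost))
    {
        continue; // missing or unparsable inputs: leave the item untouched
    }
    string total = (qty * cost).ToString(inv);
    if (current.getProperty("calculated_total", "") == total)
    {
        continue; // stored value is already correct, no elevated write needed
    }

    // Elevate only around the one write. The returned flag records whether this
    // call applied the grant, so the method only revokes what it granted itself.
    bool granted = Aras.Server.Security.Permissions.GrantIdentity(elevated);
    try
    {
        Item upd = inn.newItem(current.getType(), "edit");
        upd.setID(current.getID());
        upd.setProperty("calculated_total", total); // the only property written
        Item res = upd.apply();
        if (res.isError())
        {
            return inn.newError("Update failed: " + res.getErrorString());
        }
    }
    finally
    {
        // Runs on success, on the early return above, and on exceptions.
        if (granted) Aras.Server.Security.Permissions.RevokeIdentity(elevated);
    }
    current.setProperty("calculated_total", total); // show the new value to the caller
}
return this;
```

Because the method is executable by 'World', everything between the grant and the revoke runs with elevated rights for any caller, so that span should contain only the fixed write and nothing built from user-supplied criteria.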