Saleslogix v9.1 Sales Library Functional Security Inconsistency

In the Saleslogix web client’s Sales Library screen we have seen inconsistent application of the functional security that controls the visibility of the add, edit, and delete buttons on the screen. This functional security is based on secured actions granted to the user through the normal role access.

This screen is a dojo widget implemented in the Sage/Library/Manager.js file. Inside this file is a method called _createView. This method creates the folder tree, the file grid, and the two toolbars that sit above those two controls. Its code looks like this:

_createView: function () {
    this._createTreeViewToolbar();
    this._createTreeView();
    this._createGridToolbar();
    this._createGrid();
}

The two toolbar methods, _createTreeViewToolbar and _createGridToolbar, each use a supporting library. The _createGridToolbar method uses Sage/Library/FileHandler.js, and the _createTreeViewToolbar method uses Sage/Library/FolderHandler.js.

Inside both of these supporting classes is an object called “can” with boolean properties for “add”, “edit”, and “delete”. These properties are set in these libraries within a method called “_initSecurity”. This method uses secured actions to determine which rights are set, as shown here:

_initSecurity: function () {
    this.can.add = this._roles.hasAccess('Entities/LibraryDirs/Add');
    this.can.edit = this._roles.hasAccess('Entities/LibraryDirs/Edit');
    this.can['delete'] = this._roles.hasAccess('Entities/LibraryDirs/Delete');
    this.can.manage = (this._roles.hasAccess('Administration/Manage/Library') || this._roles.hasAccess('Administration/View'));
}

What I have found is that this can object is not getting set correctly with the properties corresponding to the current user’s secured action permissions. I believe this is caused by the “_initSecurity” method not being properly called.

To fix this, we want to ensure the _initSecurity method is called before the calls to _createTreeViewToolbar and _createGridToolbar in the Manager.js file.

To implement this, we add a pre-action to the _createTreeViewToolbar and _createGridToolbar methods in the Manager.js file. Within the pre-action we call the supporting library’s _initSecurity method. We can do this using the following code:

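define([
    'dojo/aspect'
],
    function (aspect) {

        // Only the Library page instantiates Sage.Library.Manager; bail out everywhere else.
        // typeof avoids a ReferenceError if the Sage global is not defined at all.
        if (typeof Sage === 'undefined' || !Sage.Library || !Sage.Library.Manager) return;

        // Refresh the file handler's "can" flags before the grid toolbar is built.
        aspect.before(Sage.Library.Manager, '_createGridToolbar', function () {
            Sage.Library.FileHandler._initSecurity();
            console.log('FileHandler');
            console.log(Sage.Library.FileHandler.can);
        });

        // Refresh the folder handler's "can" flags before the tree view toolbar is built.
        aspect.before(Sage.Library.Manager, '_createTreeViewToolbar', function () {
            Sage.Library.FolderHandler._initSecurity();
            console.log('FolderHandler');
            console.log(Sage.Library.FolderHandler.can);
        });
    }
);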

Please note that the if check that returns out of the function is necessary if you are loading this code globally. This is because the Sage.Library.Manager is only instantiated on the Library page. If you were to add this code to other pages without that if statement, all other pages would fail to load.

You can also see in the code I am outputting the values of the can objects to the browser console. This is not required, but is useful to ensure that the property values are being set based on the secured action permissions granted to the user.
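The ordering problem and the pre-action fix can be reproduced outside Saleslogix. The following is an added example, not Saleslogix or Customer FX code: makeRoles, makeHandler, makeManager, before (a minimal imitation of dojo/aspect.before) and auditCan are hypothetical stand-ins, and it assumes the can flags stay unset until _initSecurity runs. auditCan replaces the console inspection with a comparison of each flag against the role service.

```javascript
var ACTIONS = { add: 'Entities/LibraryDirs/Add', edit: 'Entities/LibraryDirs/Edit',
                'delete': 'Entities/LibraryDirs/Delete' };

// Stand-in role service; `granted` is constructed sample data.
function makeRoles(granted) {
    return { hasAccess: function (a) { return granted.indexOf(a) !== -1; } };
}

// Stand-in handler. Assumption: the `can` flags stay unset until _initSecurity runs.
function makeHandler(roles) {
    return { _roles: roles, can: {}, _initSecurity: function () {
        for (var f in ACTIONS) { this.can[f] = this._roles.hasAccess(ACTIONS[f]); }
    } };
}

// Stand-in manager: a button is shown only when the matching flag is true.
function makeManager(handler) {
    return { _createTreeViewToolbar: function () {
        return Object.keys(ACTIONS).filter(function (f) { return handler.can[f] === true; });
    } };
}

// Minimal stand-in for dojo/aspect.before: run `advice`, then the original method.
function before(target, name, advice) {
    var original = target[name];
    target[name] = function () {
        advice.apply(this, arguments);
        return original.apply(this, arguments);
    };
}

// Flags that disagree with the role service; an empty array means consistent.
function auditCan(handler) {
    return Object.keys(ACTIONS).filter(function (f) {
        return Boolean(handler.can[f]) !== handler._roles.hasAccess(ACTIONS[f]);
    });
}

// Constructed user: granted Add and Edit, not Delete.
function demo() {
    var handler = makeHandler(makeRoles([ACTIONS.add, ACTIONS.edit]));
    var manager = makeManager(handler);
    var r = { buttonsBefore: manager._createTreeViewToolbar(), staleBefore: auditCan(handler) };
    before(manager, '_createTreeViewToolbar', function () { handler._initSecurity(); });
    r.buttonsAfter = manager._createTreeViewToolbar();
    r.staleAfter = auditCan(handler);
    return r;
}
```

Without the pre-action the toolbar is built from stale flags and auditCan reports add and edit as inconsistent; with it, the toolbar matches the granted actions and auditCan returns an empty list.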

ABOUT THE AUTHOR

Kris Halsrud

Kris Halsrud is a Senior Analyst / Developer for Customer FX Corporation.
