Javascript Temporary Permissions

Good day all. I'm still using v11 SP10. How do I grant temporary permission for a user through JavaScript? I want to add a Comments tab to our custom change ItemType. I have a script attached to an Action to open a dialog box so a user can add a comment. The Submit button runs another script to pull the comments field information and sends it back to the original script. The original script then creates a Comments relationship entry for the change. I have this working except when the change is in the In Review Life Cycle state for a normal user; it works for admins. I want to temporarily grant the Aras PLM identity to the user so it can be added. I don't want to allow users to be able to edit anything else in the change while it is In Review.

Method:  DEMO_Notes_Form

// Aras Labs Project
// Eli Donahue - 10/5/16
//
// Call a custom form in a modal dialog
// Perform some action based on the values returned from dialog

var inn = new Innovator();

// var thisItem = document.getThis

var topWnd = aras.getMostTopWindowWithAras(window);
    topWnd = topWnd.main || topWnd;

// get form
var formName = "DEMO_Change_Notes";
var fetchForm = this.getInnovator().newItem("Form","get");
    fetchForm.setProperty("name",formName);
    fetchForm = fetchForm.apply("get"); 

// check form for error
if (fetchForm.isError())
    return alert("Can't find a form called " + formName);

// get form params
var params = 
{
    title: 'Change Notes', 
    formId: fetchForm.getID(),       // put your form's id here
    aras: aras,
    dialogWidth: 600,                // set width int
    dialogHeight: 400,               // set height int
    content: 'ShowFormAsADialog.html'
};

var parentItem = parent.thisItem;
var value = parentItem.getProperty("id","");
var userID = aras.getCurrentUserID();

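var callback2 = function(res) 
{
    // dialog was closed without submitting: nothing to add
    if (!res || !res.param1)
        return;

    var innovator = new Innovator();
    
    // create the Comments relationship entry on the change
    var partItem = innovator.newItem("sm_DEMO_NDR_Notes","add");
        partItem.setProperty("source_id", value);
        partItem.setProperty("comments", res.param1);
    
    var resultItem = partItem.apply();
    // report a failed add (for example, no permission in the current state)
    if (resultItem.isError())
        alert(resultItem.getErrorString());
};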
// call form in dialog
topWnd.ArasModules.Dialog.show("iframe", params).promise.then(callback2);


return null;

DEMO_SUBMIT-Notes

// Aras Labs Project
// Eli Donahue - 10/5/16
//
// onClick field event for Submit button
// Returns the form field values to the method that called the current dialog

// get param1 field
var wrapper1 = getFieldByName("comments");
var p1 = wrapper1.getElementsByTagName("textarea")[0];

// confirm fields were correctly retrieved
if (!p1)
{
	alert("Can't find field param1");
	return;
}

// return entered values
var retVal = {};
    retVal["param1"] = p1.value;
    retVal["param2"] = sourceID;
    // retVal["searchResult"] = p3.value;

parent.returnValue = retVal; 
parent.close();

  • You cannot grant temporary permission for a user through JavaScript. In general this is impossible.

    Just imagine somebody builds his own Aras Client and is able to influence permissions this way. This way regular users could transform themselves into root accounts. Would be a great way to hack a system!

    What you want to do is not an uncommon task. I do the same in my own dialog calls. You need an additional Server Method that is called from the dialog. The Server Method uses GrantPermission so you can execute the query with Aras PLM or similar rights. You should be able to find GrantPermission samples online. Even Aras uses this technique.
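
The server-side approach described in the reply above, as an added example that is not part of the thread and is not Aras code: the body of a C# server Method that validates what the client sends, reads the change with the caller's own rights, and adds the Aras PLM identity only around the single comment insert, using the Aras.Server.Security.Permissions.GrantIdentity / RevokeIdentity calls from Innovator 11's server API. The method name DEMO_Add_Change_Note, the ChangeType placeholder, the request property names and the length limit are assumptions.

```csharp
// Added example: body of a C# server Method (hypothetical name DEMO_Add_Change_Note).
// Assumed request properties: <source_id> (the change id) and <comments>.
const string ChangeType = "YOUR_CHANGE_ITEMTYPE"; // placeholder: name of the custom change ItemType
const string NotesType = "sm_DEMO_NDR_Notes";     // relationship ItemType used in the question
const string ElevatedState = "In Review";         // the only state in which rights are raised
const int MaxCommentLength = 4000;                // assumed limit

Innovator inn = this.getInnovator();
string sourceId = this.getProperty("source_id", "");
string comments = this.getProperty("comments", "");

// Treat everything from the client as untrusted and validate it before any elevation.
if (!System.Text.RegularExpressions.Regex.IsMatch(sourceId, "^[0-9A-Fa-f]{32}$"))
    return inn.newError("Invalid change id.");
if (string.IsNullOrWhiteSpace(comments) || comments.Length > MaxCommentLength)
    return inn.newError("Comment is empty or too long.");

// Read the change with the caller's own permissions: a user who cannot
// see the change must not be able to comment on it through this method.
Item change = inn.newItem(ChangeType, "get");
change.setID(sourceId);
change.setAttribute("select", "state");
change = change.apply();
if (change.isError())
    return inn.newError("Change not found or not accessible.");

// Elevate only when the change is In Review; in any other state the add
// runs with the caller's normal permissions and succeeds or fails on those.
bool elevate = change.getProperty("state", "") == ElevatedState;
Aras.Server.Security.Identity plm = Aras.Server.Security.Identity.GetByName("Aras PLM");
bool granted = elevate && Aras.Server.Security.Permissions.GrantIdentity(plm);
try
{
    // The only operation performed with raised rights: one fixed "add" of one
    // fixed ItemType. No client-supplied AML or item type is ever executed.
    Item note = inn.newItem(NotesType, "add");
    note.setProperty("source_id", sourceId);
    note.setProperty("comments", comments);
    return note.apply();
}
finally
{
    // Always drop the extra identity, including when apply() throws.
    if (granted) Aras.Server.Security.Permissions.RevokeIdentity(plm);
}
```

The dialog callback would then call this method through the IOM's applyMethod with the two properties, instead of applying the relationship add from the client.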

     
