Hello,
How can I hide the History in the Details view for specific profiles? The reason: I'm hiding critical attributes for specific profiles with the functions GetAttributesflags and Get but the users are able to view the values in the activity panel.
The function GetCMDBChangeOpEditsEntriesForObject is responsible for loading the ChangeOps but ignores the AttributeFlags.
Can you help me to secure the critical attributes from being read by unauthorized users?
```xml
<?xml version="1.0" encoding="UTF-8"?>
<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0">
  <snippets>
    <snippet id="hide_history_entries" _delta="define">
      <placement>core</placement>
      <rank>0</rank>
      <content><![CDATA[
class HideHistoryEntries implements iBackofficeStyleExtension
{
    public function GetStyle(): string
    {
        // Check if current user has a profile for which we want to hide history entries
        $aCurrentUserProfiles = \UserRights::ListProfiles();
        $aProfilesToHideEntriesFor = ['Support Agent'];

        foreach ($aCurrentUserProfiles as $sCurrentUserProfile) {
            if (in_array($sCurrentUserProfile, $aProfilesToHideEntriesFor)) {
                // Then force edits entries to be hidden
                return <<<CSS
.ibo-activity-entry.ibo-edits-entry {
    display: none !important;
}
CSS;
            }
        }

        // Current user doesn't have a restricted profile, leave CSS as-is
        return '';
    }
}
]]></content>
    </snippet>
  </snippets>
</itop_design>
```
Adjust $aProfilesToHideEntriesFor to put the profiles for which you want to hide the edit entries (in the example 'Support Agent')
Copy the folder of your extension in the /extensions folder of iTop
Run the setup of iTop and mind to select the extension on the final step
Then check that it works as expected
Hope it helps,
Guillaume
Hi Guillaume,
thank you very much for your help.
The problem with this solution is that the critical information is just hidden from the user and all history information is transferred to the user. This is a security vulnerability. If the user searches for .ibo-edits-entry he will get all the critical information.
Do you have any other idea?
Not really, you could do the same thing but with a JS snippet that would remove the information from the DOM completely, but an advanced user could still set a breakpoint in their browser to prevent the JS snippet from being executed and search for the said info.
If you are looking for a feature that defines permissions per attribute, it has been discussed but it is not planned yet unfortunately.
Hi Guillaume,
I understand, implementing permissions per attribute will be quite complex.
Maybe a quick win is to extend the function GetCMDBChangeOpEditsEntriesForObject so that it doesn't return ActivityEntries of Attributes with OPT_ATT_HIDDEN.
Hello Dave,
There is no such possibility out of the box in iTop unfortunately.
That being said, you can work your way around this with a custom extension. Are you comfortable writing PHP code? We could guide you.
Guillaume
Hi Guillaume,
thank you! That would be great. I'm comfortable writing PHP code.
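The server-side filtering proposed in the last post, as an added example that is not iTop code and not part of the original thread: history entries for attributes flagged hidden are dropped before the response is built, so nothing reaches the browser that CSS or JS would then have to hide. The entry array shape, the per-attribute flag map, the function name and the locally defined OPT_ATT_HIDDEN constant are assumptions made for this illustration.

```php
<?php
// Added example, not iTop code. Local stand-in for the flag named in the thread.
const OPT_ATT_HIDDEN = 1;

/**
 * Remove changes to hidden attributes from a list of history entries.
 * $aEntries: hypothetical shape ['date', 'author', 'changes' => [att_code => [old, new]]]
 * $aFlagsByAttCode: flags already computed server-side for the current user.
 */
function filterHistoryEntries(array $aEntries, array $aFlagsByAttCode): array
{
    $aVisible = [];
    foreach ($aEntries as $aEntry) {
        $aKept = [];
        foreach ($aEntry['changes'] as $sAttCode => $aChange) {
            // Fail closed: an attribute with no computed flags is treated as hidden
            $iFlags = $aFlagsByAttCode[$sAttCode] ?? OPT_ATT_HIDDEN;
            if (($iFlags & OPT_ATT_HIDDEN) === 0) {
                $aKept[$sAttCode] = $aChange;
            }
        }
        // An entry that only touched hidden attributes is dropped entirely,
        // so its date and author do not leak either
        if ($aKept !== []) {
            $aEntry['changes'] = $aKept;
            $aVisible[] = $aEntry;
        }
    }
    return $aVisible;
}

// Constructed sample data: two change operations on one object
$aEntries = [
    ['date' => '2023-01-10 09:12', 'author' => 'admin', 'changes' => [
        'status'        => ['old' => 'new', 'new' => 'assigned'],
        'private_notes' => ['old' => '', 'new' => 'SECRET-VALUE'],
    ]],
    ['date' => '2023-01-11 14:03', 'author' => 'admin', 'changes' => [
        'private_notes' => ['old' => 'SECRET-VALUE', 'new' => 'SECRET-VALUE-2'],
    ]],
];
// Constructed flags for a user with a restricted profile
$aFlags = ['status' => 0, 'private_notes' => OPT_ATT_HIDDEN];

// What would be sent to the browser: the hidden values are absent from the body
$sBody = json_encode(filterHistoryEntries($aEntries, $aFlags));
echo $sBody, PHP_EOL;
var_dump(strpos($sBody, 'SECRET-VALUE') === false);
```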