How to enable writing "fields" instead of whole classes

Jacopo D.
2025-03-17
2025-03-18
  • Jacopo D.

    Jacopo D. - 2025-03-17

    Hello,

    I created a new profile and gave it the bulk read action.

    Now, I don't want to give the new profile edit permissions for the entire User Request class, but rather, for example, only for the "private log" field. Is there any way to do this?

    <?xml version="1.0" encoding="UTF-8"?>
    <itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.6">
      <user_rights>
        <groups>
          <group id="UserRequest" _delta="must_exist">
            <classes>
              <class id="UserRequest">
              </class>
            </classes>
          </group>
        </groups>
        <profiles>
          <profile id="100" _delta="define">
            <name>Logistics Team</name>
            <description>Profile for logistics team members with read access to assets and limited ticket handling permissions</description>
            <groups>
              <group id="*">
                <actions>
                  <action id="action:read">allow</action>
                  <action id="action:bulk read">allow</action>
                </actions>
              </group>
              <group id="UserRequest">
                <actions>
                  <action id="stimulus:ev_assign">allow</action>
                </actions>
              </group>
            </groups>
          </profile>
        </profiles>
      </user_rights>
    </itop_design>
    

    I also tried to add 2 new methods (GetAttribute and GetInitialState) but without success:

    <method id="GetAttributeFlags">
        <static>false</static>
        <access>public</access>
        <type>Overload-DBObject</type>
        <code>
            <![CDATA[
            public function GetAttributeFlags($sAttCode, &$aReasons = array(), $sTargetState = '')
            {
                if (($sAttCode == 'private_log') && (UserRights::HasProfile('Logistics Team'))) {
                    return (OPT_ATT_MUSTPROMPT | parent::GetAttributeFlags($sAttCode, $aReasons, $sTargetState));
                }
    
                return parent::GetAttributeFlags($sAttCode, $aReasons, $sTargetState);
            }
            ]]>
        </code>
    </method>
    
     
  • Vincent @ Combodo

    1) You must give write access to the "Logistics Team" on the UserRequest class; otherwise, even if you allow the stimulus, it won't work, as writing of the UserRequest (to change the status and the log) will fail anyhow.
    2) Then you should use the methods (GetAttribute and GetInitialState) the other way round, because by default, every field is "writable" as soon as the user has write access to the class:

        if (($sAttCode !== 'private_log') && (UserRights::HasProfile('Logistics Team'))) {
            return (OPT_ATT_READONLY | parent::GetAttributeFlags($sAttCode, $aReasons, $sTargetState));
        }
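
The deny-by-default pattern from this reply, written out as two complete method overloads. This is an added example, not part of the original posts and not Combodo's code. It assumes that the second method mentioned in the thread is iTop's `GetInitialStateAttributeFlags` and that the profile already has write access on UserRequest; the `$aWritable` allow-list is a hypothetical name.

```xml
<!-- Added example: per-profile field allow-list on UserRequest -->
<method id="GetAttributeFlags">
    <static>false</static>
    <access>public</access>
    <type>Overload-DBObject</type>
    <code>
        <![CDATA[
        public function GetAttributeFlags($sAttCode, &$aReasons = array(), $sTargetState = '')
        {
            // Flags from the lifecycle and parent classes always apply
            $iFlags = parent::GetAttributeFlags($sAttCode, $aReasons, $sTargetState);

            // Hypothetical allow-list: the only fields this profile may edit
            $aWritable = array('private_log');

            if (UserRights::HasProfile('Logistics Team') && !in_array($sAttCode, $aWritable, true)) {
                // Anything not listed is forced read-only on existing tickets
                return ($iFlags | OPT_ATT_READONLY);
            }
            return $iFlags;
        }
        ]]>
    </code>
</method>
<method id="GetInitialStateAttributeFlags">
    <static>false</static>
    <access>public</access>
    <type>Overload-DBObject</type>
    <code>
        <![CDATA[
        public function GetInitialStateAttributeFlags($sAttCode, &$aReasons = array())
        {
            // Same rule applied to the creation form
            $iFlags = parent::GetInitialStateAttributeFlags($sAttCode, $aReasons);
            $aWritable = array('private_log');

            if (UserRights::HasProfile('Logistics Team') && !in_array($sAttCode, $aWritable, true)) {
                return ($iFlags | OPT_ATT_READONLY);
            }
            return $iFlags;
        }
        ]]>
    </code>
</method>
```

Because the check only tests for the presence of the profile, a user who holds "Logistics Team" together with a broader profile is restricted as well.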
    
     
  • Jacopo D.

    Jacopo D. - 2025-03-18

    Hello Vincent,
    Thank you for the reply.

    So, I need to change the logic in the opposite way, right?
    Instead of making everything readable and creating exceptions for writable fields, I should make everything writable and create exceptions for reading.

    The reason is that I don't want new users to have edit permissions for the entire class/classes by default.

    In my opinion, it would be nice if, in the XML, I had the option to add specific fields when necessary.

     
