Name

global.CSMContentAccess

Description

Implements extension point global.CSMContentAccessEP

Script

/**
 * Base access evaluator for a single table/record pair.
 *
 * As written, this class denies by default: the write/create/delete hooks and
 * _enforceResponsibilities() all return false, and the non-query-rule read
 * path (_canRead_QBR) returns false. An implementation is expected to set
 * RESOURCE_NAME and override the single-underscore hooks it needs.
 *
 * Double-underscore members are internal and must not be overridden;
 * single-underscore members are the override surface.
 */
var CSMContentAccess = Class.create();
CSMContentAccess.prototype = {
    /**
     * Binds the evaluator to a table and a record.
     *
     * @param {string} tableName - table of the record being evaluated; when
     *     falsy, the name is taken from current.getTableName()
     * @param {Object} current - record the access pattern is evaluated against
     */
    initialize: function(tableName, current) {
        this._setContext(tableName, current);
    },

    /**
     * Re-binds the evaluator to another table/record.
     *
     * NOTE(review): only tableName and current are replaced; this.params set
     * by an earlier can*() call stays on the instance. Confirm callers that
     * reuse one evaluator across records expect that.
     *
     * @param {string} tableName - see initialize()
     * @param {Object} current - see initialize()
     */
    resetContext: function(tableName, current) {
        this._setContext(tableName, current);
    },

    /**
     * Tells whether this evaluator is the one responsible for the bound table.
     *
     * Loose equality is kept on purpose: tableName can come from
     * current.getTableName(), and the value type returned there is not visible
     * in this file (TODO confirm before tightening to ===).
     *
     * @param {*} accessPattern - accepted for interface compatibility; not read
     * @returns {boolean} true when RESOURCE_TYPE is "TABLE" and RESOURCE_NAME
     *     equals the bound table name
     */
    canProcess: function(accessPattern) {
        if (!(this.RESOURCE_TYPE=="TABLE")) {
            return false;
        }
        return this.RESOURCE_NAME == this.tableName;
    },

    /**
     * Evaluates read access to the bound record.
     *
     * No responsibility check happens here; for reads, responsibilities are
     * enforced through the query-rule / QBR validations reached via __canRead().
     *
     * @param {Object} [params] - additional parameters for the evaluation
     * @returns {boolean} false when no record is bound, otherwise the result
     *     of the read path
     */
    canRead: function(params) {
        var ready = this.__preProcess(params);
        if (!ready) {
            return false;
        }
        return this.__canRead();
    },


    /**
     * Evaluates write access to the bound record.
     *
     * A valid responsibility (when enforcement is switched on) grants access
     * before _canWrite() is consulted; otherwise _canWrite() decides.
     *
     * @param {Object} [params] - additional parameters for the evaluation
     * @returns {boolean} false when no record is bound
     */
    canWrite: function(params) {
        if (!this.__preProcess(params)) {
            return false;
        }

        // The permission map is only built when enforcement is enabled.
        var grantedByResponsibility = this._enforceResponsibilities() &&
            this._hasValidResponsibility(this._getWritePermissionMap());
        return grantedByResponsibility ? true : this._canWrite();
    },

    /**
     * Evaluates create access for the bound record.
     *
     * Same decision order as canWrite(): responsibility grant first, then the
     * _canCreate() hook.
     *
     * @param {Object} [params] - additional parameters for the evaluation
     * @returns {boolean} false when no record is bound
     */
    canCreate: function(params) {
        if (!this.__preProcess(params)) {
            return false;
        }

        var grantedByResponsibility = this._enforceResponsibilities() &&
            this._hasValidResponsibility(this._getCreatePermissionMap());
        return grantedByResponsibility ? true : this._canCreate();
    },

    /**
     * Evaluates delete access to the bound record.
     *
     * Same decision order as canWrite(): responsibility grant first, then the
     * _canDelete() hook.
     *
     * @param {Object} [params] - additional parameters for the evaluation
     * @returns {boolean} false when no record is bound
     */
    canDelete: function(params) {
        if (!this.__preProcess(params)) {
            return false;
        }

        var grantedByResponsibility = this._enforceResponsibilities() &&
            this._hasValidResponsibility(this._getDeletePermissionMap());
        return grantedByResponsibility ? true : this._canDelete();
    },


    /** Private methods; do not override these methods. **/

    /**
     * Checks whether the account has a row in the account-access table with
     * restrict_contact_access set. Not called by any other method of this
     * class.
     *
     * @param {string} accountId - value matched against the 'account' field
     * @returns {boolean} false for a falsy accountId, otherwise whether at
     *     least one matching row exists
     */
    __isRestrictedAccessAccount: function(accountId) {
        if (accountId) {
            var accessGr = new GlideRecord(global.CSMBaseConstants.ACCOUNT_ACCESS_TABLE);
            accessGr.addQuery('account', accountId);
            accessGr.addQuery('restrict_contact_access', true);
            accessGr.query();
            return accessGr.hasNext();
        }
        return false;
    },

    /**
     * Common gate for every public can*() method.
     *
     * Fails closed when no record is bound. Params are replaced only when the
     * caller passes a non-nil value, so a call without params evaluates
     * against whatever an earlier call stored on the instance.
     *
     * @param {Object} [params] - additional parameters for the evaluation
     * @returns {boolean} true when a record is bound
     */
    __preProcess: function(params) {
        var hasRecord = !gs.nil(this.current);
        if (!hasRecord) {
            return false;
        }

        var hasParams = !gs.nil(params);
        if (hasParams) {
            this._setParams(params);
        }
        return true;
    },

    /**
     * @returns {*} whatever CSMQueryRulesUtil.useQueryRules() reports
     */
    __isQueryRulesEnabled: function() {
        var qrUtil = new global.CSMQueryRulesUtil();
        return qrUtil.useQueryRules();
    },

    /**
     * Routes a read check to the query-rule path or to the QBR path.
     *
     * @returns {boolean} result of _canRead_QR() or _canRead_QBR()
     */
    __canRead: function() {
        return this.__isQueryRulesEnabled() ? this._canRead_QR() : this._canRead_QBR();
    },


    /** Protected methods; overriding these is allowed. **/

    /**
     * Stores the evaluation context on the instance.
     *
     * @param {string} tableName - explicit table name; when falsy, falls back
     *     to current.getTableName(), or null if current is nil
     * @param {Object} current - record to evaluate
     */
    _setContext: function(tableName, current) {
        var resolvedTable = tableName;
        if (!resolvedTable) {
            resolvedTable = gs.nil(current) ? null : current.getTableName();
        }
        this.tableName = resolvedTable;
        this.current = current;
    },

    /**
     * Stores the caller-supplied parameters for later hooks.
     *
     * @param {Object} params - additional parameters for the evaluation
     */
    _setParams: function(params) {
        this.params = params;
    },

    /**
     * Override the _can*() methods only if
     * 1) the entity does not have separate ACLs for regular checks
     * 2) and the entity's security check depends on granular roles
     **/

    /** @returns {boolean} false: the base class grants no write access */
    _canWrite: function() {
        return false;
    },

    /** @returns {boolean} false: the base class grants no create access */
    _canCreate: function() {
        return false;
    },

    /** @returns {boolean} false: the base class grants no delete access */
    _canDelete: function() {
        return false;
    },

    /**
     * Read check through generated query rules: builds an encoded query for
     * the bound table and tests the bound record against it.
     *
     * NOTE(review): the "qr_roles" parameter decides which roles the filter is
     * generated for. If params can carry caller-controlled values, confirm the
     * role list is derived server-side.
     * NOTE(review): the outcome for an empty or nil generated filter depends
     * on how GlideFilter.checkRecord treats it - confirm that case does not
     * match every record.
     *
     * @returns {*} result of GlideFilter.checkRecord for the bound record
     */
    _canRead_QR: function() {
        // TODO: Keep the filter in a session variable for subsequent usages, and make sure it is invalidated when config is changed
        // TODO: OR, use transaction cache.
        var roleOverride = this.__getParam("qr_roles");
        var generator = new sn_queryrules.QueryRuleGenerator();
        var encodedQuery = gs.nil(roleOverride)
            ? generator.getEncodedQuery(this.tableName)
            : generator.getEncodedQueryForRoles(this.tableName, roleOverride);
        return GlideFilter.checkRecord(this.current, encodedQuery);
    },

    /** @returns {boolean} false: the base class grants no read access on the QBR path */
    _canRead_QBR: function() {
        return false;
    },

    /**
     * Switch for the responsibility-based grant in canWrite/canCreate/canDelete.
     *
     * @returns {boolean} false: responsibilities are not consulted by default
     */
    _enforceResponsibilities: function() {
        return false;
    },

    /**
     * Delegates to CSMRelationshipUtils.isChildOf().
     *
     * @param {*} parent - passed through unchanged
     * @param {string} tableName - passed through unchanged
     * @returns {*} result of the delegate
     */
    _isChildOf: function(parent, tableName) {
        var relationshipUtils = new global.CSMRelationshipUtils();
        return relationshipUtils.isChildOf(parent, tableName);
    },

    /** Permission maps for Responsibilities **/
    /**
     * Expected shape:
     *
     * {
     *   relationship1: accessType,
     *   relationship2: accessType,
     *   ...
     * }
     *
     * The base implementations return undefined, which
     * _hasValidResponsibility() presumably treats as nil and rejects.
     */

    _getWritePermissionMap: function() {},

    _getCreatePermissionMap: function() {},

    _getDeletePermissionMap: function() {},


    /**
     * Access evaluation with the help of a permission map: the first
     * relationship for which CSMRelationshipUtils.hasAccess() is truthy grants
     * access.
     *
     * A falsy access type in the map falls back to
     * CSMRelationshipConstants.ACCESS.FULL.
     *
     * @param {Object} permissionMap - relationship name to access type
     * @returns {*} false for a nil map, true on the first match, otherwise the
     *     last (falsy) hasAccess() result
     */
    _hasValidResponsibility: function(permissionMap) {
        if (gs.nil(permissionMap)) {
            return false;
        }

        var lastOutcome = false;
        var relationNames = Object.keys(permissionMap);
        var relationshipUtils = new global.CSMRelationshipUtils();
        var total = relationNames.length;
        var idx = 0;
        while (idx < total) {
            var relationName = relationNames[idx];
            var requiredAccess = permissionMap[relationName] || global.CSMRelationshipConstants.ACCESS.FULL;
            lastOutcome = relationshipUtils.hasAccess(this.current, relationName, requiredAccess, this.params);
            if (lastOutcome) {
                return true;
            }
            idx++;
        }

        return lastOutcome;
    },

    /**
     * Reads one entry from the stored params.
     *
     * @param {string} key - parameter name
     * @returns {*} null when key or params is falsy, otherwise params[key]
     */
    __getParam: function(key) {
        return (key && this.params) ? this.params[key] : null;
    },

    // Always override these variables with the right values. With the default
    // empty RESOURCE_NAME, canProcess() only matches an empty/null table name.
    RESOURCE_NAME : "",
    RESOURCE_TYPE : "TABLE",

    type: 'CSMContentAccess'
};

Sys ID

0fc2120677f23010d3ef07dc7d5a9901

Official Documentation

Official Docs: