Name

sn_hr_er.er_CaseAccessBase

Description

Base class of methods used for Employee Relations Case access. Edit script include er_CaseAccess to override specific methods or add custom functionality.

Script

// Class shell built with Class.create(). The prototype carries no instance
// behaviour: every access check in this script include is attached to the
// constructor object itself and is called statically.
var er_CaseAccessBase = Class.create();
er_CaseAccessBase.prototype = {
  initialize: function() {},
  type: 'er_CaseAccessBase'
};

// One er_SecurityUtils instance, created when this script is evaluated and
// reused by the static checks for the locked-case and
// opened-for/subject-person lookups.
er_CaseAccessBase.securityUtils = new sn_hr_er.er_SecurityUtils();

/**
 * Decide whether the current user may read an ER task record.
 *
 * Role path: all three must hold. The user has the ER case reader role,
 * canAccessParentCase() allows reading the task's parent case, and
 * securityUtils.isOpenedForOrSubjectPerson(gr.parent) is false. Failing any
 * of them does not deny access by itself; the decision is then handed to
 * _hasAssignedAccess().
 *
 * NOTE(review): canAccessParentCase() returns true for an empty parent id, so
 * for a task without a parent the role path rests on the role and the
 * opened-for/subject-person check alone. Confirm that is intended.
 *
 * @param {GlideRecord} gr The task to be tested against
 * @return {Boolean} True if the current user can read the given task
 */
er_CaseAccessBase.canReadTask = function(gr) {
  var roleGrantsRead = er_CaseAccessBase.hasReaderRole() &&
    er_CaseAccessBase.canAccessParentCase(gr.getValue('parent'), true) &&
    !er_CaseAccessBase.securityUtils.isOpenedForOrSubjectPerson(gr.parent);

  if (roleGrantsRead) {
    return true;
  }

  // Not granted by role: fall back to an explicit grant on the task itself.
  return er_CaseAccessBase._hasAssignedAccess(gr);
};

/**
 * Decide whether the current user may write an ER task record.
 *
 * Role path: the user has the ER case writer role, canAccessParentCase()
 * allows writing the task's parent case, and
 * securityUtils.isOpenedForOrSubjectPerson(gr.parent) is false. When the role
 * path does not grant access the decision is handed to _hasAssignedAccess().
 *
 * That fallback is the same one canReadTask() uses, so whoever it admits
 * (assignment-group member, watch-list entry, assignee, delegate) gets edit
 * access as well as read access.
 *
 * @param {GlideRecord} gr The task to be tested against
 * @return {Boolean} True if the current user can write the given task
 */
er_CaseAccessBase.canEditTask = function(gr) {
  var roleGrantsWrite = er_CaseAccessBase.hasWriterRole() &&
    er_CaseAccessBase.canAccessParentCase(gr.getValue('parent'), false) &&
    !er_CaseAccessBase.securityUtils.isOpenedForOrSubjectPerson(gr.parent);

  if (roleGrantsWrite) {
    return true;
  }

  // Not granted by role: fall back to an explicit grant on the task itself.
  return er_CaseAccessBase._hasAssignedAccess(gr);
};

/**
 * Whether the current user was granted explicit access to the task record.
 *
 * Four independent grants are tried in order and the first hit wins:
 * assignment-group membership, presence in the watch list, being the
 * assignee, and (only when the granular service delegation plugin is active)
 * the record being delegated to the user. No role is required for any of them.
 *
 * @param {GlideRecord} gr The task to be tested against
 * @return {Boolean} True if the current user has explicit access to the task record
 */
er_CaseAccessBase._hasAssignedAccess = function (gr) {
  var currentUser = gs.getUserID();

  return !!(
    // Member of the task's assignment group.
    (!gs.nil(gr.assignment_group) &&
      new global.HRSecurityUtils().isMemberOfGroup(currentUser, gr.assignment_group.toString())) ||

    // Listed in the watch list. This is a substring test on the field value.
    // NOTE(review): assumes the field holds a list of user sys_ids - confirm.
    (!gs.nil(gr.watch_list) && gr.watch_list.indexOf(currentUser) > -1) ||

    // Assigned to the user. Loose equality is kept on purpose: the left side
    // is the record's field value, not necessarily a plain string.
    (!gs.nil(gr.assigned_to) && gr.assigned_to == currentUser) ||

    // Delegated to the user; consulted only while the delegation plugin is active.
    (GlidePluginManager().isActive('com.glide.granular_service_delegation') &&
      new sn_delegation.DelegationUtil().isRecordDelegatedToUser(currentUser, gr))
  );
};

/**
 * Decide whether the current user may read a case record.
 *
 * The lock is the first gate: a case whose 'locked' value parses to a
 * non-zero number is refused unless securityUtils.canSeeLockedCase() allows
 * it. Only then are the role/relationship checks (canReadCase) and the
 * parent-case checks (canReadParent) consulted.
 *
 * @param {GlideRecord} gr The case to be tested against
 * @return {Boolean} True if the current user can read the given case
 */
er_CaseAccessBase.canReadCaseRecord = function(gr) {
  var lockedFlag = parseInt(gr.getValue('locked'));
  if (lockedFlag && !er_CaseAccessBase.securityUtils.canSeeLockedCase(gr)) {
    return false;
  }

  // 'true' tells canReadCase the lock has been dealt with above.
  var grantedOnCase = er_CaseAccessBase.canReadCase(gr, true);
  if (grantedOnCase) {
    return grantedOnCase;
  }
  return er_CaseAccessBase.canReadParent(gr);
};

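/**
 * Decide whether the current user may read a case through role, subject-person
 * or edit-level access.
 *
 * When checkedLockAccess is falsy the lock is enforced here before anything
 * can grant access. Previously only canEditCase() looked at the flag, so a
 * caller that had not checked the lock could still get true from the
 * reader-role/policy path or the subject-person path on a locked case.
 * Callers that pass true (canReadCaseRecord does) see no change.
 *
 * @param {GlideRecord} gr                The case to be tested against
 * @param {Boolean}     checkedLockAccess True if lock access has already been checked
 * @return {Boolean}                      True if the current user can read the given case
 */
er_CaseAccessBase.canReadCase = function(gr, checkedLockAccess) {
  // Same lock test canReadCaseRecord() and canEditCase() apply.
  if (!checkedLockAccess && parseInt(gr.getValue('locked'), 10) && !er_CaseAccessBase.securityUtils.canSeeLockedCase(gr)) {
    return false;
  }

  // Remember a failed READ policy so the writer-role path in canEditCase()
  // is not used to get around it.
  var failedRead = false;
  if (er_CaseAccessBase.hasReaderRole()) {
    if (er_CaseAccessBase.checkPolicy(gr, sn_hr_core.hr_SecurityUtils.READ)) {
      return true;
    }
    failedRead = true;
  }

  // The lock has been handled by now, either by the caller or above, so
  // canEditCase() is told not to repeat the check.
  return sn_hr_core.hr_Case.userHasSubjectPersonAccess(gr) || er_CaseAccessBase.canEditCase(gr, failedRead, true);
};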

/**
 * Check if the current user can edit the given case.
 *
 * Order of evaluation:
 *   1. A new record, or one whose sys_id value is null, is always editable.
 *      This returns before the lock, role and policy checks.
 *   2. Unless the caller has already checked the lock, a locked case is
 *      refused when securityUtils.canSeeLockedCase() says no.
 *   3. Writer role plus a passing WRITE policy, skipped when the caller
 *      reports a failed read policy.
 *   4. Relationship grants that need no role: opened_by, opened_for and the
 *      watch list. Then collaborator access.
 *
 * @param {GlideRecord} gr                The case to be tested against
 * @param {Boolean}     failedReadPolicy  True if the user failed read policies for the case
 * @param {Boolean}     checkedLockAccess True if lock access has already been checked
 * @return {Boolean}                      True if the current user can edit the case
 */
er_CaseAccessBase.canEditCase = function(gr, failedReadPolicy, checkedLockAccess) {
  if (gr.isNewRecord() || gr.getValue('sys_id') === null) {
    return true;
  }

  if (!checkedLockAccess && parseInt(gr.getValue('locked')) && !(er_CaseAccessBase.securityUtils.canSeeLockedCase(gr))) {
    return false;
  }

  var currentUser = gs.getUserID();

  var writerMayTryPolicy = er_CaseAccessBase.hasWriterRole() && !failedReadPolicy;
  if (writerMayTryPolicy && er_CaseAccessBase.checkPolicy(gr, sn_hr_core.hr_SecurityUtils.WRITE)) {
    return true;
  }

  return !!(
    // The user who opened the case.
    (!gs.nil(gr.opened_by) && gr.opened_by == currentUser) ||

    // The user the case was opened for.
    (!gs.nil(gr.opened_for) && gr.opened_for == currentUser) ||

    // A user in the watch list field (substring test on the field value).
    (!gs.nil(gr.watch_list) && gr.watch_list.indexOf(currentUser) > -1) ||

    // A user in the collaborator list field.
    er_CaseAccessBase.hasCollaboratorAccess(gr, currentUser)
  );
};

/**
 * Whether the current user has the ER case reader role.
 *
 * Delegates to hr_Utils.checkUserHasRole() with the role name
 * 'sn_hr_er.case_reader' and returns its result unchanged.
 *
 * @return {Boolean} True if the current user has the ER case reader role
 */
er_CaseAccessBase.hasReaderRole = function() {
  var hrUtils = new sn_hr_core.hr_Utils();
  return hrUtils.checkUserHasRole('sn_hr_er.case_reader');
};

/**
 * Whether the current user has the ER case writer role.
 *
 * Delegates to hr_Utils.checkUserHasRole() with the role name
 * 'sn_hr_er.case_writer' and returns its result unchanged.
 *
 * @return {Boolean} True if the current user has the ER case writer role
 */
er_CaseAccessBase.hasWriterRole = function() {
  var hrUtils = new sn_hr_core.hr_Utils();
  return hrUtils.checkUserHasRole('sn_hr_er.case_writer');
};

/**
 * Check if the current user has policy access to a given case for a given
 * operation.
 *
 * Thin wrapper: the decision is made by hr_SecurityUtils.getCoeSecurityPolicy()
 * and returned unchanged. Callers in this script pass
 * sn_hr_core.hr_SecurityUtils.READ or sn_hr_core.hr_SecurityUtils.WRITE.
 *
 * @param {GlideRecord} gr        The case to be tested against
 * @param {String}      operation read or write
 * @return {Boolean}              True if the current user has policy access to the case
 */
er_CaseAccessBase.checkPolicy = function(gr, operation) {
  var policyUtils = new sn_hr_core.hr_SecurityUtils();
  return policyUtils.getCoeSecurityPolicy(gr, operation);
};

/**
 * Check if the current user has access to the case via the parent case.
 *
 * Access is granted when the user is the parent's opened_for or opened_by,
 * appears in the parent's watch list, or has collaborator access on the
 * parent. A case with no parent yields false.
 *
 * NOTE(review): only those four relationships are looked at here; the
 * parent's own 'locked' value is not read in this function. Confirm the
 * caller's lock check on the child case is meant to be sufficient.
 *
 * @param {GlideRecord} gr The case to be tested against
 * @return {Boolean}       True if the current user has parent access to the case
 */
er_CaseAccessBase.canReadParent = function(gr) {
  var parentCase = gr.parent;
  var currentUser = gs.getUserID();

  if (gs.nil(parentCase)) {
    return false;
  }

  if (parentCase.opened_for == currentUser) {
    return true;
  }
  if (parentCase.opened_by == currentUser) {
    return true;
  }
  // Substring test on the watch list's string value.
  if (parentCase.watch_list.toString().indexOf(currentUser) >= 0) {
    return true;
  }
  return er_CaseAccessBase.hasCollaboratorAccess(parentCase, currentUser);
};

/**
 * Check if the current user can read or write the secondary ER record's
 * parent case.
 *
 * An empty caseId returns true: with no parent to consult, this check does
 * not restrict the caller. A caseId that cannot be loaded from sn_hr_er_case
 * returns false. Otherwise the answer is the loaded record's own canRead()
 * or canWrite().
 *
 * @param {String}  caseId       sys_id of the parent case
 * @param {Boolean} readNotWrite True if testing read, false if testing write
 * @return {Boolean}             True if the parent case can be found and accessed by the current user
 */
er_CaseAccessBase.canAccessParentCase = function (caseId, readNotWrite) {
  if (!caseId) {
    return true;
  }

  var parentCase = new GlideRecord('sn_hr_er_case');
  if (!parentCase.get(caseId)) {
    // Parent id given but no such case was loaded: deny.
    return false;
  }

  return readNotWrite ? parentCase.canRead() : parentCase.canWrite();
};

/**
 * Check if a user belongs to the collaborator list of a case and the writer
 * role check passes.
 *
 * Being listed is not enough on its own: hasWriterRole() must also succeed.
 * NOTE(review): hasWriterRole() takes no user argument, so it presumably
 * evaluates the session user rather than 'user'. Callers in this script pass
 * gs.getUserID(), which keeps the two aligned.
 *
 * @param {GlideRecord} caseGr Record of the case whose collaborators field is read
 * @param {String}      user   sys_id of the user to look for in the collaborators
 * @return {Boolean}           True if the user is one of the collaborators and the writer role check passes
 */
er_CaseAccessBase.hasCollaboratorAccess = function(caseGr, user) {
  if (gs.nil(caseGr.collaborators)) {
    return false;
  }

  // Substring test on the collaborators field value.
  var isListed = caseGr.collaborators.indexOf(user) > -1;
  if (!isListed) {
    return false;
  }

  return er_CaseAccessBase.hasWriterRole();
};


/**
 * Whether the current user is impersonating, and whether it matters.
 *
 * Thin wrapper: the result of hr_CoreUtils.impersonateCheck() is returned
 * unchanged.
 *
 * @return {Boolean} is user impersonating + is the impersonation property on
 */
er_CaseAccessBase.impersonateCheck = function() {
  var coreUtils = new sn_hr_core.hr_CoreUtils();
  return coreUtils.impersonateCheck();
};

Sys ID

c989ded3ff630010a9e7faf9453bf15c

Official Documentation

Official Docs: