How do I HIDE the DELETE item in the LIST ACTIONS dropdown?

Tried adding a custom ACL to disallow DELETE as per

https://enricosimonetti.com/powerful-customisations-with-sugars-acl/

but this does NOT seem to work when I try it on Sugar 13.0.3

custom\Extension\modules\Contacts\Ext\Vardefs\acl.php

$dictionary['Contacts']['acls']['SugarACLDenyDelete'] = true;

custom\data\acl\SugarACLDenyDelete.php

class SugarACLDenyDelete extends SugarACLStrategy {
	// allowed user ids
    protected $user_ids_to_allow = array(
    );

    // denied actions: example was READ-ONLY, we want to deny only DELETE
    protected $denied_actions = array(
        //'edit',
        'delete',
        //'massupdate',
        //'import',
    );

    // our custom method to check permissions
    protected function _canUserWrite($context)
    {
        // retrieve user from context
        $user = $this->getCurrentUser($context);

        // allow only admin users or special users access
        if(/*$user->isAdmin() || */in_array($user->id, $this->user_ids_to_allow)) { //we DENY to ADMINS too
            return true;
        } else {
            return false;
        }
    }

    // runtime access check
    public function checkAccess($module, $view, $context)
    {
        $view = SugarACLStrategy::fixUpActionName($view);
        // if it is not a blocked action, or there is no bean, allow it
        if(!in_array($view, $this->denied_actions) || !isset($context['bean'])) {
            return true;
        }

        // can user write?
        if($this->_canUserWrite($context)) return true;

        // everyone else for everything else is denied
        return false;
    }

    // mostly for front-end access checks (cached on the application, per user)
    public function getUserAccess($module, $access_list = array(), $context = array())
    {
        // retrieve original ACL
        $acl = parent::getUserAccess($module, $access_list, $context);

        // if user can't write
        if(!$this->_canUserWrite($context)) {
            // override access, disable access where required if not admin and not special user
            foreach($acl as $access => $value) {
                if(in_array($access, $this->denied_actions)) {
                    $acl[$access] = 0;
                }
            }
        }

        // return modified acl
        return $acl;
    }
}

Can anyone point me to a way that works in v13+?

Parents
  • Hello  , 

    I didn't review all code of the SugarACLDenyDelete.php but there is a small issue on your vardef. 
    Instead of 'Contacts' it should read 'Contact': 

    $dictionary['Contact']['acls']['SugarACLDenyDelete'] = true;


    Can you change, run a QRR and let us know if that was the piece that was missing? 

    Cheers, 

    André 

  • Thanks, with that change the DELETE item is still in the menu, but when I try to select a contact and then DELETE it, a 403 error occurs and the contact is not deleted.

    Is there a way to tale the DELETE item out of the dropdown list so users can't even try?

  • Hello  , 

    Can you describe what you are trying to accomplish. 
    What are the conditions to hide the delete button in Contacts module? 


  • I want to stop users from being able to DELETE Contacts.

    So the "condition" is "always".

    (we have added a "hide" yes/no field to Contacts,, and the default filter will exclude Contacts with hide "yes")

    I thought that making the ACL return FALSE for the "acl_action" of the button would automatically HIDE it?

    I have managed to HIDE the DELETE button by REMOVING it from the LIST

    Made a file

    custom\modules\Contacts\clients\base\views\recordlist\recordlist.php

    which is a copy of

    modules\Contacts\clients\base\views\recordlist\recordlist.php

    but with the DELETE button commented out:

                /*array( // !!! DO NOT show DELETE option
                    'name' => 'massdelete_button',
                    'type' => 'button',
                    'label' => 'LBL_DELETE',
                    'acl_action' => 'delete',
                    'primary' => true,
                    'events' => array(
                        'click' => 'list:massdelete:fire',
                    ),
                ),*/

  • Hello  , 

    If you want to prevent user to delete Contacts. The best is to create a new Role "Disable Contact Deletion"



    And add all your users there. 
    This will prevent the Delete button to show up in Contacts for all the users except Admins and no code is needed. 

    Would this work for you? 

  • I would prefer a code only method, so we can easily implement this on STAGING and PRODUCTION by having the same code in place in both and running sugar_repair script.

  • Can you give it a try with these files: 

    custom/Extension/modules/Contacts/Ext/Vardefs/noDelete.php

    <?php
    $dictionary['Contact']['acls']['SugarACLRestrictDelete'] = true;
    


    custom/data/acl/SugarACLRestrictDelete.php

    <?php
    
    if (!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
    
    /**
     * Custom ACL to restrict delete capabilities for Contacts module to admins only
     */
    require_once('data/SugarACLStrategy.php');
    
    class SugarACLRestrictDelete extends SugarACLStrategy
    {
        /**
         * Check access method
         *
         * @param string $module
         * @param string $action
         * @param array $context
         * @return boolean
         */
        public function checkAccess($module, $action, $context)
        {
            global $current_user;
    
            // Apply this ACL only to the Contacts module
            if ($module !== 'Contacts') {
                return true;
            }
    
            // Allow all actions for admin users
            if ($current_user->isAdmin()) {
                return true;
            }
    
            // Restrict delete action for non-admin users
            if (strtolower($action) === 'delete') {
                return false;
            }
    
            // Allow other actions by default
            return true;
        }
    }
    ?>
    

    Seems to work for me locally. 

    I hope this helps 

    Cheers, 

  • Thanks, yes that code also stops the DELETE from working but the DELETE option still appears and trying to DELETE gives the same ERROR popups.

    So I still need a custom RecordList definition without the DELETE item.

  • Hello  , 

    That is weird.

    You can check the video bellow that shows how it works on a stock installation, by default if permissions for deletion are removed the Delete button will not appear (List View, Record View ). 
    Would you mind running a QRR and clear the cache/ folder just to double check

     

    If the button still shows, perhaps you are referencing a custom button that was added to the instance.? 

    Would you mind sharing a print screen of the button that you are referring to? 

    Many thanks

    André 




Reply
  • Hello  , 

    That is weird.

    You can check the video bellow that shows how it works on a stock installation, by default if permissions for deletion are removed the Delete button will not appear (List View, Record View ). 
    Would you mind running a QRR and clear the cache/ folder just to double check

     

    If the button still shows, perhaps you are referencing a custom button that was added to the instance.? 

    Would you mind sharing a print screen of the button that you are referring to? 

    Many thanks

    André 




Children
  • I tried deleting the CACHE folder and doing another repair.

    I still see the DELETE option in the dropdown on the LIST page.

    I also see the DELETE option on the dropdown on the DETAIL page.

    We have a custom API which handles the DELETE by throwing an EXCEPTION (instead of just doing the delete!) which then shows a message to the user saying "don't delete, HIDE the Contact instead"

    So we're not worried about that DELETE option still appearing. though it sounds like that should not be showing either.

    With the custom RECORDLIST without the DELETE button at all we get

    so no DELETE option here

  • Hello  , 

    I still believe that the buttons shouldn't be showing up after restricting the ACL, especially given this parameter in the button definition:

    'acl_action' => 'delete',

    I'm not sure why or how it's appearing in the screenshot you shared—are you using an admin user or perhaps a user with admin access to Contacts?

    If you'd like, feel free to send me a message, and I'd be happy to help you figure out why this might not be working as expected.

    By the way, just a quick tip: if you restrict DELETE via ACL, you don’t need to add a custom exception. Sugar will automatically prevent deletions through the API endpoint as well.

    Hope this helps!

    Cheers,
    André