Thread Details
  • State Not Answered
  • Replies 12 replies
  • Subscribers 377 subscribers
  • Views 2122 views
  • Users 0 members are here
Forum Actions
Related

How do I HIDE the DELETE item in the LIST ACTIONS dropdown?

Acuitus

Tried adding a custom ACL to disallow DELETE as per

https://enricosimonetti.com/powerful-customisations-with-sugars-acl/

but this does NOT seem to work when I try it on Sugar 13.0.3

custom\Extension\modules\Contacts\Ext\Vardefs\acl.php

$dictionary['Contacts']['acls']['SugarACLDenyDelete'] = true;

custom\data\acl\SugarACLDenyDelete.php

class SugarACLDenyDelete extends SugarACLStrategy {
	// allowed user ids
    protected $user_ids_to_allow = array(
    );

    // denied actions: example was READ-ONLY, we want to deny only DELETE
    protected $denied_actions = array(
        //'edit',
        'delete',
        //'massupdate',
        //'import',
    );

    // our custom method to check permissions
    protected function _canUserWrite($context)
    {
        // retrieve user from context
        $user = $this->getCurrentUser($context);

        // allow only admin users or special users access
        if(/*$user->isAdmin() || */in_array($user->id, $this->user_ids_to_allow)) { //we DENY to ADMINS too
            return true;
        } else {
            return false;
        }
    }

    // runtime access check
    public function checkAccess($module, $view, $context)
    {
        $view = SugarACLStrategy::fixUpActionName($view);
        // if it is not a blocked action, or there is no bean, allow it
        if(!in_array($view, $this->denied_actions) || !isset($context['bean'])) {
            return true;
        }

        // can user write?
        if($this->_canUserWrite($context)) return true;

        // everyone else for everything else is denied
        return false;
    }

    // mostly for front-end access checks (cached on the application, per user)
    public function getUserAccess($module, $access_list = array(), $context = array())
    {
        // retrieve original ACL
        $acl = parent::getUserAccess($module, $access_list, $context);

        // if user can't write
        if(!$this->_canUserWrite($context)) {
            // override access, disable access where required if not admin and not special user
            foreach($acl as $access => $value) {
                if(in_array($access, $this->denied_actions)) {
                    $acl[$access] = 0;
                }
            }
        }

        // return modified acl
        return $acl;
    }
}

Can anyone point me to a way that works in v13+?

  • 0 Sugar Employee Badge

    Hello  , 

    I didn't review all code of the SugarACLDenyDelete.php but there is a small issue on your vardef. 
    Instead of 'Contacts' it should read 'Contact': 

    $dictionary['Contact']['acls']['SugarACLDenyDelete'] = true;


    Can you change, run a QRR and let us know if that was the piece that was missing? 

    Cheers, 

    André 

  • 0 in reply to Andre Serrazina

    Thanks, with that change the DELETE item is still in the menu, but when I try to select a contact and then DELETE it, a 403 error occurs and the contact is not deleted.

    Is there a way to tale the DELETE item out of the dropdown list so users can't even try?

  • 0 Sugar Employee Badge in reply to Acuitus

    Hello  , 

    Can you describe what you are trying to accomplish. 
    What are the conditions to hide the delete button in Contacts module? 


  • 0 in reply to Andre Serrazina

    I want to stop users from being able to DELETE Contacts.

    So the "condition" is "always".

    (we have added a "hide" yes/no field to Contacts,, and the default filter will exclude Contacts with hide "yes")

    I thought that making the ACL return FALSE for the "acl_action" of the button would automatically HIDE it?

    I have managed to HIDE the DELETE button by REMOVING it from the LIST

    Made a file

    custom\modules\Contacts\clients\base\views\recordlist\recordlist.php

    which is a copy of

    modules\Contacts\clients\base\views\recordlist\recordlist.php

    but with the DELETE button commented out:

                /*array( // !!! DO NOT show DELETE option
                'name' => 'massdelete_button',
                'type' => 'button',
                'label' => 'LBL_DELETE',
                'acl_action' => 'delete',
                'primary' => true,
                'events' => array(
                    'click' => 'list:massdelete:fire',
                ),
            ),*/

  • 0 Sugar Employee Badge in reply to Acuitus

    Hello  , 

    If you want to prevent user to delete Contacts. The best is to create a new Role "Disable Contact Deletion"



    And add all your users there. 
    This will prevent the Delete button to show up in Contacts for all the users except Admins and no code is needed. 

    Would this work for you? 

  • 0 in reply to Andre Serrazina

    I would prefer a code only method, so we can easily implement this on STAGING and PRODUCTION by having the same code in place in both and running sugar_repair script.

  • 0 Sugar Employee Badge in reply to Acuitus

    Can you give it a try with these files: 

    custom/Extension/modules/Contacts/Ext/Vardefs/noDelete.php

    <?php
$dictionary['Contact']['acls']['SugarACLRestrictDelete'] = true;


    custom/data/acl/SugarACLRestrictDelete.php

    <?php

if (!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');

/**
 * Custom ACL to restrict delete capabilities for Contacts module to admins only
 */
require_once('data/SugarACLStrategy.php');

class SugarACLRestrictDelete extends SugarACLStrategy
{
    /**
     * Check access method
     *
     * @param string $module
     * @param string $action
     * @param array $context
     * @return boolean
     */
    public function checkAccess($module, $action, $context)
    {
        global $current_user;

        // Apply this ACL only to the Contacts module
        if ($module !== 'Contacts') {
            return true;
        }

        // Allow all actions for admin users
        if ($current_user->isAdmin()) {
            return true;
        }

        // Restrict delete action for non-admin users
        if (strtolower($action) === 'delete') {
            return false;
        }

        // Allow other actions by default
        return true;
    }
}
?>

    Seems to work for me locally. 

    I hope this helps 

    Cheers, 

  • 0 in reply to Andre Serrazina

    Thanks, yes that code also stops the DELETE from working but the DELETE option still appears and trying to DELETE gives the same ERROR popups.

    So I still need a custom RecordList definition without the DELETE item.

  • 0 Sugar Employee Badge in reply to Acuitus

    Hello  , 

    That is weird.

    You can check the video bellow that shows how it works on a stock installation, by default if permissions for deletion are removed the Delete button will not appear (List View, Record View ). 
    Would you mind running a QRR and clear the cache/ folder just to double check

     

    If the button still shows, perhaps you are referencing a custom button that was added to the instance.? 

    Would you mind sharing a print screen of the button that you are referring to? 

    Many thanks

    André 




  • 0 in reply to Andre Serrazina

    I tried deleting the CACHE folder and doing another repair.

    I still see the DELETE option in the dropdown on the LIST page.

    I also see the DELETE option on the dropdown on the DETAIL page.

    We have a custom API which handles the DELETE by throwing an EXCEPTION (instead of just doing the delete!) which then shows a message to the user saying "don't delete, HIDE the Contact instead"

    So we're not worried about that DELETE option still appearing. though it sounds like that should not be showing either.

    With the custom RECORDLIST without the DELETE button at all we get

    so no DELETE option here