
@esimonetti
Last active November 30, 2023 03:49
SugarCRM v7 - Default a module to Read only through ACL's customisation - Reach out for SugarCRM consulting: https://www.naonis.tech/services/sugar-crm.html
<?php
// filename: custom/Extension/modules/MyCustomModule/Ext/Vardefs/acl.php
//
// Sets the 'SugarACLReadOnly' entry of this module's 'acls' vardef to true.
// NOTE(review): 'MyCustomModule' looks like a placeholder for the real module key - confirm.
// The key 'SugarACLReadOnly' presumably has to match the name of the ACL strategy class
// that enforces the restriction; verify that class is deployed before enabling this entry.
$dictionary['MyCustomModule']['acls']['SugarACLReadOnly'] = true;
<?php
//
// Enrico Simonetti
// enricosimonetti.com
//
// 2015-09-10 on Sugar 7.6.0.0
// filename: custom/data/acl/SugarACLReadOnly.php
//
// Read only ACL except for Admin users and specific user ids
//
// Changes to this class might require clearing the user's browser storage and cache before they take effect.
//
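class SugarACLReadOnly extends SugarACLStrategy
{
    // Ids of non-admin users that keep write access.
    // Entries are compared as strings against the current user's id.
    protected $user_ids_to_allow = array(
    );

    // Action names that are refused to everyone who is not allowed to write.
    // checkAccess() compares them against the result of fixUpActionName().
    protected $denied_actions = array(
        'edit',
        'delete',
        'massupdate',
        'import',
    );

    // Decide whether the user found in $context may perform the denied actions.
    //
    // $context: ACL context array, passed on to getCurrentUser().
    // Returns true for admin users and for ids listed in $user_ids_to_allow,
    // false for everyone else, including the case where no user is resolved.
    protected function _canUserWrite($context)
    {
        $user = $this->getCurrentUser($context);

        // Fail closed: without a user object there is nothing to grant write
        // access to, and calling isAdmin() on an empty value would be fatal.
        if (empty($user)) {
            return false;
        }

        if ($user->isAdmin()) {
            return true;
        }

        // Strict string comparison, so PHP's loose type juggling can never
        // make an id match an unrelated allow-list entry.
        $allowed_ids = array_map('strval', $this->user_ids_to_allow);

        return in_array((string) $user->id, $allowed_ids, true);
    }

    // Runtime access check.
    //
    // $module:  module name (not used by this strategy).
    // $view:    requested action, normalised through fixUpActionName().
    // $context: ACL context array; 'bean' is the record being accessed, when set.
    // Returns true when access is allowed, false when it is denied.
    public function checkAccess($module, $view, $context)
    {
        $view = SugarACLStrategy::fixUpActionName($view);

        // Actions outside the deny list are never restricted by this strategy.
        if (!in_array($view, $this->denied_actions, true)) {
            return true;
        }

        // NOTE(review): a denied action requested without a bean in the context
        // is allowed for every user, so this check is not enforced for calls
        // that pass no record. Confirm that this is intended for module-level
        // operations, and that getUserAccess() is not the only thing hiding them.
        if (!isset($context['bean'])) {
            return true;
        }

        // Denied action on a concrete record: only writers get through.
        return $this->_canUserWrite($context);
    }

    // Mostly for front-end access checks (cached on the application, per user).
    //
    // Takes the access map built by the parent strategy and sets every denied
    // action to 0 when the user is not allowed to write.
    //
    // $module:      module name, passed on to the parent.
    // $access_list: access map to start from, passed on to the parent.
    // $context:     ACL context array.
    // Returns the access map, with denied actions zeroed for read-only users.
    public function getUserAccess($module, $access_list = array(), $context = array())
    {
        $acl = parent::getUserAccess($module, $access_list, $context);

        if ($this->_canUserWrite($context)) {
            return $acl;
        }

        foreach (array_keys($acl) as $access) {
            // Strict comparison: an integer key must not loosely match an action name.
            if (in_array($access, $this->denied_actions, true)) {
                $acl[$access] = 0;
            }
        }

        return $acl;
    }
}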