Restrict Access to an action-view

Hey there, let me start with a scenario first.

I have an action-view "team.tasks.all".

This is linked to a menu item "All Tasks" which, when clicked, redirects to all the tasks in Axelor.

My problem is, after I removed "All Tasks" from the user's menu, if I type the link containing the action-view name manually ("http://localhost:8080/#/ds/team.tasks.all/list/1") in the browser, the user is still able to access the page, which I would want to prevent since it shows tasks that are from other companies and projects the user is not involved in.

What would be the best way to go around this?

Digging around, I suspect I may need to modify permissions, but I'm not quite sure how to go about it.

I suspect this is the permission (if this is indeed the right direction) that is involved.

However, I fear that if I modify or remove this permission, it would affect the viewing of other tasks, such as the ones where the user is indeed involved.

Another option is to delete the action-view itself, but I might lose the ability to view all tasks as an admin.

What is the best way to restrict access to an action-view

I've encountered a similar security problem from pasting URLs in the same way as this. If a URL is pasted by a user without the permission to view that particular record or item by clicking through the UI, I believe it is possible to access the item.

If I find a solution I’ll be in touch as it might help.

True, I felt it too.

I think the solution could be in refining the permissions further to have more conditions. The problem is I am not too versed in making custom permissions and have only been using the already existing ones. I'm hoping someone who has played around with custom permissions could enlighten us.

The problem you mentioned above is some kind of bug, like it should protect it by default.

Has anyone found a solution for it yet?

Apparently I was already staring at the answer the whole time. This is the permission needed to restrict the user to viewing only the tasks he is allowed to (if the rule is that you can only open tasks wherein you're a project member). Even if you type the link to tasks outside your projects, you won't be able to view them.

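The outcome described in this thread, as an added example that is not part of the original posts and is not Axelor code: a generic Python model showing why removing a menu item leaves a typed URL working, while a record-level read rule (project membership) blocks both the list and the direct fetch and still lets an admin see everything. All names (`Task`, `User`, `can_read`, `list_tasks`, `get_task`) and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Task:
    id: int
    name: str
    project: str

@dataclass
class User:
    name: str
    projects: set = field(default_factory=set)  # projects the user is a member of
    menus: set = field(default_factory=set)     # menu items shown in the UI
    is_admin: bool = False

# Constructed sample data.
TASKS = [Task(1, "Audit firewall", "alpha"), Task(2, "Rotate keys", "beta"),
         Task(3, "Patch CI", "alpha")]

def can_read(user, task):
    """Record-level rule: admins read everything, others only their projects' tasks."""
    return user.is_admin or task.project in user.projects

def list_tasks(user, enforce=True):
    """Data behind the 'all tasks' view. user.menus is deliberately never consulted:
    a typed URL reaches this path whether or not the menu item is visible."""
    return [t for t in TASKS if not enforce or can_read(user, t)]

def get_task(user, task_id, enforce=True):
    """Direct fetch by id, as when a record URL is pasted into the browser."""
    task = next((t for t in TASKS if t.id == task_id), None)
    if task is None:
        raise KeyError(task_id)
    if enforce and not can_read(user, task):
        raise PermissionError(f"{user.name} may not read task {task_id}")
    return task

def demo():
    alice = User("alice", projects={"alpha"}, menus=set())  # 'All Tasks' menu removed
    admin = User("admin", is_admin=True, menus={"All Tasks"})
    menu_hidden_only = [t.id for t in list_tasks(alice, enforce=False)]
    with_rule = [t.id for t in list_tasks(alice)]
    try:
        get_task(alice, 2)
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    return menu_hidden_only, with_rule, direct, [t.id for t in list_tasks(admin)]

if __name__ == "__main__":
    print(demo())
```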