Only allow certain users to edit triggers

Any user with the PM_FACTORY permission in her role can edit triggers. This means that these users can write triggers that call the executeQuery() function, which can read from or write to the database. ProcessMaker's core tables and PM Tables can be protected in version 3.0.1.8 and later, but that doesn't stop users from reading those tables or calling ProcessMaker's internal classes.

To allow only certain users to edit triggers, open the source code file workflow/engine/src/ProcessMaker/BusinessModel/Trigger.php in a plain text editor (like Geany or Notepad++) and change lines 148-150 from:

    public function saveTrigger($sProcessUID = '', $dataTrigger = array(), $create = false, $sTriggerUid = '')
    {
        if ( ($sProcessUID == '') || (count($dataTrigger) == 0) ) {

To:

    public function saveTrigger($sProcessUID = '', $dataTrigger = array(), $create = false, $sTriggerUid = '')
    {
        // Only the user IDs (USR_UID) listed here may save triggers.
        $aAllowedUsers = ['00000000000000000000000000000001', '4017955525d07ebd4ad06d2025843469'];
        // Third argument true: compare the IDs strictly as strings, not as numbers.
        if (!in_array($this->getUserId(), $aAllowedUsers, true)) {
            throw new \Exception("User not allowed to create triggers");
        }

        if ( ($sProcessUID == '') || (count($dataTrigger) == 0) ) {

Set the array ['00000000000000000000000000000001', '4017955525d07ebd4ad06d2025843469'] to the IDs of users who are allowed to edit triggers. The IDs of these users can be found in the wf_<workspace>.USERS.USR_UID field in the database or by looking at the USER_LOGGED system variable in Debug Mode.

Unfortunately, this change won't explain to the user why she can't edit the trigger: when she tries to save a trigger, only an "Error" message will appear.
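The following is an added example, not ProcessMaker code: a standalone PHP script showing how an allowlist check on 32-character user IDs behaves under loose and strict comparison, and when no user ID is available. The helper name isTriggerEditor(), the assumption that USR_UID values are 32 lowercase hexadecimal characters, and the sample IDs marked as constructed are not from the original page.

```php
<?php
// Added example: standalone sketch, not ProcessMaker source.
// isTriggerEditor() is a hypothetical helper name.

/**
 * Return true only if $userUid is a well-formed 32-character UID that
 * appears in the allowlist. Null, empty or malformed values are denied.
 * Assumption: USR_UID values are 32 lowercase hexadecimal characters.
 */
function isTriggerEditor($userUid, array $allowedUids)
{
    if (!is_string($userUid) || !preg_match('/^[0-9a-f]{32}$/', $userUid)) {
        return false; // fail closed when there is no usable user ID
    }
    // Third argument true: compare as strings (===), never as numbers.
    return in_array($userUid, $allowedUids, true);
}

// The two UIDs shown on this page.
$allowed = ['00000000000000000000000000000001', '4017955525d07ebd4ad06d2025843469'];

// Constructed UID that is not on the list. Under loose comparison PHP treats
// it as the numeric string 1e0, which equals the number 1 of the first entry.
$lookalike = '000000000000000000000000000001e0';

// Constructed test cases.
$cases = [
    'listed admin UID'       => '00000000000000000000000000000001',
    'constructed look-alike' => $lookalike,
    'constructed other user' => '9f8e7d6c5b4a39281706f5e4d3c2b1a0',
    'no user ID (null)'      => null,
];

foreach ($cases as $label => $uid) {
    $loose  = in_array($uid, $allowed);          // loose comparison (==)
    $strict = isTriggerEditor($uid, $allowed);   // format check + strict (===)
    printf("%-24s loose=%-5s strict=%s\n", $label,
        var_export($loose, true), var_export($strict, true));
}
```

The look-alike row is the only one where the two columns differ, which is why the third argument to in_array() matters for ID allowlists.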