search

microsoft / AL

Home of the Dynamics 365 Business Central AL Language extension for Visual Studio Code. Used to track issues regarding the latest version of the AL compiler and developer tools available in the Visual Studio Code Marketplace or as part of the AL Developer Preview builds for Dynamics 365 Business Central.
MIT License
722 stars 242 forks source link

AccessByPermission in combination with excluded permissions #7665

Open ptrk-tr opened 5 months ago

ptrk-tr commented 5 months ago

Hi, not sure if this is a bug in itself or just me missing the knowledge. If this is not the proper repository for this issue, please send me the correct way, thanks!

1. Describe the bug The AccessByPermission property is not behaving as expected in the following combination. If I have two permission sets, let's call them A and B: A: allow read all on tabledata grafik

B: include permission set A and then exclude Modify, Insert and Delete permissions on a specific table. grafik

Assign B to a user and let the user navigate to a page where an action is shown based on the property AccessByPermission with the following syntax:

AccessByPermission = tabledata "TheSpecificTable" = RIMD;

To the best of my knowledge the action should not be visible to the user, as they don't have IMD on the table (excluded in permission set B). Instead the action is visible for the user as if only the R permission is being checked.

Removing the R from the AccessByPermission property yields the expected result of the action not being visible to the user, as IMD permissions have been excluded in Permission Set B.

2. To Reproduce Steps to reproduce the behavior:

  1. Create two Permission Sets (A and B), set A to give read permissions on every table. Set B to include Permission Set A and exclude a specific table.
  2. Assign Permission Set B to a user.
  3. Create an action on a page with the AccessByPermission property set to RIMD of the specific table excluded in Permission Set B.
  4. Navigate to the page with the action as the user that has Permission Set B assigned.
  5. See that the action is visible to you, even though you don't have IMD permissions on the table specified in the AccessByPermission property.
AL code snippet that demonstrates the issue or a link to a code repository the developers can easily pull down to recreate the issue locally.

action(IShouldNotBeVisible)
{
    Caption = 'AccessByPermission Issue';
    ToolTip = 'I should not be visible to you, as you don''t have permissions.';
    ApplicationArea = All;
    AccessByPermission = tabledata "Random Table For Demo Purp." = RIMD;
    Image = TestDatabase;

    trigger OnAction()
    begin

    end;
}

3. Expected behavior The action should not be visible as the user has no IMD permissions on the table specified in the AccessByPermission property.

4. Actual behavior The action is visible.

5. Versions:

kalberes commented 5 months ago

It is not for this repo. But I will take it for triage