Javascript after cell change not running for non-admins

Issue #592 closed
Daniel Miller created an issue

We have a custom javascript that is executed after a cell change in a view widget. This javascript runs a process that then runs a TM1py script to take the text entered in the cell, and create a notation in a correlated numerical cell. The annotation uses incognito mode to record the annotation as the user running the process/changing the cell, unless the user is an admin, which loads the annotation with the service account.

This feature works in our non-production environment for admins and non-admins. However, in production, this is only working for admins. When a non-admin enters data in the cell, nothing else happens. But when we have the user test running the process with the same parameters, the annotation records under that user’s ID as expected.

This leads us to believe that the issue is with the javascript functionality. But we’ve confirmed the javascript is the same in both environments, and we don’t see any security layer for the javascript functionality.

Is there some reason why the javascript would not work for non-admins in our production environment?

Comments (3)

  1. Scott Wiltshire
    • changed status to open

    Hi Daniel, Apliqo doesn't impose any restrictions on running javascript functions. Any javascript set to run on an event should run for all users regardless of role in the TM1 server.

    If it is working in one environment and not the other for non-admin users and in both environments for admin users then it sounds like you have a difference in TM1 permissions somewhere along the chain.

    The execution chain does sound quite complicated. If I understood correctly:

    1. js function is used to run a TI process
    2. TI process uses ExecuteCommand to run a py script
    3. py script authenticates with a fixed admin service account. If the user context (presumably passed as a parameter from the TI to the py script) is non-admin then the py script impersonates the user. If admin it continues as the service account
    4. the py script reads the comment entered in the comment cube and duplicates the comment as an annotation

    This does seem a bit more complicated than necessary:

    1. why not have the js function do the REST call directly to update the annotations? (Reason most likely lack of js coding expertise?)
    2. why not have TI process update the annotation directly and at least cut out the tm1py layer? (Necessary to parse some json in TI but not that complicated as structure of annotations object is quite simple.)

    If a non-admin user runs the TI process directly with the correct parameters then the annotation is created. This would rule out a permissions issue to the TI process and to the user having the rights to update the annotations. (Still please check the user has read access to the TI process and write access to the }CellAnnotations cube.)

    Have you checked in the browser developer console for both admin and non-admin users to inspect the calls being made on the network tab? Is it definite that the js function isn't called versus a failure later in the chain?
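
One way to carry out the network-tab check suggested above, as an added example that is not part of the original thread and is not Apliqo or TM1 code: export a HAR file from an admin session and a non-admin session and compare them. The URL pattern, host and process name are assumptions; adjust them to what your own capture shows.

```javascript
// Compares two HAR exports (browser dev tools, Network tab): admin vs non-admin.
// ASSUMPTION: the request that runs the TI process is a POST whose URL contains
// Processes('<name>'), as in the TM1 REST API. Change PROCESS_CALL if the
// front end routes the call differently in your installation.
const PROCESS_CALL = /Processes\('([^']+)'\)/;

function decode(url) {
  try { return decodeURIComponent(url); } catch { return url; }
}

// One record per process-execution request found in a HAR object.
function processCalls(har) {
  const entries = (har && har.log && har.log.entries) || [];
  return entries
    .filter((e) => e.request.method === "POST")
    .map((e) => ({ m: decode(e.request.url).match(PROCESS_CALL), status: e.response.status }))
    .filter((c) => c.m)
    .map((c) => ({ process: c.m[1], status: c.status }));
}

// For each process the admin session ran, report where the non-admin session stops:
//   "not sent" - the js function never issued the call (front-end side)
//   "rejected" - HTTP 401/403, a TM1 security difference on the process
//   "failed"   - no response (status 0) or another HTTP error
//   "accepted" - the call went through, so the failure is later (TI / py script)
function diagnose(adminHar, userHar) {
  const user = processCalls(userHar);
  return processCalls(adminHar).map(({ process }) => {
    const hit = user.find((c) => c.process === process);
    if (!hit) return { process, finding: "not sent" };
    if (hit.status === 401 || hit.status === 403) return { process, finding: "rejected" };
    if (hit.status === 0 || hit.status >= 400) return { process, finding: "failed" };
    return { process, finding: "accepted" };
  });
}

// Constructed sample data (hypothetical host and process name).
const entry = (method, url, status) => ({ request: { method, url }, response: { status } });
const RUN = "https://tm1.example/api/v1/Processes('hypothetical.annotate')/tm1.ExecuteWithReturn";
const adminHar = { log: { entries: [entry("POST", RUN, 201)] } };
const userNoCall = { log: { entries: [entry("GET", "https://tm1.example/api/v1/Cubes", 200)] } };
const userDenied = { log: { entries: [entry("POST", RUN.replace("'", "%27").replace("'", "%27"), 403)] } };

console.log(diagnose(adminHar, userNoCall), diagnose(adminHar, userDenied));
```

With real captures, load each exported `.har` file as JSON and pass the two objects to `diagnose`.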
