Question

Delete privileges are not evaluated as expected

0

Hello all, We have an Entity that should only be deletable by the System.Owner, however it seems that Mendix is not evaluating the entity access rules as expected, at least with respect to what is rendered in the client. With the default settings (applicable roles), the Delete button is not hidden. However, the attributes are read-only as expected. The user does receive an error message when trying to delete the object so the security seems to be applied, but it is not strange that the button would still display anyway? Is it up to the developer to conditionally hide that button?

asked 2023-02-21

Ryan Saunderson

2 answers

Danny Kumpf · Answer 1 · 2023-02-21

Hi Ryan,

As far as I know the feature that hides buttons based upon the permissions of the action is limited to microflow/nanoflow/page actions but does not extend to the delete function. (Although I couldn’t find this explicitly stated anywhere in the documentation for on click events)

In your case you could either add conditional visibility to the button or create a custom delete microflow which has limited permissions for Managers only.

Hope this helps

Danny

Thijs Oosting · Answer 2 · 2023-02-21

Hi Ryan,

You can still delete from a microflow if you defined the action there, that checkbox only impacts default buttons and some widgets who depend on that setting.

If I had to guess your issue is more at your domain model and possible the associations where the user has no or limited rights for. Or it is the contraint that you are using, if those two options didn't offer the solution you might want to share the error message from your console.