Constrain Your Data Using XPath - extra challenge help

-1
Good afternoon!

I was working on the intermediary learning path (as per the title) and got stumped on the extra challenge “-Make a dashboard of requests with no approver assigned. Write a microflow that allows managers to claim these requests for themselves.”

Making the page and a button with the microflow to do just that was not a problem. I'm running into an access rule issue, however.

For the main page in the learning path, a datagrid (VacationRequest, by XPath) is used which only shows requests with the status submitted. Now, depending on whether you are logged in as a manager or a user, different requests will be shown. For the user, only the requests submitted by the user ( [VacationManagement.VacationRequest_Submitter='[%CurrentUser%]'] ) and for managers only the requests assigned to that manager to be approved ( [VacationManagement.VacationRequest_Approver='[%CurrentUser%]'] ). This is defined in the entity access rules.

The new page, which requires managers to be able to view unassigned requests, conflicts with those access rules.

I've tried adding an or statement, making the access rules for the manager role as such: [VacationManagement.VacationRequest_Approver='[%CurrentUser%]' or not(VacationManagement.VacationRequest_Approver/Administration.Account)] ; but that doesn't work because now it also shows on the main page (which was only supposed to show tickets submitted by the user or to be approved by the user in case of a manager).

Could anyone offer a suggestion?

Thanks in advance,
Damien
asked
2 answers
1

You could alter your main page XPath to only show the assigned requests. Normally you wouldn't want to rely on retrieves like this to enforce security, but in this case it's not a security issue as managers are allowed to see any unassigned requests (you just don't want them visible in this grid).

answered
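
The layering this answer describes, modelled as an added Python example (not Mendix code and not part of the original thread): the entity access rule decides which objects a role can read at all, and each page's XPath constraint only narrows that set for display. The role names, page names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class VacationRequest:
    id: int
    submitter: str
    approver: Optional[str]  # None models "no approver assigned"
    status: str


Predicate = Callable[[VacationRequest, str], bool]

# Entity access rules per module role: the security boundary.
# The Manager rule is the widened one from the question (own or unassigned).
ACCESS_RULES: dict[str, Predicate] = {
    "User": lambda r, me: r.submitter == me,
    "Manager": lambda r, me: r.approver == me or r.approver is None,
}

# Page-level constraints: presentation filters, applied on top of access rules.
MAIN_PAGE_ORIGINAL: Predicate = lambda r, me: r.status == "Submitted"
MAIN_PAGE_MANAGER: Predicate = (
    lambda r, me: r.status == "Submitted" and r.approver == me
)
UNASSIGNED_DASHBOARD: Predicate = (
    lambda r, me: r.status == "Submitted" and r.approver is None
)


def visible_ids(requests, role, me, page_constraint):
    """A row is shown only if the access rule AND the page constraint match."""
    allowed = ACCESS_RULES[role]
    return [r.id for r in requests if allowed(r, me) and page_constraint(r, me)]


# Constructed sample data.
REQUESTS = [
    VacationRequest(1, "alice", "mark", "Submitted"),
    VacationRequest(2, "bob", None, "Submitted"),
    VacationRequest(3, "alice", None, "Submitted"),
    VacationRequest(4, "bob", "mary", "Submitted"),
    VacationRequest(5, "carol", "mark", "Approved"),
]

if __name__ == "__main__":
    for name, page in [("original main page", MAIN_PAGE_ORIGINAL),
                       ("constrained main page", MAIN_PAGE_MANAGER),
                       ("unassigned dashboard", UNASSIGNED_DASHBOARD)]:
        print(name, visible_ids(REQUESTS, "Manager", "mark", page))
```

The page constraint can only hide rows the access rule already permits, so a non-manager opening the dashboard still gets nothing beyond their own requests.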
0

Your answer “App Security - Entity access - manager module role - Xpath constrain [VacationRequestApp.VacationRequest_Approver = '[%CurrentUser%]' or not(VacationRequestApp.VacationRequest_Approver/Administration.Account/FullName != empty)]” did the trick for me. 

When I also use “[Status ='Submitted' and VacationRequestApp.VacationRequest_Approver/Administration.Account/FullName != empty]” I don't see any records at all for any users. 

 

So we can conclude there are flaws in the Academy?

answered