Glide List fields do not honour read ACLs set on the table they are based on.



Steps to Reproduce

1. Log in as admin to any Istanbul or Jakarta instance
2. Open an Incident form
3. Configure the Form Layout
4. Select the "Self service" view for editing
5. Add the "Company" reference field in the form view layout
6. Create a new field of type "List" based on "core_company" table
7. Open an active incident whose caller is an ESS user with no roles (such as "Joe employee")
8. Fill in the Company field and the new list field
9. Impersonate the ESS user set as caller for the incident selected in step 7
10. Open the same incident record as in step 7

Observe the following:

The Company reference field will not be visible on the Incident form, due to the read ACL on the core_company table.

The list field based on core_company is visible instead.

Hovering over the reference icon on the list field, or selecting a new company, will trigger the security error due to the ACL.
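
To find where this behaviour applies on an instance, the following added example (not ServiceNow code and not part of the original article) flags List fields whose referenced table, or one of its parent tables, carries an active read ACL. It assumes rows exported from sys_dictionary and sys_security_acl and flattened to plain strings; the `parents` map and the `u_companies` field name are hypothetical.

```javascript
// Added example. Rows are constructed and flattened to plain strings; field names
// follow sys_dictionary (name, element, internal_type, reference) and
// sys_security_acl (name, operation, type, active).
// Tables with at least one active record read ACL. Field-level names
// ("table.field", "table.*") are counted against their table, conservatively.
function readProtectedTables(acls) {
  const tables = new Set();
  for (const acl of acls) {
    const active = String(acl.active) === 'true';
    if (active && acl.type === 'record' && acl.operation === 'read') {
      tables.add(acl.name.split('.')[0]);
    }
  }
  return tables;
}

// Walk the referenced table and its ancestors; `parents` (child -> parent) is an
// assumed map of the table hierarchy. Returns the first protected table or null.
function protectingTable(table, protectedTables, parents) {
  const seen = new Set();
  for (let t = table; t && !seen.has(t); t = parents[t]) {
    if (protectedTables.has(t)) return t;
    seen.add(t);
  }
  return null;
}

function findExposedListFields(dictionary, acls, parents = {}) {
  const protectedTables = readProtectedTables(acls);
  const findings = [];
  for (const d of dictionary) {
    if (d.internal_type !== 'glide_list' || !d.reference) continue;
    const aclTable = protectingTable(d.reference, protectedTables, parents);
    if (aclTable) findings.push({ field: `${d.name}.${d.element}`, references: d.reference, aclTable });
  }
  return findings;
}

// Constructed sample mirroring the reproduction steps (u_companies is hypothetical).
const sampleDictionary = [
  { name: 'incident', element: 'company', internal_type: 'reference', reference: 'core_company' },
  { name: 'incident', element: 'u_companies', internal_type: 'glide_list', reference: 'core_company' },
  { name: 'task', element: 'watch_list', internal_type: 'glide_list', reference: 'sys_user' },
];
const sampleAcls = [
  { name: 'core_company', operation: 'read', type: 'record', active: 'true' },
  { name: 'sys_user', operation: 'read', type: 'record', active: 'false' },
];
console.log(findExposedListFields(sampleDictionary, sampleAcls));
```

Each finding is a List field to review for whether it should appear on views available to users who cannot read the referenced table.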


After carefully considering the severity and frequency of the issue, and the cost and risk of attempting a fix, it has been decided to not address this issue in any current or near future releases. We do not make this decision lightly, and we apologize for any inconvenience. You can submit an Enhancement Request from the Self-Service portal on HI, and Subscribe to this article for future updates.

Related Problem: PRB1238484

Article Information

Last Updated: 2019-05-21 11:34:33