Lock down the Mass Update form
Posted By: Alex.Cottner on February 10th, 2011 in Programming, SugarCRM

Something that I find very quirky with Sugar is the fact that they allow the Mass Update form to be accessible for all users. This can cause serious problems with data integrity if you let end users have the kind of power this form has.

When browsing Sugar’s forum I see topics all the time about how to remove the Mass Update form entirely or lock it down to specific users or teams. There are a couple of different ways of doing this. A few are not upgrade safe because they require modifying core files, and one is upgrade safe.

Let’s take a look at how we can accomplish these with Sugar Pro 6.1.0.

Option 1 – Remove the form completely for all users (Non-Upgrade Safe)

With this option, we are going to completely remove the ability for the Mass Update form to be brought up. This will remove it for all users, including the admin user.

First, navigate to your site/include/ListView folder. In this folder you’ll want to bring up the ListViewDisplay.php file. Around line 92 you should see a function called setup.

Look for where it shows the mass update form based on the Boolean value ($this->show_mass_update_form = true). Set this to false, as shown in the photo above.

With this set to false the link for Mass Update in the Actions window for the List View will no longer do anything. This is kind of a quick and dirty way of removing it but not very user friendly. Some users may think that the link is broken since it doesn’t alert them that they don’t have access to the Mass Update form.

Option 2 – Remove the Mass Update link (Non-Upgrade Safe)

In the same ListViewDisplay.php file, if you look around line number 284 you’ll see how it starts to build the link for Mass Update. You’ll also see a call to the function buildMassUpdateLink.

Let’s navigate down to this function around line 351.

There are a couple different things you can do here. In this example, I’m just going to check if the current user is the admin user or not. If they are the admin user then I’ll return the link, otherwise we’ll remove the link entirely from the Actions menu.

protected function buildMassUpdateLink()
{
    global $app_strings;
    global $current_user;

    // Only the account named "admin" gets the Mass Update action link.
    if ($current_user->user_name == 'admin')
    {
        // The core function's existing link-building code stays here unchanged.
        return *code for the existing link here*
    }
    else
    {
        // Return nothing, so the Actions menu gets no Mass Update entry at all.
        return;
    }
}

Here we declare the global variable current_user to grab the current user’s information. Then we create our if/else statement to determine whether the current_user’s username is admin or not. If the admin is logged in, we let them see the Mass Update link, which is returned back to the previous function that builds the action items (pictured above). If they are not the admin, we don’t return anything to that function, which eliminates the link from the Actions menu entirely. You can also put other logic here, such as checking whether the current user is on a particular team, since some people may only want to open the Mass Update form to members of a sales admin type of team.

Option 3 – Upgrade Safe

With Sugar, you can overwrite views in an upgrade safe way by creating your custom views in the custom/modules/YourModule/views folder. In this example I’m going to overwrite the Accounts list view page with my own custom view.list.php file.

Here I’m setting the showMassUpdateFields value to false. This removes the link entirely from the Accounts list view page. This is definitely the preferred way of removing the link, since it is upgrade safe. You could even use the same logic as option 2 here to decide which users can see the Mass Update link.
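Putting option 3 together with the admin check from option 2, here is an added example of what such a custom list view could look like (my own illustration, not code from the post or from SugarCRM). It uses the showMassUpdateFields name from the post and assumes Sugar’s ViewList base class at include/MVC/View/views/view.list.php with its listViewProcess() hook, which the post does not spell out.

```php
<?php
// custom/modules/Accounts/views/view.list.php
// Upgrade-safe override of the Accounts list view, placed in the
// custom/modules/YourModule/views folder the post describes.
// Assumed: ViewList lives at the path below and builds the list in listViewProcess().
require_once('include/MVC/View/views/view.list.php');

class AccountsViewList extends ViewList
{
    public function listViewProcess()
    {
        global $current_user;

        // Same rule as option 2: only the account named "admin" keeps Mass Update.
        // Everyone else has the Mass Update fields (and the link) removed for Accounts.
        if ($current_user->user_name != 'admin') {
            $this->lv->showMassUpdateFields = false;
        }

        // Let the stock view render the list with our setting applied.
        parent::listViewProcess();
    }
}
```

This override only covers the Accounts module, so each module whose list view exposes Mass Update needs its own custom view.list.php. The user_name check matches only the one account literally named admin, not every user with admin rights.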
