How to limit who users can Assign To?

Jake_Edwards · April 27, 2022, 2:59am

How can I limit who a User can Assign a document to?

Jake_Edwards · April 27, 2022, 4:29pm

Bump?

peterg · April 27, 2022, 4:33pm

I don’t think there’s any way to do this out of the box. You’d have to implement a custom script.

Jake_Edwards · April 27, 2022, 8:22pm

Thanks.

Seems odd, to me, that allowing end users to Assign things to anyone they like is generally accepted.

szufisher · April 28, 2022, 5:17am

the question is how to define which users can be assigned, technically filter out the allowed users to be assigned is not a big thing.

Jake_Edwards · April 28, 2022, 12:27pm

Thanks for the reply, but I don’t understand your point.

Assume I have 8 Users.

I want User 1 to only be able to Assign a
record to User 2, User 3 and/or User 4.

I want User 5 to only be able to Assign a record to User 6, User 7 and/or User 8.

How do I accomplish this?

peterg · April 28, 2022, 4:12pm

You could do it either client-side or server-side (or even both). If done on client side, you could filter out inappropriate options from the “Assign To” link field. On the server side, you’d throw an exception after the user tried to make an inappropriate assignment.

Server-side

Create a server script on the before_insert event for the ToDo doctype.

if doc.assigned_by == "peterg@erpnext.com" and doc.allocated_to == "szufisher@erpnext.com":
    frappe.throw("This assignment is not allowed")

Client-side

Create a new client script for whatever form you’re trying to limit assignment from:

frappe.ui.form.on('Web Page', {
	refresh(frm) {
        frappe.ui.form.AssignToDialog = class CustomAssignToDialog extends frappe.ui.form.AssignToDialog {
        	get_fields() {
        	    const allowed_users = ["peterg@erpnext.com"]
        		var fields = super.get_fields();
        		fields[1].get_data = function(txt) {
        		    return frappe.db.get_link_options("User", txt, {name: ["in", allowed_users], user_type: "System User", enabled: 1});
        		}
                return fields;
        	}
        };
	}
})

Both approaches should work fine. Server-side is more secure if you’re concerned about people getting around the restriction maliciously.

Jake_Edwards · April 28, 2022, 5:06pm

Thanks! I’ll try both.

szufisher · April 29, 2022, 2:58am

tested this client side script OK, two improvement ideas

instead of hard code , maintain the allowed assign to in a custom DocType with two fields: user, allowed assign to.
hook the script to a custom app and make it generic to any DocType.

peterg · April 29, 2022, 3:58am

Definitely; this is just a proof of concept. Anything that sets the allowed_users variable will work.

I wasn’t able to figure out how to do a set_query call on the link field here like one does with doc forms, so I had to override the class. Do you know if set_query is possible in any way with the dialog api?

szufisher · April 29, 2022, 5:41am

as far as I know not possible.