M-Files VBScript State Action Problem - Access Denied

Greetings,

 

We have issues with a VB Script that sends a document to another state.

 

We have a specific situation with our client. When the document meets some condition from VB Script, it is necessary to transfer it to another state.

In our case, it does not want to transfer the document if it is not a System Administrator account or there is no direct connection from the state from which it sends the document to the state where the document should be placed via VB Script.

 

The above logic is mandatory for us at the client and that part would have to work because of the Audit Trail.

You can replicate the error by creating three states in workflow - "Test1", "Test2", "Test3". Place in Test 2 the script that will switch to "Test3" and try to switch with a non-admin user. (There must not be a state transition in the workflow between Test2 and Test3).

The script I'm using at the client:

Option Explicit

Dim Employee, iClass, DepartmentManager, iWFState, FunctionManager
iClass = PropertyValues.SearchForProperty(100).TypedValue.DisplayValue
Employee = PropertyValues.SearchForProperty(1061).TypedValue.DisplayValue
DepartmentManager = PropertyValues.SearchForProperty(1161).TypedValue.DisplayValue
FunctionManager = PropertyValues.SearchForProperty(1160).TypedValue.DisplayValue

' Create a typed value for the "last modified by" value.
Dim objLastModifiedByTypedValue
Set objLastModifiedByTypedValue = CreateObject("MFilesAPI.TypedValue")
objLastModifiedByTypedValue.SetValue MFDatatypeLookup, CurrentUserID

' Update the last modification info.
Vault.ObjectPropertyOperations.SetLastModificationInfoAdmin ObjVer, True, objLastModifiedByTypedValue, False, Nothing

'Conditions depending on property Class and FunctionManager = Employee

IF iClass = "Work Instruction" AND Employee = DepartmentManager Then
    ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
    'Save the changed propertyvalues to the object
    iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
    PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
    Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues

ELSEIF iClass = "Procedure" AND Employee = FunctionManager Then
    ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
    'Save the changed propertyvalues to the object
    iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
    PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
    Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues

ELSEIF iClass = "Decision" AND Employee = FunctionManager Then
    IF PropertyValues.SearchForProperty(1156).TypedValue.DisplayValue = "No" Then
        ' PropertyValues.SearchForProperty(1061).Value.SetValue MFDataTypeMultiSelectLookup, null
        'Save the changed propertyvalues to the object
        iWFState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("WFS.BoardDecision2.41Approved")
        PropertyValues.SearchForProperty(39).TypedValue.SetValue MFDataTypeLookup, iWFState
        Vault.ObjectPropertyOperations.SetAllProperties ObjVer, true, PropertyValues
    END IF
END IF

In this case it's not working for regular users:

In this case it's working for regular users:

If the state transition in between states 2 and 3 has deny permission, then it's not working for System Admins.

I just want to point out that both ways work if the user has the System Admin role.

It was tested on versions from 22.2 to 22.5, and every time the same problem occurred.

  • The underlying issue is that the server will look at the object's starting state (2) and the ending state (3), and check that the current user has the rights to make that transition.  If there is no valid transition from 2->3 then normal users cannot possibly have rights to do so.  Admins bypass this requirement check.

    One simple hack you can use is to add a new state (4) after 2, place your code there, and make an automatic state transition from 2 to 4.  Automatic state transitions are run by the server, so the "current user" who then moves from 4-3 should be the server, who's an admin, who can then move the object regardless of whether there's a defined transition.

    I haven't personally used this hack for a few years, but I think that I'm remembering it correctly.

    Another solution - albeit needing you to use VAF - is to add an entry to a task queue on state 2, then get a task processor to do the move to state 3.  It adds some delay to the process so it may not be desirable, but it is a good workaround in some situations.

  • Craig is correct as always and has described very well why this rejection occurs. The "hack" he offers is a pretty good solution in most cases. I myself use it when necessary, but in this case it will remain in history that the action was performed by the M-Files server, and this will hardly please the auditors.

  • If you work for a regulated industry, or one where auditing of these specific objects is important, then obviously speak to your compliance officer (or similar) to understand the implications of such changes.  It is incredibly important to ensure that scripting does not affect your ability to meet any external or internal requirements.

    But a blanket statement that automated actions cannot appear in an object's history is perhaps not accurate; there'll be a record of the fact that the object was moved from state 1->2 by user X, and there should be a documented automated process that the system will then move from 2-3 and 3-4.  As such there's still a record of who caused it to go to 4.

    Plus, even in the original set of code, the object would be altered by the script and would have lost the audit trail data anyway.

  • I totally agree with you Craig. I was particularly impressed by this part of the code, which really manipulates the user who last modified the object.

    Dim objLastModifiedByTypedValue
    Set objLastModifiedByTypedValue = CreateObject("MFilesAPI.TypedValue")
    objLastModifiedByTypedValue.SetValue MFDatatypeLookup, CurrentUserID
    
    ' Update the last modification info.
    Vault.ObjectPropertyOperations.SetLastModificationInfoAdmin ObjVer, True, objLastModifiedByTypedValue, False, Nothing

  • This is documented on the Developer Portal: Audit Trail and Scripting (fixing "(M-Files Server)" in the audit logs)

    But, again, from an auditing perspective, needs to be done with care.
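
The transition check and the intermediate-state workaround discussed in this thread, as a small Python model added here (not code from the thread or from M-Files). The user `alice`, the `sysadmin` account and the rule set are constructed, and the model assumes a state script runs as whoever entered the state while automatic transitions run as the server.

```python
# Simplified model of the transition check described in this thread.
# Not M-Files code: the states, users and rules are constructed for illustration.
SERVER = "(M-Files Server)"          # actor label the thread mentions in audit logs
ADMINS = {SERVER, "sysadmin"}        # constructed admin accounts


class AccessDenied(Exception):
    pass


class Workflow:
    def __init__(self, transitions, scripts=None, automatic=None):
        self.transitions = transitions    # {(src, dst): users allowed to use it}
        self.scripts = scripts or {}      # {state: dst} state action, runs as the actor
        self.automatic = automatic or {}  # {state: dst} automatic move, runs as server

    def allowed(self, user, src, dst):
        # Admins bypass the check; everyone else needs a defined transition
        # between the two states that grants them rights.
        return user in ADMINS or user in self.transitions.get((src, dst), set())

    def move(self, user, src, dst):
        """Return the audit entries (actor, src, dst) caused by one move."""
        if not self.allowed(user, src, dst):
            raise AccessDenied(f"{user}: no permitted transition {src} -> {dst}")
        trail = [(user, src, dst)]
        if dst in self.automatic:
            trail += self.move(SERVER, dst, self.automatic[dst])
        elif dst in self.scripts:
            trail += self.move(user, dst, self.scripts[dst])
        return trail


# Workflow from the question: the script on Test2 jumps to Test3, no Test2 -> Test3 transition.
original = Workflow({("Test1", "Test2"): {"alice"}}, scripts={"Test2": "Test3"})

# Workaround from the reply: Test2 auto-transitions to Test4, whose script moves to Test3.
workaround = Workflow({("Test1", "Test2"): {"alice"}},
                      scripts={"Test4": "Test3"}, automatic={"Test2": "Test4"})

if __name__ == "__main__":
    try:
        original.move("alice", "Test1", "Test2")
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in workaround.move("alice", "Test1", "Test2"):
        print(entry)
```

In the workaround trail only the first entry carries the user's name; the remaining moves are attributed to the server, which is the audit concern raised in the comments.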