AnsweredAssumed Answered

Block record creation through Outlook plugin

Question asked by Paulo Paiva on May 27, 2016

I've searched without success for this setting on previous versions of the Outlook plugin, and in version 2.2.0 it's still not available.


Basically a way to block record creation from Outlook.


While using the CRM software capabilities we perfected our modules to fill required information, trigger validations or business rules and complement data. However when we use Outlook we get a couple of fields to fill and we create a record, overriding all the business logic, validations and requirements. The role module doesn't distinguish different platforms and we cannot block record creation on the selected roles, because it will affect all platforms and not just Outlook plugin.


While testing different approaches we've identified a potential solution and share it here to identify potentials problems and for other persons with similar issues. It uses two different steps based on the fact that the requests from outlook are now identifiable, through the "platform" property in the RestService object.


Performed on Sugar 7.5.


First step is to change the security permissions returned to Outlook, so that the "New Sugar Record" menu only shows the authorized modules. This is achieved by extending the current user API:




require_once 'clients/base/api/CurrentUserApi.php';

class CustomCurrentUserApi extends CurrentUserApi
    public function retrieveCurrentUser($api, $args)
        global $log;
        $currentUser = parent::retrieveCurrentUser($api, $args);
        if($api->platform == "opi") {
            // for debug purposes
            $log->fatal("CustomCurrentUserApi called from opi! ");
            // block opportunity creation
            $hash = $currentUser["current_user"]["acl"]["Opportunities"]["_hash"];
            $currentUser["current_user"]["acl"]["Opportunities"]["edit"] = "no";
            $currentUser["current_user"]["acl"]["Opportunities"]["create"] = "no";
            $currentUser["current_user"]["acl"]["Opportunities"]["massupdate"] = "no";
            $currentUser["current_user"]["acl"]["Opportunities"]["_hash"] = $hash;      

        return $currentUser;



The parent method is called to perform the standard work in "$currentUser = parent::retrieveCurrentUser($api, $args);" and if the platform is "opi" it adds/changes the permissions to block create, edit and massupdate. I don't know if the last one is actually used.

This is an example. Additional modules can be added and some dynamic can be included by setting the blocked modules on a choice list or config var.


Next step is to use the after_routing event to detect and block record creation from "opi". This is necessary since there are situations where the permission restrictions on the first step are not applied and are validated server-side.

Based from the example in:




$hook_version = 1;
$hook_array = Array();
$hook_array['after_routing'] = Array();
$hook_array['after_routing'][] = Array(
    'after_routing opi logic hook',




class OutlookApiLogicHook
     * Logic hook function tied to 'after_routing' event
    function opiAfterRouting($event, $arguments)
        global $log;
        if($arguments["api"]->platform == "opi" 
           && $arguments["api"]->getRequest()->getRoute()["method"] == "createRecord" 
           && in_array("Opportunities", $arguments["api"]->getRequest()->getPath(), true)) {
            $log->fatal("blocked create record call from " . $arguments["api"]->platform);
            throw new SugarApiExceptionNotAuthorized("Record creation from Outlook is not authorized for this specific module.");



There are more actions to validate such as updates if needed.