Assume a user has write access to a table (call it table1) but not create access. Further assume that the form of another table (call it table2), on which this user does have create access, includes a dot-walked field from the first table (the table2 form shows table1.field).
If the user creates a new record on table2 and changes the value of table1.field, the table2 record is created, but the value of table1.field is left unchanged.
The cause is that the create ACL for table1 fails. If the user is made to pass that ACL, the field is updated.
1. Create a new role called "problem_creator".
2. Modify the create ACL on the Problem table so that only users with the "problem_creator" role can create new records in the Problem table.
3. Configure the Problem Task form to show the "Assignment Group" field of the Problem table. Do not create a new "Assignment Group" field; instead, modify the form layout to add "Assignment Group" from the Problem table by dot-walking to it.
4. Assign the "problem_creator" role to "User 1". Assign only the ITIL role to "User 2".
5. When impersonating "User 2" and creating a new record in the Problem Task table, the new value selected in Assignment Group (the field dot-walked from the Problem table) is reset to the value from the Problem form.
6. When impersonating "User 1" and creating a new record in the Problem Task table, the new value selected in Assignment Group (the field dot-walked from the Problem table) is set to the value the user entered while creating the record.
In step 5 of the steps to reproduce, the value on the form is reset to an empty value when the user saves, and the update does not succeed. However, if the user enters the value again and saves the form a second time, the value updates successfully.
This issue is currently fixed; however, in back-ports the fix is disabled by default. To enable the fix, add the property glide.security.form_submit_aclcheck_legacy and set its value to false.