How does this result in misconfigurations?
Let’s assume an administrator creates a CRT with “No Permissions Required.” When adding custom fields, he wants some fields to be readable by unauthenticated users, so he sets their Default Access Level to View; for other fields that shouldn’t be readable, he sets Default Access Level to None, assuming the job is done.
This would be wrong because the “Default Level for Search / Reporting” (DLSR) setting is still Edit, even when Default Access Level is set to None. And this, Costello shows, can be abused through the NetSuite API to read the data in that field. The confusion here could be caused by the fact that fields with Default Access Level set to None can’t have their data read through the SuiteScript API loadRecord function, part of the N/record module, which contains the most popular functions for performing CRUD (create, read, update, delete) operations on individual records.
But there’s a different API function called nlapiSearchRecord, part of the N/search module, that can also be used to read data from record fields, and the permission for this API is defined by the DLSR setting. The difference is that reading field values with nlapiSearchRecord requires knowing the field name, whereas reading data via loadRecord requires knowing the field ID. Fortunately, the data available from the two APIs complement each other.
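A configuration audit for the mismatch described above, as an added example that is not from the article or from NetSuite: it flags fields whose Default Access Level is None while the DLSR setting still allows search. The inventory shape, the `auditCrts` helper and all record and field ids are assumptions constructed for illustration.

```javascript
// Added example: audit an inventory of custom record types (CRTs).
// The object shape and every record/field id below are constructed for
// illustration; this is not a NetSuite export format or API.
const LEVELS = new Set(["None", "View", "Edit"]);
const OPEN_ACCESS = "No Permissions Required";

function checkLevel(level, where) {
  if (!LEVELS.has(level)) throw new Error(`unknown level "${level}" at ${where}`);
  return level;
}

// Flags fields that are hidden from record loads (Default Access Level
// "None") but still readable through search (DLSR is not "None").
function auditCrts(crts) {
  const findings = [];
  for (const crt of crts) {
    const open = crt.accessType === OPEN_ACCESS;
    for (const f of crt.fields) {
      const where = `${crt.id}.${f.id}`;
      const access = checkLevel(f.defaultAccessLevel, where);
      const dlsr = checkLevel(f.searchReportingLevel, where);
      if (access !== "None" || dlsr === "None") continue; // readable by design, or closed on both paths
      findings.push({
        field: where,
        searchReportingLevel: dlsr,
        // Open CRT: the mismatch is reachable without authentication.
        severity: open ? "high" : "review",
        fix: 'set Default Level for Search / Reporting to "None"',
      });
    }
  }
  // High-severity findings first; the sort is stable within a severity.
  const weight = (x) => (x.severity === "high" ? 0 : 1);
  return findings.sort((a, b) => weight(a) - weight(b));
}

// Constructed sample inventory.
const sample = [
  { id: "customrecord_internal", accessType: "Use Permission List", fields: [
    { id: "custrecord_notes", defaultAccessLevel: "None", searchReportingLevel: "Edit" },
  ]},
  { id: "customrecord_signup", accessType: "No Permissions Required", fields: [
    { id: "custrecord_display_name", defaultAccessLevel: "View", searchReportingLevel: "View" },
    { id: "custrecord_home_address", defaultAccessLevel: "None", searchReportingLevel: "Edit" },
    { id: "custrecord_internal_flag", defaultAccessLevel: "None", searchReportingLevel: "None" },
  ]},
];

console.table(auditCrts(sample));
```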