Activate God Mode in CRM 2013- Don’t Let Your Users See This

Posted: July 30, 2014 in Dynamics CRM 2013, JavaScript

Previously I’ve been posting about how to recreate CRM functionality using browser bookmarkets. These have included useful functions like opening advanced find, or publishing customizations. In this blog post I’m going to go one step further and show how we can completely disable ALL client side validation on a form so that we can make changes to a form without worrying about field requirement levels, visibility, business rules, or JavaScript.

What I’m about to show is intended for testing purposes only, and should not be used in any production environments – otherwise you might end up with dirty data in your system. So use it cautiously, and use it wisely!

What it does:

  • Makes all required fields not required.
  • Makes all hidden fields visible.
  • Enables all disabled fields.
  • Makes all hidden tabs visible.
  • Makes all hidden sections visible.
  • Expands all collapsed tabs.
  • Clears field notifications on all fields.
  • Prevents JavaScript from firing on save.
  • Allows editing of inactive records.

One click of this button and you instantly have edit access to every field added to your form. This is extremely useful when you have JavaScript or plugins setting or relying on hidden fields on your form, and you need to quickly get in and see or modify those fields.

It’s also useful if you need to change a value on a form without entering in all the required fields – particularly as an admin when you need to fix up 1 or 2 fields on an existing record without filling out the rest of the required fields.

I’ve set up a form as an example below.

You can see we have most fields disabled. What you can’t see are the hidden fields and sections. Also when we try to save the form, our CRM Admin has added some “secure” JavaScript to prevent us from saving the form:

One click of our magic ‘God Mode’ button, and voila!

As you can see, literally every field is now unlocked, and not required. We can also see the ‘Company’ field in the second column which was previously hidden, the entire ‘Hidden’ tab is now visible, and we can edit any of the values (with the exception of Status, Created On, and Created By which can be changed but do not save to the database). We can also now save the form and bypass that pesky on save validation, and even clear the value of required fields.

Further down what you can’t see in the screenshot is that our Details tab has now been expanded as well. This means if we need to find a field we can Ctrl + F and quickly find what we’re looking for even if it was in a collapsed tab.

One other unexpected feature of this button is that we can also open an inactive record, turn on God Mode, and then change any of the ‘disabled’ fields. We can then simply navigate away from the record and the changes will be saved to the inactive record! (Only works with autosave enabled, or if you have rollup 1 or lower, and doesn’t work on activity entities).

Any user can set up this button for their own personal use, and it can be used with any CRM 2013 system, on any modern entity, and you don’t need any additional CRM security roles/privileges. To configure the bookmarklet, simply create a new bookmark, then edit the properties and set the URL to the following script:

javascript:var form=$("iframe").filter(function(){return $(this).css("visibility")=="visible"})[0].contentWindow;try{form.Mscrm.InlineEditDataService.get_dataService().validateAndFireSaveEvents=function(){return new Mscrm.SaveResponse(5,"")}}catch(e){}var attrs=form.Xrm.Page.data.entity.attributes.get();for(var i in attrs){attrs[i].setRequiredLevel("none")}var contrs=form.Xrm.Page.ui.controls.get();for(var i in contrs){try{contrs[i].setVisible(true);contrs[i].setDisabled(false);contrs[i].clearNotification()}catch(e){}}var tabs=form.Xrm.Page.ui.tabs.get();for(var i in tabs){tabs[i].setVisible(true);tabs[i].setDisplayState("expanded");var sects=tabs[i].sections.get();for(var i in sects){sects[i].setVisible(true)}}

 

If you’re a CRM admin/developer reading this, you probably want to think about what validation you’re doing on the client side and consider moving anything critically important into server side validation.

Advertisements
Comments
  1. PeB says:

    unbelievable, that this is possible.
    OK. If you think about it, it is understandable, how it works, and why it works…
    can MS in an future update never block that this is possible?

    But if a user finds that out – all security is gone.

    Paul, only for your Info: We created for every entity one AdminForm which only could be seen if you have the adminrights, you need to switch to this form.
    We had the need to bring every new field onto that AdminForm, need to check that its visible & writeable, check also the sections and tabs etc.

    There are several checks in onload of forms and onchange of fields, that look if you have adminrights or if adminform is loaded …

    unbelievable that this all is not needed anymore.

    i am really very very stunned.
    woow.

    MANY MANY THX for that.

    Greets Pit

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s