Announcement

Collapse
No announcement yet.
X
Collapse
  • Page of 2
  • Filter
  • Time
Clear All
new posts
Previous 1 2 template Next
    #1

    Hide or gray-out UI elements based on user role

    I am using declarative security to limit user's ability to view or modify data based on their authenticated role. The security works fine, but it results in low-privilege users seeing some buttons and ui elements that don't work for them and throw authorization related errors instead.

    Is there a way in the tool kit to cause some elements either to not be draw at all or appear grayed out for users that lack the privilege to use them?

    A pointer to an example or the documentation that I've missed would be great.

    Thanks
    RP
    Tags: None
    #2
    When the UI element in question comes from a DataSourceField definition, this is automatic when using Declarative Security attributes such as editRequiresRole.

    For other elements, like buttons that lead to functionality the user can't access, attributes such as visibleWhen can be used to check user roles if you put them into the ruleScope via provideRuleContext().

    Comment

      #3
      Originally posted by Isomorphic View Post
      For other elements, like buttons that lead to functionality the user can't access, attributes such as visibleWhen can be used to check user roles if you put them into the ruleScope via provideRuleContext().
      Actually I'm trying to use this technique, but I'm facing the problem that I have an array of user roles, but in an AdvancedCriteria I can't express a criterion which says that a value must be 'inSet' of a fieldName value.
      Have you got any hints?

      Comment

        #4
        In another thread we were just discussing your use of the "inSet" operator. The same operator exists for client-side criteria. Did you have some trouble using it?

        Comment

          #5
          Let's say that I put the user roles in the rule context like this:
          Code:
          myLayout.provideRuleContext("roles", ["ROLE_1", "ROLE_2"]);
          Then I want to enable a canvas if the user has at least ROLE_1.
          How can I express this in a criterion?

          This isn't the right criteria:
          Code:
          {fieldName:"myLayout.roles", operator:"inSet", value:"ROLE_1"}

          Comment

            #6
            please let me know if I'm missing something

            Comment

              #7
              Claudio,

              I'm not sure the correct way to search for matches within an array, but if you made "roles" a string you could search for the role as a sub-string like:

              myLayout.provideRuleContext("roles", "ROLE_1,ROLE_2");

              {fieldName:"myLayout.roles", operator:"contains", value:"ROLE_1"}

              RP

              Comment

                #8
                This looks like what I want. The piece I'm stumped on is how to access the user roles from the client side. I'm using a custom SecureIDACall to set userRoles to a string of concatenated roles based on group memberships passed from our shibboleth authentication system. I just don't know if or how that is exposed in the client javascript.

                Thanks
                RP

                Comment

                  #9
                  rpoyner thanks for the suggestion, actually that would work as long as there isn't a role with a name which contains the string ROLE_1

                  Comment

                    #10
                    Originally posted by rpoyner View Post
                    This looks like what I want. The piece I'm stumped on is how to access the user roles from the client side. I'm using a custom SecureIDACall to set userRoles to a string of concatenated roles based on group memberships passed from our shibboleth authentication system. I just don't know if or how that is exposed in the client javascript.
                    I write them as a js variable in my JSP:
                    Code:
                    JSTranslater jsTranslater = JSTranslater.get();
jsTranslater.toJSVariable(userRoles, "userRoles", out);

                    Comment

                      #11
                      Thanks for the help. For some reason I hadn't thought of doing it in jsp. I ended up with:

                      <script type="text/javascript" language="JavaScript">
                      userRoles='<%=((String) request.getAttribute("isMemberOf")).replace(";",",")%>';
                      </script>

                      RP

                      Comment

                        #12
                        Originally posted by claudiobosticco View Post
                        Actually I'm trying to use this technique, but I'm facing the problem that I have an array of user roles, but in an AdvancedCriteria I can't express a criterion which says that a value must be 'inSet' of a fieldName value.
                        Have you got any hints?
                        Now I'm doing it like this:
                        Code:
                            // add user roles to the ruleContext of globalLayout which is marked as isRuleScope:true
    for (var index = userRoles.getLength() - 1; index >= 0; index--) {
        var role = userRoles.get(index);
        globalLayout.provideRuleContext("userRoles.role_" + index, role);
    }
    // add some utility methods to create criterions:
    globalLayout.addProperties({
        getHasRoleCriterion: function (aRole) {
            var userRoles = globalLayout.getRuleContext().userRoles;
            var criteria = [];
            for (var roleKey in userRoles) {
                criteria.add({fieldName: "userRoles." + roleKey, operator: "equals", value: aRole});
            }
            return {operator: "or", criteria: criteria};
        },
        getHasNotRoleCriterion: function (aRole) {
            var userRoles = globalLayout.getRuleContext().userRoles;
            var criteria = [];
            for (var roleKey in userRoles) {
                criteria.add({fieldName: "userRoles." + roleKey, operator: "notEqual", value: aRole});
            }
            return {operator: "and", criteria: criteria};
        }
    });
    // usage sample:
    /*
    enableWhen: {
            _constructor: "AdvancedCriteria",
            operator: "and",
            criteria: [
                globalLayout.getHasRoleCriterion("ROLE_ADMIN"),
                {fieldName: "someGrid.anySelected", operator: "equals", value: true}
            ]
        },
     */

                        Comment

                          #13
                          Got pulled into other projects for a couple of days. I'm back on this and observing an odd problem with visibleWhen.

                          The visibleWhen criteria should always be false as written and hide the button, but it does not.

                          isc.ToolStripButton.create({
                          ID:"topToolStripReportButton",
                          autoDraw:false,
                          title:"Reports",
                          visibleWhen:{fieldName:"roles",operator:"contains",value:"some"},
                          click:function() {
                          reportWindow.resetWindow();
                          reportWindow.show();
                          }
                          });

                          Throws _2.getLocator related errors in the console log of the browser like:

                          ISC_Core.js?isc_vers…_2017-11-27.js:1197 *11:36:07.771:TMR4:WARN:Log:TypeError: _2.getLocator is not a function
                          Stack from error.stack:
                          [c]AutoTest.getObjectLocator(<no args: exited>) on [Class AutoTest] @ ISC_Core.js:4283:113
                          Canvas._getObjectLocatorForWhenRules(<no args: exited>) on [ToolStripButton ID:topToolStripReportButton] @ ISC_Core.js:3466:154
                          Canvas.__createCanvasWhenRules(<no args: exited>) on [ToolStripButton ID:topToolStripReportButton] @ ISC_Core.js:3468:14
                          _5(<no args: exited>) @ ISC_Core.js:3467:31
                          [c]Class.fireCallback(_1=>callback(), _2=>null, _3=>null, _4=>null, _5=>true) on [Class Timer] @ ISC_Core.js:305:104
                          Timer._fireTimeout(_1=>"$ir2", _2=>4, _3=>undef) on [Class Timer] @ ISC_Core.js:1756:166
                          <anonymous>() @ ISC_Core.js:1753:40
                          and

                          Uncaught TypeError: _2.getLocator is not a function
                          at _3.isc_c_AutoTest_getObjectLocator [as getObjectLocator] (ISC_Core.js?isc_vers…_2017-11-27.js:4283)
                          at _3.isc_Canvas__getObjectLocatorForWhenRules [as $177w] (ISC_Core.js?isc_vers…_2017-11-27.js:3466)
                          at _3.isc_Canvas___createCanvasWhenRules [as $190l] (ISC_Core.js?isc_vers…_2017-11-27.js:3468)
                          at _5 (ISC_Core.js?isc_vers…_2017-11-27.js:3467)
                          at _3.isc_c_Class_fireCallback [as fireCallback] (ISC_Core.js?isc_vers…p_2017-11-27.js:305)
                          at _3.isc_c_Timer__fireTimeout [as $in] (ISC_Core.js?isc_vers…_2017-11-27.js:1756)
                          at ISC_Core.js?isc_vers…_2017-11-27.js:1753

                          Maybe a bug in this version of SC?

                          Comment

                            #14
                            We are not reproducing this error using your code with a recent build.

                            Comment

                              #15
                              Updated to SmartClient_v111p_2018-03-29_PowerEdition and I'm still getting the same errors.

                              Comment

                              Previous 1 2 template Next
                              Working...
                              X