‎10-03-2018 11:11 AM
What is the best way to determine whether a user being referenced on the current record has a role from a client script?
Creating an AJAX script include feels excessive for such a simple check. What's the best practice here?
Specifically, my scenario is that when changing a sys_user_delegate record, if the delegate is set to a user without an approval role, then the "Approvals" field is set to false and read-only.
Thanks,
Mark
‎10-04-2018 09:00 AM
If you want to reliably check whether a user who is not accessing the page has a role, you absolutely must do that using an AJAX call. The reason why is because client-side, most users will not have access to that information. (That is, it would be a security risk for some rando user Bob to know what roles some other rando user Alice has access to.) It must be queried server-side.
Here's one way to do it. Create the following script include, called AjaxUserUtil:
    var AjaxUserUtil = Class.create();
    AjaxUserUtil.prototype = Object.extendsObject(AbstractAjaxProcessor, {
        type: 'AjaxUserUtil',

        // Returns true if the given user (user ID or sys_id) has the given role.
        hasRole: function(user, role) {
            // When called through GlideAjax, read the arguments from the request.
            if (!user) user = this.getParameter('sysparm_user');
            if (!role) role = this.getParameter('sysparm_role');
            if (user && role)
                return gs.getUser().getUserByID(user).hasRole(role);
            return false;
        }
    });
Then client-side, do something like this:
    var ga = new GlideAjax('AjaxUserUtil');
    ga.addParam('sysparm_name', 'hasRole');
    ga.addParam('sysparm_user', 'jdoe');
    ga.addParam('sysparm_role', 'app_user');
    ga.getXML(function(resp) {
        var hasRole = JSON.parse(resp.responseXML.documentElement.getAttribute('answer'));
        if (hasRole) {
            // User has role. Note that admin users will always return true for
            // all roles.
        }
    });
(Substitute your actual user's user ID or sys_id for jdoe, and the role you want to check for in place of app_user.) Note that unless there's a hard requirement for doing so, I would avoid passing all user roles back to the client for checking client-side. That could be used as an exploit by a malicious user.
Hope this helps,
--Dennis R
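
A narrower version of the role check described above, as an added example that is not part of the original answer and is not ServiceNow code: it runs in plain Node.js against constructed sample data. The role name approver_user, the field names delegate and approvals, and every function name here are assumptions made for illustration.

```javascript
// Constructed sample data standing in for the user and role tables.
const USERS = {
  alice: ['approver_user', 'itil'],
  bob: ['itil'],
  root: ['admin'],
};
// Roles the delegate form is allowed to ask about (assumed role name).
const QUERYABLE_ROLES = new Set(['approver_user']);

const known = (id) => Object.prototype.hasOwnProperty.call(USERS, id);

// Stand-in for the platform's hasRole(): admin satisfies every role check.
function userHasRole(userId, role) {
  if (!known(userId)) return false;
  return USERS[userId].includes('admin') || USERS[userId].includes(role);
}

// Server-side handler: both parameters arrive from the browser and are untrusted.
function handleHasRole(params) {
  const user = typeof params.sysparm_user === 'string' ? params.sysparm_user : '';
  const role = typeof params.sysparm_role === 'string' ? params.sysparm_role : '';
  // Roles outside the allowlist are never evaluated, so the endpoint cannot be
  // used to map out who holds admin or any other role.
  if (!QUERYABLE_ROLES.has(role)) return 'false';
  // An unknown user and a user who lacks the role give the same answer.
  return String(userHasRole(user, role));
}

// Client side: accept only the literal string 'true'; anything else is "no".
function parseAnswer(answer) {
  return answer === 'true';
}

// Server-side enforcement (what a before-update rule would do): the read-only
// field in the browser is a convenience, so the saved value is corrected here.
function enforceDelegate(record) {
  const allowed = userHasRole(record.delegate, 'approver_user');
  return Object.assign({}, record, { approvals: allowed && record.approvals === true });
}
```

The allowlist keeps the endpoint answering only the question the form needs, and the enforcement step means a user who skips the client script still cannot save Approvals as true for a delegate without the role.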

‎10-04-2018 01:53 AM
This should give you the list of roles that a user has. Pass the sys_id of the user whose roles you want to getUserByID().
    var userObject = gs.getUser().getUserByID('4a68fb5f094b12005f24fc5dc9f27dc5');
    gs.print(userObject.getRoles());
Since it is server side, place it in a script include and access it via GlideAjax.
‎10-04-2018 08:38 AM
Okay thanks Kalai.
Was wondering if there was a better way that avoids having to do that. Will create an AJAX-callable role utils script include.
‎10-04-2018 11:15 AM
Hi Dennis,
That makes total sense, thank you for spelling it out. Have marked you correct and helpful!