
Best way to check if specific user has a role in a client script? ie not current user

Mark233
Giga Expert

What is the best way to determine whether a user being referenced on the current record has a role from a client script?

Creating an AJAX script include feels excessive for such a simple check. What's the best practice here?

Specifically, my scenario is that when changing a sys_user_delegate record, if the delegate is set to a user without an approval role, then the "Approvals" field is set to false and read-only.

Thanks,

Mark

1 ACCEPTED SOLUTION

Dennis R
Tera Guru

If you want to reliably check whether a user who is not accessing the page has a role, you absolutely must do that using an AJAX call. The reason why is because client-side, most users will not have access to that information. (That is, it would be a security risk for some rando user Bob to know what roles some other rando user Alice has access to.) It must be queried server-side.

Here's one way to do it. Create the following script include, called AjaxUserUtil:

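// Client-callable script include: answers "does this user have this role?"
// with a single boolean, so no role list ever leaves the server.
var AjaxUserUtil = Class.create();
AjaxUserUtil.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    type: 'AjaxUserUtil',
    // Callable from server code with arguments, or via GlideAjax with
    // the sysparm_user / sysparm_role parameters.
    hasRole: function(user, role) {
        if (!user) user = this.getParameter('sysparm_user');
        if (!role) role = this.getParameter('sysparm_role');
        if (user && role)
            return gs.getUser().getUserByID(user).hasRole(role);
        return false; // missing parameter: report "no role" explicitly
    }
});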

Then client-side, do something like this:

var ga = new GlideAjax('AjaxUserUtil');
ga.addParam('sysparm_name', 'hasRole');
ga.addParam('sysparm_user', 'jdoe');
ga.addParam('sysparm_role', 'app_user');
ga.getXML(function(resp) {
    var hasRole = JSON.parse(resp.responseXML.documentElement.getAttribute('answer'));
    if (hasRole) {
        // User has role. Note that admin users will always return true for
        // all roles.
    }
});

(Substitute your actual user's user ID or sys_id for jdoe, and the role you want to check for in for app_user.) Note that unless there's a hard requirement for doing so, I would avoid passing all user roles back to the client for checking client-side. That could be used as an exploit by a malicious user.

Hope this helps,
--Dennis R
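
The asker's sys_user_delegate scenario wired to the AjaxUserUtil script include from the answer above, as an added example that is not part of the original thread. It assumes an onChange client script on the delegate field, a checkbox field named approvals, and approver_user standing in for "an approval role"; only a literal 'true' answer unlocks the field, so a failed or denied lookup leaves it locked.

```javascript
// onChange client script for sys_user_delegate, field "delegate" (added example).
// Assumptions: AjaxUserUtil is marked client callable; the role and field
// names below are placeholders for the instance's real ones.
var APPROVAL_ROLE = 'approver_user';
var APPROVALS_FIELD = 'approvals';

function onChange(control, oldValue, newValue, isLoading) {
    if (isLoading) {
        return; // no lookup while the form is still loading
    }
    if (!newValue) {
        // Delegate cleared: nothing to check, leave the field editable.
        g_form.setReadOnly(APPROVALS_FIELD, false);
        return;
    }
    var ga = new GlideAjax('AjaxUserUtil');
    ga.addParam('sysparm_name', 'hasRole');
    ga.addParam('sysparm_user', newValue); // sys_id of the selected delegate
    ga.addParam('sysparm_role', APPROVAL_ROLE);
    ga.getXMLAnswer(function (answer) {
        // Drop a late response if the delegate was changed again meanwhile.
        if (g_form.getValue('delegate') !== newValue) {
            return;
        }
        // The server sends back one boolean as text; anything other than
        // 'true' (null, '', an error page) is treated as "no role".
        applyApprovalState(answer === 'true');
    });
}

function applyApprovalState(hasRole) {
    if (hasRole) {
        g_form.setReadOnly(APPROVALS_FIELD, false);
    } else {
        g_form.setValue(APPROVALS_FIELD, false);
        g_form.setReadOnly(APPROVALS_FIELD, true);
    }
}
```

Client-side read-only only shapes the form; if the rule matters, enforce it again server-side, for example in a business rule on sys_user_delegate.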


8 REPLIES

Kalaiarasan Pus
Giga Sage

This should give you the list of roles that a user has. Pass the sys_id of the user whose roles you want to getUserByID().

var userObject = gs.getUser().getUserByID('4a68fb5f094b12005f24fc5dc9f27dc5');
gs.print(userObject.getRoles());

Since it is server-side, place it in a script include and access it via GlideAjax.

Okay, thanks Kalai.

Was wondering if there was a better way that avoids having to do that. Will create an AJAX-callable role utils script include.

Hi Dennis,

That makes total sense, thank you for spelling it out. Have marked you correct and helpful!