Best way to check if specific user has a role in a client script? ie not current user

Go to solution
Mark233
Giga Expert

‎10-03-2018 11:11 AM

What is the best way to determine whether a user being referenced on the current record has a role from a client script?

 

Creating an ajax script include feels excessive for such a simple check, what's the best practice here?

 

Specifically my scenario is that when changing a sys_user_delegate record if the delegate is set to a user without an approval role then the "Approvals" field is set false and read only

Thanks,

Mark

0 Helpfuls
  • 28,659 Views
1 ACCEPTED SOLUTION

Go to solution
Dennis R
Tera Guru

‎10-04-2018 09:00 AM

If you want to reliably check whether a user who is not accessing the page has a role, you absolutely must do that using an AJAX call. The reason why is because client-side, most users will not have access to that information. (That is, it would be a security risk for some rando user Bob to know what roles some other rando user Alice has access to.) It must be queried server-side.

Here's one way to do it. Create the following script include, called AjaxUserUtil:

var AjaxUserUtil = Class.create();
AjaxUserUtil.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    type: 'AjaxUserUtil',
    hasRole: function(user, role) {
        if (!user) user = this.getParameter('sysparm_user');
        if (!role) role = this.getParameter('sysparm_role');
        if (user && role)
            return gs.getUser().getUserByID(user).hasRole(role);
    },
});

Then client-side, do something like this:

var ga = new GlideAjax('AjaxUserUtil');
ga.addParam('sysparm_name', 'hasRole');
ga.addParam('sysparm_user', 'jdoe');
ga.addParam('sysparm_role', 'app_user');
ga.getXML(function(resp) {
    var hasRole = JSON.parse(resp.responseXML.documentElement.getAttribute('answer'));
    if (hasRole) {
        // User has role. Note that admin users will always return true for
        // all roles.
    }
});

(Substitute your actual user's user ID or sys_id for jdoe, and the role you want to check for in for app_user.) Note that unless there's a hard requirement for doing so, I would avoid passing all user roles back to the client for checking client-side. That could be used as an exploit by a malicious user.

Hope this helps,
--Dennis R

View solution in original post

8 REPLIES 8

Go to solution
bardakov
Tera Expert

‎10-03-2018 11:16 AM

To check the role of the user on the client side, you can use g_user.hasRole('your_role')
For example:

g_user.hasRole('itil');

https://developer.servicenow.com/app.do#!/api_doc?v=kingston&id=r_GlideUser-hasRole_String

Go to solution
chrissquires1
Tera Guru
In response to bardakov

‎10-03-2018 11:34 AM

Keep in mind that this will always return true for a user with 'admin' role.

0 Helpfuls

Go to solution
Mark233
Giga Expert
In response to bardakov

‎10-04-2018 01:32 AM

Hi Viktor,

 

Unfortunately I need to check whether a user who is NOT the current logged in user has a role. The user I want is referenced on the record being viewed.

 

I believe g_user.hasRole() can only be used for the current logged in user?

Go to solution
Brandon R1
Tera Contributor
In response to Mark233

‎04-22-2021 10:33 AM

I'm needing to do something similar. Did you manage to get this working without using g_user.hasRole() so you can reference the NOT logged-in user??

Basically, what do you use in the ajax instead of:

gs.getUser().getUserByID(user).hasRole(role);

and, in the Catalog Client Script, if I need to check the roles for the user selected in a reference variable for 'caller_id', do I still use this:

ga.addParam('sysparm_user', 'jdoe');

Thanks,

Brandon

0 Helpfuls