04-26-2018 01:28 AM
Hi All,
I find it hard to believe there is no way to restrict access by role to the native mobile app. I have tried using the Business Rule below but am getting mixed results.
We want ONLY ITIL users to use the mobile app at this time and want to restrict access to users with 'user' role.
// Business rule: aborts the current action when the referenced user has the
// 'user' role and the session is reported as mobile.
// NOTE(review): the poster's stated goal is "only ITIL users may use the mobile
// app", but the condition tests for the presence of 'user', not the absence of
// 'itil'. An account holding both roles is blocked by this rule — confirm which
// role the check should key on.
(function executeRule(current, previous /*null when async*/) {
    // current.user identifies the account the record refers to; the table this
    // rule runs on is not shown on the page.
    var targetUser = gs.getUser().getUserByID(current.user);

    // Role test first, then the mobile test, as in the posted rule.
    var blockedOnMobile = targetUser.hasRole('user') && gs.isMobile();

    if (blockedOnMobile) {
        current.setAbortAction(true);
    }
})(current, previous);
Please help I've spent too many hours combing the forums on something that should be an inherent feature of the app

04-27-2018 03:02 AM
I think you never changed the code
// In the Login script this line is taken from, an account is admitted on mobile
// only when a sys_user_has_role row exists for it with this role sys_id, so the
// value must be the sys_id of the role that is allowed to log in.
gr_roles.addQuery("role" , "2831a114c611228501d4ea6c309d626d");//Sys id of the role...admin here
Put the sys_id of the USER role here.
If you do that, any user who does not have the USER role will not be allowed to log in on mobile.

04-27-2018 02:04 AM
Hey,
Good attempt but next time run your code with more logs. It is simple to identify the mistake.
Here you go.. I have tested the code.. working!!!
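gs.include("PrototypeServer");

/**
 * Login class: authenticates the submitted user name and password and, when
 * gs.isMobile() reports a mobile session, admits the account only if it holds
 * the role whose sys_id is set in _hasMobileRole().
 *
 * NOTE(review): the role check covers only logins that reach process() with
 * user_name / user_password request parameters while gs.isMobile() is true.
 * Confirm how the native mobile app authenticates; a login path that does not
 * pass through here is not restricted by this script.
 */
var Login = Class.create();
Login.prototype = {
    initialize : function() {
    },

    /**
     * Handles one login request.
     *
     * @returns the result of GlideUser.getUser(userName) when the login is
     *          accepted, or the string "login.failed" when it is rejected.
     */
    process : function() {
        // the request is passed in as a global
        var userName = request.getParameter("user_name");
        var userPassword = request.getParameter("user_password");
        var user = GlideUser;

        var authed = user.authenticate(userName, userPassword);
        if (!authed) {
            this.loginFailed();
            return "login.failed";
        }

        // Sessions not reported as mobile are not restricted by this script.
        if (!gs.isMobile()) {
            return user.getUser(userName);
        }

        // Per the author's testing, gs.getUser() still returns the GUEST user
        // at this point, so the account is looked up by the submitted name.
        if (this._hasMobileRole(userName)) {
            return user.getUser(userName);
        }

        // Denied: no matching account row, or the account lacks the role.
        // The failure is reported exactly like a bad password, so the response
        // does not reveal that the credentials were valid.
        gs.log("User id " + userName + " was blocked logging in @ " + gs.now());
        this.loginFailed();
        // response.sendRedirect("logout_redirect.do"); //in case you want the user to get redirected to some page. Not tested but may work
        return "login.failed";
    },

    /**
     * Reports whether the account named userName holds the role allowed on
     * mobile. Returns false when no sys_user row matches the name, so a failed
     * lookup denies the login instead of falling through to the allow path.
     *
     * @param userName value of the user_name request parameter
     * @returns true when a sys_user_has_role row links the account to the role
     */
    _hasMobileRole : function(userName) {
        var gr_user = new GlideRecord("sys_user");
        gr_user.addQuery("user_name", userName);
        gr_user.query();
        if (!gr_user.next()) {
            return false;
        }

        var gr_roles = new GlideRecord("sys_user_has_role");
        // Sys id of the role allowed on mobile (the admin role here, per the
        // author); replace it with the sys_id of the role you want to admit.
        gr_roles.addQuery("role", "2831a114c611228501d4ea6c309d626d");
        gr_roles.addQuery("user", gr_user.sys_id);
        gr_roles.query();
        return gr_roles.next();
    },

    /**
     * Adds the login error message to the session: the LDAP connection error
     * when one is registered and non-empty, otherwise the "login_invalid"
     * system message.
     */
    loginFailed : function() {
        if (GlideController.exists("glide.ldap.error.connection")) {
            var ldapConnError = GlideController.getGlobal("glide.ldap.error.connection");
            if (GlideStringUtil.notNil(ldapConnError)) {
                GlideSession.get().addErrorMessage(ldapConnError);
            }
        } else {
            var message = GlideSysMessage.format("login_invalid");
            GlideSession.get().addErrorMessage(message);
        }
    }
};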
Hit Helpful and Mark it correct if it was 🙂
01-25-2022 12:33 AM
Hi Sagar,
I have modified the script as you suggested in the comment above, but all users can still access Now Mobile. I need to restrict access to only those users who have this custom-created role.
Script:
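gs.include("PrototypeServer");

/**
 * Login class: authenticates a user name / password login (or, when no user
 * name is submitted, a mutual-auth token) and, for password logins on a session
 * that gs.isMobile() reports as mobile, admits the account only if it holds the
 * role whose sys_id is set in _hasMobileRole().
 *
 * NOTE(review): the role check covers only password logins that reach
 * process() while gs.isMobile() is true. The mutual-auth branch below returns
 * the user without any role check, and a login path that does not pass through
 * this script is not restricted by it. Confirm how the native mobile app
 * authenticates before relying on this as the access control.
 */
var Login = Class.create();
Login.prototype = {
    initialize : function() {
    },

    /**
     * Handles one login request.
     *
     * @returns the result of GlideUser.getUser(...) when the login is accepted,
     *          or the string "login.failed" when it is rejected.
     */
    process : function() {
        // the request is passed in as a global
        var userName = request.getParameter("user_name");
        var userPassword = request.getParameter("user_password");
        var user = GlideUser;

        if (GlideStringUtil.notNil(userName)) {
            var authed = user.authenticate(userName, userPassword);
            if (authed) {
                // Sessions not reported as mobile are not restricted.
                if (!gs.isMobile() || this._hasMobileRole(userName)) {
                    return user.getUser(userName);
                }

                // Denied: no matching account row, or the role is missing.
                gs.log("User id " + userName + " was blocked logging in @ " + gs.now());
                this.loginFailed();
                // response.sendRedirect("logout_redirect.do"); //in case you want the user to get redirected to some page. Not tested but may work
                return "login.failed";
            }
        } else if (SNC.AuthenticationHelper.isMutualAuth()) {
            // Paired with the user-name test rather than with the password
            // result: a wrong password no longer falls back to the mutual-auth
            // token, and a request without a user name can reach this branch.
            var userLoginName = user.authenticateMutualAuthToken();
            if (userLoginName != null) {
                return user.getUser(userLoginName);
            }
        }

        // Every rejected login records an error message before returning.
        this.loginFailed();
        return "login.failed";
    },

    /**
     * Reports whether the account named userName holds the role allowed on
     * mobile. Returns false when no sys_user row matches the name, so a failed
     * lookup denies the login instead of falling through to the allow path.
     *
     * @param userName value of the user_name request parameter
     * @returns true when a sys_user_has_role row links the account to the role
     */
    _hasMobileRole : function(userName) {
        var gr_user = new GlideRecord("sys_user");
        gr_user.addQuery("user_name", userName);
        gr_user.query();
        if (!gr_user.next()) {
            return false;
        }

        var gr_roles = new GlideRecord("sys_user_has_role");
        gr_roles.addQuery("role", "711761fbdb45c150d19e94ed8a9619d5"); // Sys id of the role..nowmobile
        gr_roles.addQuery("user", gr_user.sys_id);
        gr_roles.query();
        return gr_roles.next();
    },

    /**
     * Adds the login error message to the session: the LDAP connection error
     * when one is registered and non-empty, otherwise "cert_login_invalid" for
     * a certificate login or "login_invalid" for any other login.
     */
    loginFailed : function() {
        var message;
        if (GlideController.exists("glide.ldap.error.connection")) {
            var ldapConnError = GlideController.getGlobal("glide.ldap.error.connection");
            if (GlideStringUtil.notNil(ldapConnError)) {
                GlideSession.get().addErrorMessage(ldapConnError);
            }
        // Loose comparison kept as posted; presumably the attribute may not be
        // a native JS string — confirm before tightening to ===.
        } else if (request.getSession().getAttribute("glide.authenticate.local.login.method") == "certificate") {
            message = GlideSysMessage.format("cert_login_invalid");
            GlideSession.get().addErrorMessage(message);
        } else {
            message = GlideSysMessage.format("login_invalid");
            GlideSession.get().addErrorMessage(message);
        }
    }
};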
Let me know whether I need to modify anything, or whether some other configuration is needed to restrict users from logging in.
04-27-2018 02:40 AM
Thanks Sagar,
I tested with a user that only has the user role, and unfortunately they were still able to log in to the Mobile app. Is there something I am still missing? I copied the entire snippet you posted.
Thank you for your continued help! This is the last item to check off before our rollout of Mobile.
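gs.include("PrototypeServer");

/**
 * Login class: authenticates the submitted user name and password and, when
 * gs.isMobile() reports a mobile session, admits the account only if it holds
 * the role whose sys_id is set in _hasMobileRole().
 *
 * NOTE(review): the role check covers only logins that reach process() with
 * user_name / user_password request parameters while gs.isMobile() is true.
 * Confirm how the native mobile app authenticates; a login path that does not
 * pass through here is not restricted by this script.
 */
var Login = Class.create();
Login.prototype = {
    initialize : function() {
    },

    /**
     * Handles one login request.
     *
     * @returns the result of GlideUser.getUser(userName) when the login is
     *          accepted, or the string "login.failed" when it is rejected.
     */
    process : function() {
        // the request is passed in as a global
        var userName = request.getParameter("user_name");
        var userPassword = request.getParameter("user_password");
        var user = GlideUser;

        var authed = user.authenticate(userName, userPassword);
        if (!authed) {
            this.loginFailed();
            return "login.failed";
        }

        // Sessions not reported as mobile are not restricted by this script.
        if (!gs.isMobile()) {
            return user.getUser(userName);
        }

        // Per the author's testing, gs.getUser() still returns the GUEST user
        // at this point, so the account is looked up by the submitted name.
        if (this._hasMobileRole(userName)) {
            return user.getUser(userName);
        }

        // Denied: no matching account row, or the account lacks the role.
        gs.log("User id " + userName + " was blocked logging in @ " + gs.now());
        this.loginFailed();
        // response.sendRedirect("logout_redirect.do"); //in case you want the user to get redirected to some page. Not tested but may work
        return "login.failed";
    },

    /**
     * Reports whether the account named userName holds the role allowed on
     * mobile. Returns false when no sys_user row matches the name, so a failed
     * lookup denies the login instead of falling through to the allow path.
     *
     * @param userName value of the user_name request parameter
     * @returns true when a sys_user_has_role row links the account to the role
     */
    _hasMobileRole : function(userName) {
        var gr_user = new GlideRecord("sys_user");
        gr_user.addQuery("user_name", userName);
        gr_user.query();
        if (!gr_user.next()) {
            return false;
        }

        var gr_roles = new GlideRecord("sys_user_has_role");
        // Sys id of the role allowed on mobile. This is still the value from
        // the posted example (commented there as the admin role); replace it
        // with the sys_id of the role you want to admit.
        gr_roles.addQuery("role", "2831a114c611228501d4ea6c309d626d");
        gr_roles.addQuery("user", gr_user.sys_id);
        gr_roles.query();
        return gr_roles.next();
    },

    /**
     * Adds the fixed text "Not allowed on mobile" to the session as the login
     * error message.
     *
     * NOTE(review): process() calls this for every rejected login, so a wrong
     * password on a non-mobile session shows the mobile text too, and a
     * registered LDAP connection error is replaced by it. Keeping one message
     * for all failures does avoid telling a blocked mobile user that the
     * password was correct; decide which behaviour is wanted.
     */
    loginFailed : function() {
        if (GlideController.exists("glide.ldap.error.connection")) {
            var ldapConnError = GlideController.getGlobal("glide.ldap.error.connection");
            if (GlideStringUtil.notNil(ldapConnError)) {
                GlideSession.get().addErrorMessage("Not allowed on mobile");
            }
        } else {
            // Looked up as in the posted script but never displayed.
            var message = GlideSysMessage.format("login_invalid");
            GlideSession.get().addErrorMessage("Not allowed on mobile");
        }
    }
};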

04-27-2018 03:02 AM
I think you never changed the code
// In the Login script this line is taken from, an account is admitted on mobile
// only when a sys_user_has_role row exists for it with this role sys_id, so the
// value must be the sys_id of the role that is allowed to log in.
gr_roles.addQuery("role" , "2831a114c611228501d4ea6c309d626d");//Sys id of the role...admin here
Put the sys_id of the USER role here.
If you do that, any user who does not have the USER role will not be allowed to log in on mobile.

04-27-2018 03:18 AM
I am hoping the above would work for you. It does for me absolutely fine. If you still need more help. Send me a hangout invite on ---------------@gmail.com
Sorry, had to remove the email.