Mobile App Login restriction

chadp
Mega Contributor

Hi All, 

 

I find it hard to believe there is no way to restrict access by role to the native mobile app. I have tried using the Business Rule below but am getting mixed results.

We want ONLY ITIL users to use the mobile app at this time and want to restrict access to users with 'user' role.

//Disables login for users without an ITIL role
(function executeRule(current, previous /*null when async*/) {
	var user = current.user;	
	if(gs.getUser().getUserByID(user).hasRole('user')  && gs.isMobile()){
		current.setAbortAction(true);
	}	
})(current, previous);

Please help, I've spent too many hours combing the forums on something that should be an inherent feature of the app.

 

 

1 ACCEPTED SOLUTION

I think you never changed the code

gr_roles.addQuery("role" , "2831a114c611228501d4ea6c309d626d");//Sys id of the role...admin here

Put the sys_id of the USER role here.

If you do that, any user who does not have the USER role will not be allowed to log in on mobile.


16 REPLIES

Hi Sagar, 

 

Unfortunately this seems to have stopped working now, after initial tests made it work. Any idea why it would stop after some time?

Pretty hard to guess what reasons would do that. We have done this earlier and it still works.

It is strange. Here is the code below showing the sys_id for admin, and I am able to log in as syn user.

gs.include("PrototypeServer");

var Login = Class.create();
Login.prototype = {
	initialize : function() {
	},
	
	process : function() {
		// the request is passed in as a global
		var userName = request.getParameter("user_name");
		var userPassword = request.getParameter("user_password");
		
		var user = GlideUser;
		var authed = user.authenticate(userName, userPassword);
		if (authed){
			
			//gs.log("Test " + authed.toString() + " isMobile? " +gs.isMobile());//This works perfect
			//gs.log("Test2 " + gs.getUser().getName());//This is the problem. The user retrieved here is always a GUEST user. So we need to achieve it in a different way.
			
			if(gs.isMobile()){
				var gr_user = new GlideRecord("sys_user");
				gr_user.addQuery("user_name",userName);
				gr_user.query();
				
				if(gr_user.next())
					{
					var gr_roles = new GlideRecord("sys_user_has_role");
					gr_roles.addQuery("role" , "2831a114c611228501d4ea6c309d626d");//Sys id of the role...admin here
					gr_roles.addQuery("user" , gr_user.sys_id);
					gr_roles.query();
					
					if(gr_roles.next()){
						
						return user.getUser(userName);
						
					}
					else{
						gs.log("User id "+ gr_user.user_name +" was blocked logging in @ "+gs.now());
						this.loginFailed();
						// response.sendRedirect("logout_redirect.do"); //in case you want the user to get redirected to some page. Not tested but may work
						return "login.failed";
						
					}
					
				}
			}
			return user.getUser(userName);
		}
		
		this.loginFailed();
		
		return "login.failed";
	},
	
	loginFailed : function() {
		if (GlideController.exists("glide.ldap.error.connection")) {
			var ldapConnError = GlideController.getGlobal("glide.ldap.error.connection");
			if ( GlideStringUtil.notNil(ldapConnError) )
				GlideSession.get().addErrorMessage("Not allowed on mobile");
		} else {
			var message = GlideSysMessage.format("login_invalid");
			GlideSession.get().addErrorMessage("Not allowed on mobile");
		}
		
	}
	
};

Can you provide me with your instance "admin" role sys id please?

chadp
Mega Contributor

Thank you so much for your time and help, I now have a much better understanding of installation exits! 

 

I have marked correct.  Have a good one Sagar!
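
Added example, not code from this thread or from ServiceNow: the allow/deny decision that the Login installation exit above makes for mobile logins, modelled over in-memory rows so it runs outside an instance. Unlike the posted script, it resolves the role by name instead of a hard-coded sys_id and denies the mobile login when a lookup comes back empty. The helper name mobileLoginDecision, the sample rows and the placeholder sys_ids are assumptions; on an instance each lookup would be a GlideRecord query on the table of the same name.

```javascript
// In-memory stand-ins for the three tables the installation exit reads.
// All rows are constructed sample data; the sys_ids are placeholders.
const tables = {
  sys_user: [
    { sys_id: "u-itil", user_name: "itil.agent" },
    { sys_id: "u-ess", user_name: "ess.user" },
  ],
  sys_user_role: [
    { sys_id: "r-itil", name: "itil" },
    { sys_id: "r-admin", name: "admin" },
  ],
  sys_user_has_role: [
    { user: "u-itil", role: "r-itil" },
    { user: "u-ess", role: "r-stale" }, // points at a role row that does not exist
  ],
};

// Hypothetical helper (not a ServiceNow API). Returns { allow, reason } so the
// caller can log why a mobile login was blocked.
function mobileLoginDecision(db, userName, isMobile, requiredRoleName) {
  // Desktop/browser logins are not restricted by this gate.
  if (!isMobile) return { allow: true, reason: "not-mobile" };

  // Resolve the role by name instead of hard-coding a sys_id in the script.
  const role = db.sys_user_role.find((r) => r.name === requiredRoleName);
  if (!role) return { allow: false, reason: "role-not-found" };

  // Fail closed: an authenticated name with no sys_user row is denied on mobile.
  const user = db.sys_user.find((u) => u.user_name === userName);
  if (!user) return { allow: false, reason: "user-not-found" };

  // Same membership test as the sys_user_has_role query in the posted script.
  const hasRole = db.sys_user_has_role.some(
    (m) => m.user === user.sys_id && m.role === role.sys_id
  );
  return hasRole
    ? { allow: true, reason: "has-role" }
    : { allow: false, reason: "missing-role" };
}
```

The reason string is what would go into the gs.log line of the installation exit, so blocked mobile logins can be told apart from a misconfigured role name.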