Perspective - getting windows username (Howto)

So with Vision, we were able to directly access the Windows username of the client via client tags. We used this in an "autolaunch" project that was set up to run on all our Kiosk systems. This project would take the username, and look it up in a SQL query. The query would return the gateway, project, and parameters that we actually wanted the Kiosk to be running. The project then did a Redirect to send the system to the desired project. Worked great, as it allowed us to maintain a bunch of Kiosks with a single database.

With Perspective, you can't do quite the same thing. The Browser doesn't have access to the underlying Windows usernames, etc. Good reasons, but made it painful. Here's what we've done to work around it.

We autostart on Windows boot a shortcut that points to Chrome. We've set the target to:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-fullscreen "https://gatewayaddress:8043/data/perspective/client/perspautostart/?username=%username%"

The %username% is a Windows variable that will be filled in automatically via Windows when it executes the shortcut. perspautostart happens to be the name of the Perspective project that handles the magic.

In that project, we created a single page at "/".

On that page, we created an onStartup system event.

	def runAction(self):
		#clear namedquery cache so we get a good result
		system.db.clearAllNamedQueryCaches()
		
		#get the username that was passed via the url parameter
		varusername = self.page.props.urlParams['username']
		
		#create a dictionary to pass to the NamedQuery
		params = {"username":varusername}
	
		#run namedquery against autolaunchclients
		result=system.db.runNamedQuery("getredir",params)
		
		#get number of rows in the result
		rows = result.getRowCount()
		
		if rows == 1: #user was found, proceed
			#change result to a pydataset for ease of access
			pydataresult = system.dataset.toPyDataSet(result)
			
			#extract values
			P_or_V = pydataresult.getValueAt(0, "Persp_or_Vision")
			
			if P_or_V == "P": #user is a Perspective client, proceed
				Gateway = pydataresult.getValueAt(0, "Gateway")
				Project = pydataresult.getValueAt(0, "Project")
				Params = pydataresult.getValueAt(0, "Parameters")
				#join them to make the proper string
				newurl="https://" + Gateway + "/data/perspective/client/" + Project + "/" + Params
				#send the user on their way
				system.perspective.navigate(url=newurl)
			else: #invalid entry in the column. Tell the user to tell us
				#stuff goes here to tell anyone that sees the message to tell us so we can fix it
				pass
		else: #user not in database
			#stuff goes here to tell anyone that sees the message to tell us so we can fix it
			pass

So, anyone who notices this can supply whatever they want, and spoof any privileged person whose user name they know? Just by editing the URL?

:frowning_face:

If you need reliable information about the local user or machine that is really difficult to spoof, use Vision. Full stop.

We don't use it for authentication. Just to redirect to the project we want the Kiosk to use. Which is always a view only project. Anything we require authentication for, we use our IdP to authenticate.

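An added example, not code from any poster in this thread: one way to treat the `username` URL parameter as an untrusted routing hint, so that an edited URL can only ever resolve to a destination the kiosk table and a gateway allow-list both permit. The allow-listed host, the three regex shapes and the names `resolve_kiosk_redirect`, `sample_lookup` and `SAMPLE_ROWS` are assumptions; the column names and URL layout are the ones in the script above.

```python
import re

# Assumed allow-list of gateways a kiosk may be sent to (hypothetical host).
ALLOWED_GATEWAYS = {"gw1.example.internal:8043"}
# Assumed shapes for the account name, project name and Parameters column.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}\Z")
PROJECT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\Z")
PARAMS_RE = re.compile(r"^[A-Za-z0-9_./?=&%-]*\Z")


def resolve_kiosk_redirect(url_params, lookup):
    """Return (url, None) for an acceptable redirect, else (None, reason).

    url_params: dict of page URL parameters (client-controlled, untrusted).
    lookup: callable(username) -> list of row dicts keyed by the column
            names the original script reads.
    """
    username = url_params.get("username")
    if not username or not USERNAME_RE.match(username):
        return None, "missing or malformed username parameter"
    rows = lookup(username)  # only reached with a well-formed name
    if len(rows) != 1:
        return None, "no unique entry for this username"
    row = rows[0]
    if row["Persp_or_Vision"] != "P":
        return None, "entry is not a Perspective client"
    if row["Gateway"] not in ALLOWED_GATEWAYS:
        return None, "gateway is not on the allow-list"
    if not PROJECT_RE.match(row["Project"]):
        return None, "malformed project name"
    params = row["Parameters"] or ""
    if not PARAMS_RE.match(params) or ".." in params:
        return None, "malformed parameters"
    return "https://%s/data/perspective/client/%s/%s" % (
        row["Gateway"], row["Project"], params), None


# Constructed sample table standing in for the named query result.
SAMPLE_ROWS = {
    "kiosk01": [{"Persp_or_Vision": "P", "Gateway": "gw1.example.internal:8043",
                 "Project": "lineview", "Parameters": "?line=3"}],
    "kiosk02": [{"Persp_or_Vision": "P", "Gateway": "other.example.net",
                 "Project": "lineview", "Parameters": ""}],
}


def sample_lookup(username):
    return SAMPLE_ROWS.get(username, [])
```

In the startup script, `lookup` would wrap the `getredir` named query and the returned URL would be handed to `system.perspective.navigate`; the returned reason string is what the "tell us so we can fix it" branches can display or log.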