User Management hide admin users and roles

Hi,

By reading other topics in the forum I came up with a simple code that hides Admin roles and Admin users from the user management.

With filterUser and filterRole:

def filterUser(self, user):
    """
    Called for each user loaded into the management table. Return false to
    hide this user from the management table. This code is executed in a
    background thread.

    Arguments:
        self: A reference to the component that is invoking this function.
        user: The user object itself. Call user.get('propertyName') to
              inspect. Common properties: 'username', 'schedule', 'language'. Call
              user.getRoles() for a list of rolenames.
    """
    userName = system.security.getUsername()  # logged in user
    userIn = system.user.getUser("", userName)
    rolesIn = userIn.roles  # roles for current user
    roleNames = user.getRoles()  # inspect user role loaded in management table

    if "Administrator" in roleNames:
        return 0
    else:
        return 1

def filterRole(self, role):
    """
    Called for each role loaded into the management table. Return false to
    hide this role from the management table. This code is executed in a
    background thread.

    Arguments:
        self: A reference to the component that is invoking this function.
        role: The role name.
    """

    if role == "Administrator":
        return 0
    else:
        return 1

I have three roles: Administrator, Maintenance, Operator. All of them can edit the user management table.

The bug is: when I delete the current user with non-admin roles, all Admin users and roles start showing in the table, meaning that it is possible to change them.

I wonder, who is really logged in when I delete the current user?

Thank you

Edit, Ignore this

Hi @tupanaster, not sure if I've missed something but you state:

Should the following statement:

actually be:

if role == "Administrator":
    return 1
else:
    return 0

EDIT: I think I understand now, you're hiding it regardless of the current user logged in?

This confused me, as I assumed you were doing some form of check, but it doesn't seem to be used anywhere.

Anyway, the logic is not failing 'safe'. Therefore, if user.getRoles() returns nothing it will always return true. I would switch it to:

if "Administrator" not in roleNames and roleNames:
    return 1
else:
    return 0

I think the problem is that the users are allowed to delete themselves. Once the user is gone, there is nothing tying that user to the usersource, and the project is still running.

Either keep the user from deleting himself, or force a logout if he does.


If the user is not an Admin then it hides the Admin user and the Admin role. If an Admin user is logged in he can see all users and roles.

This is something to keep in mind.

I have to think about this one. "roleNames AND roleNames"? roleNames itself should be "true or false"?

Either choice sounds like a good solution.

Is it weird the way I am using the User management? Is there a better or common approach?

roleNames is a list. If a list is empty it returns false in an if statement.

It is doing 2 checks:

  1. "Administrator" not in roleNames
  2. checking if roleNames is empty

Another way to look at it is:

if ("Administrator" not in roleNames) and (roleNames):
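As an added example (not code from the thread or from Ignition), here is the fail-safe filter logic discussed in the two replies above, written so it runs outside Ignition: the role lists that the original post obtains from system.user.getUser(...).roles and user.getRoles() are passed in as plain Python lists, an empty or missing role list hides the row instead of showing it, and a viewer whose own lookup fails (for example after deleting themselves) is treated as a non-administrator. FakeUser is a constructed stand-in for the Ignition user object.

```python
# Added example: fail-closed versions of the filterUser / filterRole checks.
# Not Ignition's code; the system.* calls from the post are replaced by lists.

ADMIN_ROLE = "Administrator"


def is_admin(roles):
    """True only for a non-empty role collection that contains ADMIN_ROLE.
    None (viewer lookup failed, e.g. the user just deleted themselves) is
    not an administrator."""
    return bool(roles) and ADMIN_ROLE in roles


def should_show_user(viewer_roles, target_roles):
    """Decide whether a user row is displayed in the management table.

    - An Administrator viewer sees everyone.
    - Anyone else never sees Administrator users.
    - A target with no roles (None or []) is hidden, so an empty
      getRoles() result fails closed instead of open.
    """
    if is_admin(viewer_roles):
        return True
    if not target_roles:  # None or empty list -> hide
        return False
    return ADMIN_ROLE not in target_roles


def should_show_role(viewer_roles, role):
    """Hide the Administrator role from non-administrator viewers."""
    if is_admin(viewer_roles):
        return True
    return role != ADMIN_ROLE


class FakeUser(object):
    """Constructed stand-in for the Ignition user object (test data only)."""

    def __init__(self, roles):
        self._roles = roles

    def getRoles(self):
        return list(self._roles)


def filterUser(viewer_roles, user):
    """Hook-shaped wrapper: in Ignition, viewer_roles would come from
    system.user.getUser("", system.security.getUsername()).roles."""
    return should_show_user(viewer_roles, user.getRoles())
```

The hook returns Python booleans; Ignition accepts these in place of the 0/1 used in the original post.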

I'd say the first question is why does everyone have access to user management?

A high level of security is not required and there isn’t that much personnel in the plant. It is important to limit Admin access so they won’t have access to the gateway. It is also important to limit other companies’ access to the Gateway until our warranty is due.

I came up with this idea to make it simple but now I’m not sure if it was the best approach.