Using the user management built into the Client GUI. Have discovered a few items I wish to prevent, not sure about the best way to go about it. I have 3 roles defined, user, operator, administrator.
Only the administrator has access to the user management screen. However, it looks like this user can go in and delete their own account. There appears to be a warning but it doesn't stop you from doing it.
Also, need to limit users to only having one of the predefined roles. Is there a way to limit this?
If you’re using 7.9.1+, check out the onDeleteUser and onSaveUser extension functions for that component. (docs) You can reject the delete or save if it doesn’t meet your requirements.
Upon further inspection it appears that the onSaveUser may not work for what I'm looking for…
The function works. I can reject saves based on the user role but it seems to be based on the role that the user is currently assigned to, not what is selected in the role boxes when creating or editing a user. Are there functions to access those specific check boxes?
Is it also giving you the currently assigned role though?
For example, if the user I am editing has role administrator and I deselect the administrator checkbox and then hit save, does it still return administrator? FYI I tested this in 7.9.0
I wrote a quick script for the onSaveUser extension function showing how you can get all the possible info you need:
# How to get user info for person doing the editing
loggedInUserName = system.security.getUsername()
loggedInUser = system.user.getUser("", loggedInUserName)
print "Logged in user", loggedInUserName, "has these roles:", loggedInUser.getRoles()
# How to get unedited info for person being edited (might not be logged in user)
editedUser = system.user.getUser("", user.get('Username'))
print "Edited user", editedUser.get('Username'), "has these roles:", editedUser.getRoles()
# How to get the edited values
print "After editing, user", user.get('Username'), "will have these roles:", user.getRoles()
saveContext.rejectSave("Testing")
The output was this:
Logged in user admin has these roles: [Administrator]
Edited user JaneDoe has these roles: [User]
After editing, user JaneDoe will have these roles: [My Super Role]
13:10:09.025 [SwingWorker-pool-466102072-thread-8] INFO Vision.Components.UserManagementPanel - User save rejected: Testing
Was sidetracked on other projects, have implemented this and it is working. I am just getting the length of the ‘will have these roles’ list and if it is greater than 1 I am rejecting the save. This is working well.
Have found another issue. Say I change the user’s role from admin to user. In my project there are many permissions to various screens, functions, etc. that an admin has and a user doesn't. When I change this account’s role it does not appear to take effect until that user is logged out and back in again. Is there a way to auto log out this user by using this extension as well? Also, they may be logged into another client at the time the change is made.
For the client the user made the change in, logging them out is pretty simple: system.security.logout()
For other clients, you might look at using system.util.sendMessage() to send a message to the appropriate clients, which will then use system.security.logout() to log out the user. system.util.getSessionInfo() will give you which clients to log out.
Have found another strange bug with this. When editing an existing user's roles this script works and only limits them to one. However, when creating a new user it will not work. Seems to hang up because this user does not have a user name yet? Is this because it is not created until the save is actually processed?
Right, the user is not created until the save completes. You’ll need to add more logic if you want that script to work for both new and existing users.
How is this possible? If the user is not created until after the save is complete then there is no way to access the info that will be saved until they are created.
The component has the info, it’s just that the user isn’t created in the user source yet. If they were already created in the user source, onSave would not be much use.
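A sketch of the check discussed in this thread that decides from the values held by the component, so it behaves the same for new and existing accounts. This is an added example, not code from any poster or from Ignition; `evaluate_save`, `handle_on_save_user` and the `lookup_user` wrapper are hypothetical names, and it assumes the user-source lookup yields None for an account that has not been created yet.

```python
# Added example. Role names come from the thread; helper names are hypothetical.
ALLOWED_ROLES = frozenset(["user", "operator", "administrator"])


def evaluate_save(pending_roles, existing_roles):
    """Decide on a save from the values in the component, not the user source.

    pending_roles  -- roles selected in the editor (user.getRoles() in onSaveUser)
    existing_roles -- roles currently stored, or None when the account is new
    Returns (reject_reason, needs_relogin); reject_reason is None to allow the save.
    """
    # Compare case-insensitively (assumption: "Administrator" == "administrator").
    pending = [str(r).strip().lower() for r in (pending_roles or [])]
    if len(pending) != 1:
        return ("Select exactly one role (%d selected)" % len(pending), False)
    if pending[0] not in ALLOWED_ROLES:
        return ("Role '%s' is not one of the predefined roles" % pending[0], False)
    if existing_roles is None:
        return (None, False)  # new account: nobody is logged in as it yet
    current = sorted(str(r).strip().lower() for r in existing_roles)
    # A role change only takes effect at next login, so flag it for the caller.
    return (None, current != pending)


def handle_on_save_user(user, saveContext, lookup_user):
    """Body for onSaveUser. Inside Ignition, pass
    lookup_user = lambda name: system.user.getUser("", name)."""
    name = user.get('Username')
    # Assumption: the lookup returns None when the account does not exist yet.
    existing = lookup_user(name) if name else None
    existing_roles = existing.getRoles() if existing is not None else None
    reason, needs_relogin = evaluate_save(user.getRoles(), existing_roles)
    if reason is not None:
        saveContext.rejectSave(reason)
    return needs_relogin
```

When `handle_on_save_user` returns True, the role of an existing account changed, which is the point at which the logout message to other clients described above would be sent.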