topic Re: What message does IdentityManager provide for insufficient access? in ArcGIS JavaScript Maps SDK Questions

What message does IdentityManager provide for insufficient access?

NaciDilekli — Mon, 14 Aug 2017 22:04:40 GMT

I have two types of users in my ArcGIS server user base; mappers and editors. As you can imagine only editors can view and edit the FeatureLayers. I see a strange behavior, though. When prompted for login at a site with secured services, a mapper can enter his/her credentials, without any problems at the login screen. Mapper user won't be able to see the featurelayers, but the server won't generate any errors either.

So I thought I could manually create an alert or something, based on the successful / failed authorization. For that, I looked at what IdentityManager generates for the mapper vs editor users. The results look identical. For both of them, findCredential method (with userId and secured service URL as parameters) return this credential object:

creationTime:1502747512054
expires:1502751112194
isAdmin:undefined
resources:["some service"]
scope:"server"
server:"some server"
ssl:false
token:"IcXTutjVEYmbP7LuYKqmO-wDyUx56vW5xjbN8LrENGo."
userId:"someMapper/Editor"
validity:60

First, how come the server generates a token with validity for a mapper user, while that user can't view that resource?

Secondly, how can I programmatically tell if a user has or doesn't have access to some resource?

Thanks

Re: What message does IdentityManager provide for insufficient access?

ThomasSolow — Tue, 15 Aug 2017 13:59:00 GMT

Token are not generated per resource, just per user. So a mapper is generating a token the same way an editor is, their token will just not be accepted when they try to access a resource they don't have permission to view.

I'm not sure the best way for you to handle this, but you may want to have users login using OAuth (that's 3.XX). Once the user has logged in, you'll have PortalUser object, which has information about that user's role and privileges. You could check this object and show a warning.

Another option is just to add a catch to the code that adds the layers in question. When a tries to view a layer, a request is made to the server for the layer information. If the user doesn't have permission, an error is thrown from within the asynchronous request code. You can tap into this error by adding a .catch(err => <show error dialogue>) to the asynchronous code that is loading the layer(s). It's hard for me to say more without knowing how layers are being added/other specific details about your application.

Re: What message does IdentityManager provide for insufficient access?

NaciDilekli — Tue, 15 Aug 2017 17:47:50 GMT

Thanks for the reply. I think the second method makes more sense as I understand OAuth is designed for ArcGIS online users(?). It would make more sense if the IdentityManager had a method [e.g. Boolean hasAccess(userId, url)] to return info on access to certain services.

Re: What message does IdentityManager provide for insufficient access?

ThomasSolow — Sun, 12 Dec 2021 03:21:20 GMT

OAuth works fine for AGOL users or Portal users.

I agree that that would be a nice convenience method. You could write it yourself though, something like:

function checkUserPermissions(token, featureLayerURL){
  return esriRequest(featureLayerURL,{
    query: {
      token: token,
      f: 'json'
    }
  })
  .then(r => true)
  .otherwise(err => false);
}‍‍‍‍‍‍‍‍‍‍