What message does IdentityManager provide for insufficient access?

08-14-2017 03:04 PM
NaciDilekli
Occasional Contributor

I have two types of users in my ArcGIS Server user base: mappers and editors. As you can imagine, only editors can view and edit the FeatureLayers. I see a strange behavior, though. When prompted for login at a site with secured services, a mapper can enter his/her credentials without any problems at the login screen. The mapper user won't be able to see the FeatureLayers, but the server won't generate any errors either.

So I thought I could manually create an alert or something based on the successful / failed authorization. For that, I looked at what IdentityManager generates for the mapper vs. editor users. The results look identical. For both of them, the findCredential method (with userId and secured service URL as parameters) returns this credential object:

  creationTime: 1502747512054
  expires: 1502751112194
  isAdmin: undefined
  resources: ["some service"]
  scope: "server"
  server: "some server"
  ssl: false
  token: "IcXTutjVEYmbP7LuYKqmO-wDyUx56vW5xjbN8LrENGo."
  userId: "someMapper/Editor"
  validity: 60

First, how come the server generates a token with validity for a mapper user while that user can't view that resource?

Secondly, how can I programmatically tell if a user has or doesn't have access to some resource?

Thanks

3 Replies
ThomasSolow
Occasional Contributor III

Tokens are not generated per resource, just per user. So a mapper generates a token the same way an editor does; their token will just not be accepted when they try to access a resource they don't have permission to view.

I'm not sure of the best way for you to handle this, but you may want to have users log in using OAuth (that's 3.XX). Once the user has logged in, you'll have a PortalUser object, which has information about that user's role and privileges. You could check this object and show a warning.

Another option is just to add a catch to the code that adds the layers in question. When a user tries to view a layer, a request is made to the server for the layer information. If the user doesn't have permission, an error is thrown from within the asynchronous request code. You can tap into this error by adding a .catch(err => <show error dialogue>) to the asynchronous code that is loading the layer(s). It's hard for me to say more without knowing how layers are being added or other specific details about your application.

NaciDilekli
Occasional Contributor

Thanks for the reply. I think the second method makes more sense, as I understand OAuth is designed for ArcGIS Online users(?). It would make more sense if the IdentityManager had a method [e.g. Boolean hasAccess(userId, url)] to return info on access to certain services.

ThomasSolow
Occasional Contributor III

OAuth works fine for AGOL users or Portal users.

I agree that would be a nice convenience method. You could write it yourself though, something like:

// ArcGIS API for JavaScript 4.x style request (Dojo promise, hence .otherwise).
require(["esri/request"], function (esriRequest) {
  // Resolves to true if the layer's JSON description can be fetched with this
  // token, false otherwise. Note that any rejection, including a network error
  // or an expired token, is reported as "no access" by this version.
  function checkUserPermissions(token, featureLayerURL) {
    return esriRequest(featureLayerURL, {
      query: {
        token: token,
        f: 'json'
      }
    })
    .then(r => true)
    .otherwise(err => false);
  }
});
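The probe suggested in the two replies above (request the layer's JSON description with the user's token and treat a rejection as "no access") has one weakness: a rejection can also mean the token expired, the token was never sent, or the server was unreachable, and the snippet reports all of those as a permission problem. The following is an added example, not code from the thread or from Esri's API, that carries the same idea a step further by classifying the response body. It assumes the convention ArcGIS Server REST endpoints use of answering HTTP 200 with a body of the form `{"error": {"code": N, ...}}`, with code 499 for a missing token, 498 for an invalid or expired token and 403 for an authenticated user who lacks permission. The layer URL, token strings and server responses are constructed so the whole thing runs offline against a stubbed fetch; swap in the real `fetch` to run it against a server.

```javascript
// Added example (not from the original thread): tell "no permission" apart
// from "bad/missing token" and "service unreachable" when probing a secured
// layer URL with a user's token.

const ACCESS_OK = "ok";
const ACCESS_DENIED = "denied";          // authenticated but not authorized (code 403)
const TOKEN_REQUIRED = "token_required"; // no token sent (code 499)
const TOKEN_INVALID = "token_invalid";   // expired or wrong token (code 498)
const UNAVAILABLE = "unavailable";       // transport failure, non-JSON body, other error

// Map one parsed JSON response body to an access outcome. ArcGIS Server
// reports REST errors as a JSON "error" object even on HTTP 200, so the
// body, not the HTTP status, is what gets inspected here.
function classifyLayerResponse(body) {
  if (body === null || typeof body !== "object") return UNAVAILABLE;
  if (!body.error) return ACCESS_OK; // a layer description came back
  switch (body.error.code) {
    case 499: return TOKEN_REQUIRED;
    case 498: return TOKEN_INVALID;
    case 403: return ACCESS_DENIED;
    default:  return UNAVAILABLE;
  }
}

// GET `${layerUrl}?f=json&token=...` and classify the answer. `fetchImpl`
// is injectable so the check can run against a stub without a server.
async function checkLayerAccess(layerUrl, token, fetchImpl = globalThis.fetch) {
  const url = `${layerUrl}?f=json&token=${encodeURIComponent(token)}`;
  let body;
  try {
    const res = await fetchImpl(url, { method: "GET" });
    body = await res.json();
  } catch (e) {
    return UNAVAILABLE; // network error or body that is not JSON
  }
  return classifyLayerResponse(body);
}

// Constructed stand-in for the server. URL, tokens and messages are made up;
// the error codes follow the ArcGIS REST convention described above.
const FAKE_LAYER_URL =
  "https://example.invalid/arcgis/rest/services/Parcels/FeatureServer/0";
const FAKE_RESPONSES = {
  "editor-token": { type: "Feature Layer", name: "Parcels", id: 0 },
  "mapper-token": { error: { code: 403, message: "You do not have permissions to access this resource or perform this operation.", details: [] } },
  "stale-token":  { error: { code: 498, message: "Invalid Token", details: [] } },
  "":             { error: { code: 499, message: "Token Required", details: [] } },
};

function fakeFetch(url) {
  const token = new URL(url).searchParams.get("token") ?? "";
  if (token === "offline") return Promise.reject(new Error("network down"));
  const body = FAKE_RESPONSES[token] ?? FAKE_RESPONSES[""];
  return Promise.resolve({ ok: true, status: 200, json: async () => body });
}

// Probe every constructed token and return the outcomes keyed by token.
async function demo() {
  const out = {};
  for (const token of ["editor-token", "mapper-token", "stale-token", "", "offline"]) {
    out[token] = await checkLayerAccess(FAKE_LAYER_URL, token, fakeFetch);
  }
  return out;
}

demo().then((r) => console.log(r));
```

In an application, only `ACCESS_DENIED` should drive the "you are a mapper, not an editor" message; `TOKEN_INVALID` and `TOKEN_REQUIRED` mean the user should be sent back through IdentityManager, and `UNAVAILABLE` is an outage, not an authorization decision.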