Forum Discussion

Kev_B
Advisor
7 years ago

API call to roles collection returning empty for non-moderators

Hi, 


Bit of a weird one here: we've built a component to test users' roles against board titles, only displaying the boards that have matching roles.


Trouble is, it only works if the user has the role of moderator.


I'm pulling the roles data like this:


<#assign userID = user.id />
<#assign rolesQuery = "SELECT name FROM roles WHERE users.id = '" + userID + "'" />
<#assign roles = rest("2.0", "/search?q=" + rolesQuery?url) />

I'm then testing 'roles' for results etc. below before proceeding with further lists / conditionals. If I view this as a moderator, all the subsequent content displays; if I view as a non-moderator, nothing below this conditional displays.


<#if roles?? && roles.status?? && roles.status == "success" && roles.data?? && roles.data.size gt 0 && roles.data.items?? && roles.data.items?has_content>

Does anybody have any experience of this? I've tested the query in the API browser and it returns results, so there isn't a problem with pulling results it seems.


Is there something that prevents these API calls on users if they don't have certain permissions?

  • Kev_B - By restadmin, I mean the restadmin FreeMarker object.


    Lithium does not provide access to all objects to a normal user. A normal user cannot view any other user's roles (the same way a normal user cannot view private board messages). However, moderators have access to view other users' roles, and the rest context object makes the call and fetches results according to the permissions.

    Lithium does provide an object, restadmin, which can make a call with admin privileges.

    It's an object to make a REST call with Administrator permissions on behalf of the user viewing the component. This call essentially bypasses permission checks for the current user.

    E.g., your query updated with a restadmin call:


    <#assign userID = user.id />
    <#assign rolesQuery = "SELECT name FROM roles WHERE users.id = '" + userID + "'" />
    <#assign roles = restadmin("2.0", "/search?q=" + rolesQuery?url) />

    However, we should make a restadmin call only when we know the information is shareable with normal users.


7 Replies

  • Kev_B
    Advisor
    7 years ago

    I think that might do it. I don't have access to the restadmin stuff on here, so I have requested it to be able to amend the code accordingly.


    Thanks :)

  • Kev_B
    Advisor
    7 years ago

    As an add-on to this, I've got the component working and it does as intended.


    However, on our production instance it seems to be unable to find any roles that occur at position 16 or lower in the list. I've tested on stage and the logic continues up to at least 24 (that's as far as I've tested).


    I'm just wondering if there are any limits applied to restadmin calls on a production instance that don't apply to stage given that there's less traffic between the site and the server? If so, is there a workaround?

  • Have you tried adding a limit to the end of the query?


    <#assign rolesQuery = "SELECT name FROM roles WHERE users.id = '${userID}' LIMIT 30" />
  • Kev_B - Just to provide more info about PerBonomi's reply.


    LIQL returns a maximum of 25 results if no limit is given to the API call. So if you want to fetch more than 25 results, you will need to pass a limit to the API call.

    If you do not know the limit, you can get it dynamically, e.g.:


    <#-- Count the viewer's roles first, then use that number as the LIMIT of the real query -->
    <#assign rolesQuerycount = "SELECT count(*) FROM roles WHERE users.id = '${userID}' " />
    <#assign rolesCount = restadmin("2.0", "/search?q=" + rolesQuerycount?url).data.size />
    <#-- LIMIT takes a bare integer, so the count is interpolated without quotes -->
    <#assign rolesQuery = "SELECT name FROM roles WHERE users.id = '${userID}' LIMIT ${rolesCount} " />
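Putting the two pieces of advice in this thread together (restadmin only for data that is safe to show the viewer, and an explicit LIMIT because LIQL caps unlimited queries at 25 rows), here is an added example of the complete component, written for this reply and not code from the thread or from Lithium. It assumes the Lithium FreeMarker context objects user, rest and restadmin, the LIQL roles and boards collections with name, title and view_href fields, and that a count(*) query answers in data.count (with data.size as the fallback the reply above uses).

```freemarker
<#-- Added example, not code from the thread. Assumes the Lithium FreeMarker context objects
     user, rest and restadmin, the LIQL "roles" and "boards" collections, and that
     "SELECT count(*)" answers in data.count (data.size as fallback). -->
<#assign userID = user.id />

<#-- restadmin bypasses the viewer's permission checks, so the query is scoped to the
     viewer's own id (supplied by the platform, never taken from a request parameter)
     and nothing but the viewer's own role names ever leaves this component. -->
<#assign countQuery = "SELECT count(*) FROM roles WHERE users.id = '${userID}'" />
<#assign countResp = restadmin("2.0", "/search?q=" + countQuery?url) />

<#-- LIQL returns at most 25 rows without LIMIT, so pass the real count as the limit. -->
<#assign roleLimit = 0 />
<#if countResp?? && countResp.status?? && countResp.status == "success" && countResp.data??>
  <#if countResp.data.count??><#assign roleLimit = countResp.data.count />
  <#elseif countResp.data.size??><#assign roleLimit = countResp.data.size /></#if>
</#if>

<#assign roleNames = [] />
<#if roleLimit gt 0>
  <#-- ?c prints the number without locale grouping, so LIMIT 1000 never becomes LIMIT 1,000 -->
  <#assign rolesQuery = "SELECT name FROM roles WHERE users.id = '${userID}' LIMIT ${roleLimit?c}" />
  <#assign roles = restadmin("2.0", "/search?q=" + rolesQuery?url) />
  <#if roles?? && roles.status?? && roles.status == "success" && roles.data?? && roles.data.items?has_content>
    <#list roles.data.items as role>
      <#assign roleNames = roleNames + [role.name] />
    </#list>
  </#if>
</#if>

<#-- Boards come through the ordinary rest() call, so the viewer only ever sees boards
     they are already permitted to read; restadmin is never used for the board list.
     LIMIT 100 assumes the community has at most 100 boards; raise it if needed. -->
<#assign boardsQuery = "SELECT id, title, view_href FROM boards LIMIT 100" />
<#assign boards = rest("2.0", "/search?q=" + boardsQuery?url) />

<#if roleNames?has_content && boards?? && boards.status?? && boards.status == "success" && boards.data.items?has_content>
  <ul>
  <#list boards.data.items as board>
    <#if roleNames?seq_contains(board.title)>
      <li><a href="${board.view_href}">${board.title}</a></li>
    </#if>
  </#list>
  </ul>
<#else>
  <p>No boards match your roles.</p>
</#if>
```

Because the only restadmin queries are filtered on the viewer's own user.id, the component reveals no information the viewer could not already see about themselves, which is the condition the reply above sets for using restadmin at all.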