Board visibility privileges in custom component

Hello Community!

We are using a custom component to display Boards, Nested Boards and Blogs on our homepage and the boards' visibilities seem to be screwed up.

Some of these boards have a custom visibility, meaning they are only visible to certain user groups (moderators/admins) or even just individual users. These privileges are set in the lithium backend. The purpose is to have moderator discussion boards, that should not be visible to 'normal' users.

With the standard Board overview component this always worked as expected. If a user with the right privilege opened the page, they saw these boards, if the user did not have the privileges, the user did not see them.

Now, since we are using a custom component, Lithium always displays an error message ('This widget could not be displayed') if the user does not have the right privileges to see it. These error messages are ugly and screw up our layout.

Here's the error we are getting from the REST call we are using

REST Error: path="http://helsana.stage.lithium.com/helsana/restapi/vc/boards/id/mod_discussion?restapi.response_style=view" status="error" code="303" message="Der Benutzer -1 verfügt nicht über die folgenden Berechtigungen bei mod_discussion: [ read_board ]" The failing instruction: ==> #assign boards = rest("/boards/id/{... [in template "community_list" at line 30, column 9]

This is a permission error because we are trying to display the private "mod_discussion" board via the REST API and anonymous users do not have the "Read Board" permission granted by default.

Are there API calls we can use that only return boards if the user has the right privileges to see it?

Please help and Thank you!

Madrian

Tyson
11 years ago
Not sure if this helps, but you can check a user's permissions to view a specific board like so:

/boards/id/[your board id]/view/allowed

Cheers,
Tyson

7 Replies

Tyson
Mentor
11 years ago
Not sure if this helps, but you can check a user's permissions to view a specific board like so:

/boards/id/[your board id]/view/allowed

Cheers,
Tyson
Tim_h
Boss
11 years ago
We've set things up the same as Tyson suggests and have wrapped some #if tags around those sections to skip them.

We're doing ours by checking for the role that grants access to that section. Keeps things out of the way for logged out, or general users.

VarunGrazitti

Boss

11 years ago

Hi madrian - In case of the custom components, managing the permissions requires bit of a workarounds, as Tyson mentioned, that could be one way of doing it, but we have noticed that using the /boards/id/[your board id]/view/allowed call also tends to show the "Widget could not be displayed" error. As we had a similar widget where we had to show/hide boards/ categories etc in a custom component, you can use following code and see if this helps, there might be few edits required to run it as per your requirements, but it should be working fine without any edits also.

This is working fine for us, you can scale it to your needs.

<!-- To fetch the list of all the nested boards, blogs and ideas inside the root category-->
<#assign customer_boards = rest("/categories/id/customer-community/boards/nested?restapi.response_style=view").boards/>
<#assign partners_resources = rest("/categories/id/partner-resources/boards/nested?restapi.response_style=view").boards/>
<div class="discussion_topic">
	<div class="content pie">		
		<div class="boxtext">
<#if user.registered >  <#-- if the user is not anonymous -->
<#assign show_module = false />
<#list restadmin("/users/id/${user.id?c}/roles").roles.role as role>  <#-- REST call to get the user's roles -->
<!-- here, you define the roles for those who see the restricted boards-->
    <#if role.name?? && (role.name == "Administrator") || role.name?? && (role.name == "Moderator")>    
        <#assign show_module = true />
    </#if>
</#list>
<#if show_module>
<section class="section">
<#assign abuse_reports = rest("/categories/id/administration-and-moderation/boards?restapi.response_style=view").boards/>
	<div class="section_container" >
	<div class="boxtitleinner">Abuse Reports</div>
<#list abuse_reports.board as topics>
	<!-- Getting the threads count-->
	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>	 
	
	<#if coreNode.title == topics.title>
	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	<#else>
	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	</#if>
</#list>
	</div>	
</section>
</#if>
</#if>
<!-- customer_boards -->
<section class="section">
<#if page.name=="CommunityPage">
<center>
<div class="discussion_btn"><a href="/t5/forums/postpage/choose-node/true/interaction-style/forum">Create New Discussion</a></div>
</center>
</#if>
	<div class="section_container" >
	<div class="boxtitleinner">Discussions</div>
<#list customer_boards.board as topics>
	<!-- Getting the threads count-->
	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>
	<#if coreNode.title == topics.title>
	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	<#else>
	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	</#if>
</#list>
	</div>	
</section>
<!-- To get the access check, we have a separate partner category created and given the Partner Access role to it -->
<section class="section">	
	<div class="section_container" >
	<div class="boxtitleinner">Resources</div>
<#list partners_resources.board as topics>
	<!-- Getting the threads count-->
	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>	 
	
	<#if coreNode.title == topics.title>
	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	<#else>
	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
	</#if>
</#list>
	</div>				
</section>
		</div>
	</div>
</div>

madrian
Guide
11 years ago
Hey Guys,

thanks a lot for you quick and detailed help. We ended up using Tyson's /boards/id/[your board id]/view/allowed solution and it works like a charm for us.

Thanks Again!

madrian
keshavkelkar
Ace
8 years ago
You also can Hide node from admin settings Admin -> Community Structure -> Your Category/Board/etc -> Edit properties -> Hide from lists and menus -> check here
And get the required status via Rest Call
<#assign catHidden = restadmin("/categories/id/${catId}/settings/name/config.hidden").value?string />

This also will help you for visibility management of your Nodes.
Tim_h
Boss
8 years ago
If you make the call with rest instead of restadmin, it just won't retrieve
boards hidden to that user.

Security wise I'd definitely advise against using restadmin in almost every
case.
Better to catch failures in code than to let unintended users execute code
or retrieve data.

Excellent point about the "hidden" status being available via rest though!
keshavkelkar
Ace
8 years ago
Tim_h Yes I agree with you.. Using Rest in place of Restadmin is always good practice. Thanks for appreciation .

Forum Discussion

Board visibility privileges in custom component

7 Replies

Related Content

Private/Visibility logo overlay in Atlas

Aurora: Understanding the Salesforce connector components and their entities

Delete an SDK @override Component?

What is the component for blog contributors?

Aurora Storybook - Component Library

Recent Discussions

How to fetch all labels associated with TkbArticlePage and count how many times each label is used

In Aurora, add additional <script> and <meta> tags

Setup content filter for arabic language

24.10 API change breaks navigation

How to create/subscribe the Webhook in Aurora