Forum Discussion

madrian
Guide
11 years ago

Board visibility privileges in custom component

Hello Community!

 

We are using a custom component to display Boards, Nested Boards and Blogs on our homepage and the boards' visibilities seem to be screwed up.

 

Some of these boards have a custom visibility, meaning they are only visible to certain user groups (moderators/admins) or even just individual users. These privileges are set in the Lithium backend. The purpose is to have moderator discussion boards that should not be visible to 'normal' users.

With the standard Board overview component this always worked as expected. If a user with the right privilege opened the page, they saw these boards, if the user did not have the privileges, the user did not see them.

 

Now, since we are using a custom component, Lithium always displays an error message ('This widget could not be displayed') if the user does not have the right privileges to see it. These error messages are ugly and screw up our layout.

 

Here's the error we are getting from the REST call we are using:

 

REST Error: path="http://helsana.stage.lithium.com/helsana/restapi/vc/boards/id/mod_discussion?restapi.response_style=view" status="error" code="303" message="Der Benutzer -1 verfügt nicht über die folgenden Berechtigungen bei mod_discussion: [ read_board ]" The failing instruction: ==> #assign boards = rest("/boards/id/{... [in template "community_list" at line 30, column 9] 

 

This is a permission error because we are trying to display the private "mod_discussion" board via the REST API and anonymous users do not have the "Read Board" permission granted by default. 

 

Are there API calls we can use that only return boards if the user has the right privileges to see it?

 

Please help and Thank you!

 

Madrian

 

  • Not sure if this helps, but you can check a user's permissions to view a specific board like so:

     

    /boards/id/[your board id]/view/allowed

     

    Cheers,

    Tyson

  • Hi madrian - In the case of custom components, managing the permissions requires a bit of a workaround. As Tyson mentioned, that could be one way of doing it, but we have noticed that using the /boards/id/[your board id]/view/allowed call also tends to show the "Widget could not be displayed" error. As we had a similar widget where we had to show/hide boards, categories, etc. in a custom component, you can use the following code and see if this helps. There might be a few edits required to run it as per your requirements, but it should also work fine without any edits.

     

    This is working fine for us, you can scale it to your needs.

     

    <!-- To fetch the list of all the nested boards, blogs and ideas inside the root category-->
    <#assign customer_boards = rest("/categories/id/customer-community/boards/nested?restapi.response_style=view").boards/>
    <#assign partners_resources = rest("/categories/id/partner-resources/boards/nested?restapi.response_style=view").boards/>
    <div class="discussion_topic">
    	<div class="content pie">		
    		<div class="boxtext">
    <#if user.registered >  <#-- if the user is not anonymous -->
    <#assign show_module = false />
    <#list restadmin("/users/id/${user.id?c}/roles").roles.role as role>  <#-- REST call to get the user's roles -->
    <#-- Define here the roles that may see the restricted boards (FreeMarker comment, so it is not sent to the browser) -->
        <#if role.name?? && (role.name == "Administrator" || role.name == "Moderator")>
            <#assign show_module = true />
        </#if>
    </#list>
    <#if show_module>
    <section class="section">
    <#assign abuse_reports = rest("/categories/id/administration-and-moderation/boards?restapi.response_style=view").boards/>
    	<div class="section_container" >
    	<div class="boxtitleinner">Abuse Reports</div>
    <#list abuse_reports.board as topics>
    	<!-- Getting the threads count-->
    	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>	 
    	
    	<#if coreNode.title == topics.title>
    	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	<#else>
    	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	</#if>
    </#list>
    	</div>	
    </section>
    </#if>
    </#if>
    <!-- customer_boards -->
    <section class="section">
    <#if page.name=="CommunityPage">
    <center>
    <div class="discussion_btn"><a href="/t5/forums/postpage/choose-node/true/interaction-style/forum">Create New Discussion</a></div>
    </center>
    </#if>
    	<div class="section_container" >
    	<div class="boxtitleinner">Discussions</div>
    <#list customer_boards.board as topics>
    	<!-- Getting the threads count-->
    	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>
    	<#if coreNode.title == topics.title>
    	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	<#else>
    	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	</#if>
    </#list>
    	</div>	
    </section>
    <#-- For the access check, we created a separate partner category and assigned the Partner Access role to it (FreeMarker comment, so it is not sent to the browser) -->
    <section class="section">	
    	<div class="section_container" >
    	<div class="boxtitleinner">Resources</div>
    <#list partners_resources.board as topics>
    	<!-- Getting the threads count-->
    	<#assign get_threads_count = rest("/boards/id/${topics.id}/threads/count").value/>	 
    	
    	<#if coreNode.title == topics.title>
    	<div class="active_thread"><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	<#else>
    	<div><a href="${topics.@view_href}">${topics.title}</a><span class="number">${get_threads_count}</span></div>
    	</#if>
    </#list>
    	</div>				
    </section>
    		</div>
    	</div>
    </div>

     


    • Tim_h
      Boss

      We've set things up the same as Tyson suggests and have wrapped some #if tags around those sections to skip them.

       

      We're doing ours by checking for the role that grants access to that section. Keeps things out of the way for logged out, or general users.

  • You can also hide a node from the admin settings: Admin -> Community Structure -> Your Category/Board/etc -> Edit properties -> Hide from lists and menus -> check here

    And get the required status via a REST call:

    <#assign catHidden = restadmin("/categories/id/${catId}/settings/name/config.hidden").value?string />

     

    This will also help you with visibility management of your nodes.

    • Tim_h
      Boss
      If you make the call with rest instead of restadmin, it just won't retrieve
      boards hidden to that user.

      Security-wise, I'd definitely advise against using restadmin in almost every
      case.
      Better to catch failures in code than to let unintended users execute code
      or retrieve data.

      Excellent point about the "hidden" status being available via rest though!
      • Tim_h Yes, I agree with you. Using rest in place of restadmin is always good practice. Thanks for the appreciation.

  • Hey Guys,

     

    thanks a lot for your quick and detailed help. We ended up using Tyson's /boards/id/[your board id]/view/allowed solution and it works like a charm for us.

     

    Thanks Again!

     

    madrian
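
The two pieces of advice in this thread (call `rest` rather than `restadmin`, and catch failures in code) can be combined in one component. This is an added example, not code from any poster. It assumes the permission failure surfaces as a template error, as in the quoted "failing instruction" message, and that a single-board response exposes a `board` node. The id `general_discussion` is a placeholder.

```freemarker
<#-- Added example: render only the boards the viewing user may read.
     mod_discussion is the id from the error in the question;
     general_discussion is a placeholder id. -->
<#assign board_ids = ["mod_discussion", "general_discussion"] />

<div class="section_container">
  <div class="boxtitleinner">Discussions</div>
  <#list board_ids as board_id>
    <#attempt>
      <#-- rest() runs with the permissions of the current user (anonymous
           users included), so a board without read_board for that user
           fails here instead of returning data. -->
      <#assign board = rest("/boards/id/${board_id}?restapi.response_style=view").board />
      <#assign thread_count = rest("/boards/id/${board_id}/threads/count").value />

      <#-- Escape the title before writing it into HTML. -->
      <div>
        <a href="${board.@view_href}">${board.title?html}</a>
        <span class="number">${thread_count}</span>
      </div>
    <#recover>
      <#-- Permission denied or any other REST failure: output nothing for
           this board, so no "This widget could not be displayed" box and
           no hint that the board exists. -->
    </#attempt>
  </#list>
</div>
```

Because the access decision is made by the platform on each `rest` call, the component keeps working when board permissions change and never needs a hard-coded list of privileged role names.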