Hi,
I have developed a dashboard that is embedded as an iframe in a Plone site. I would like to hide certain content of the dashboard, depending on whether the user currently visiting the site is logged in or not. I am assuming that in order to do this I need to use an endpoint. At the moment I have this:
There is nothing like being " logged in". HTTP is stateless and the portal does not track if you are logged in or not. A HTTP requests provides the authentication information/cookie or not. On the backend side, you can use plone.api.user.get_current() for checking for the current user.
Is the dashboard on the same (Plone) site?
If it is, you can use 'get current' to see if the user is anon.
(with javscript it should also be possible to check CSS classes ( .userrole-authenticated ))
PS: If it is 'the same site', I dont think you should use an iframe.
Yes, if you trust site users. Otherwise, everybody can edit the html dom and replace the user. The iframe site should check if the user in the parameter is the same that is logged via tkt session.
Hey @albavilanova ,
Implementing a SSO system between two different systems is hard, and at least, it requires for you to have dev access to both sides. Is that the case? can you develop in the Plone site and in the dashboard app?
Second, the level of security that you want to achieve is also key. Do you trust in your logged in users? eg. using the iframe querystring might work, provided that nobody is going to impresonate the user (by forging the URL), or hack your dashboard, by appending the querystring to the URL for accessing it.
Parlo catalĂ si vols contacta'm per privat o per les vies habituals.
I am the dashboard developer and don't have access to the Plone site at the moment, but I am in direct touch with the Plone site developer as we work in the same company.
I trust the logged in users, as registrations are accepted on a one-to-one basis, and they are not open to the general public.
As you say, I think somebody might forge the URL and therefore using a querystring does not sound like the safest option.
We wanted to use the REST API but it seems like there is no method to retrieve the currently connected user at the moment (see issue 179 in plone.restapi in Github - I cannot add links)...
I guess the only option we have right now is to send a message with postMessage.
No, there's no such endpoint, basically because it would only work with a token, and, given a token, you have the means to get the user from the token with no call involved.
Also, I assume you are in Plone Classic, so you won't have such token (since classic does not need it). Are you adding the iframe via the editor or through a Mosaic tile. You could get the user from a small Plone development if you are using tiles for that, using plone.api.user. Once you get your user, you pass it to the iframe.
Any other solutions imply sharing the cookie between sites, and all that dance...
Just to close this, at the end we decided to include the login form inside the dashboard and call the REST API from Plone to know if the user exists having his credentials. It is not ideal, but I don't see any safer way. Thank you all for your comments!
I wonder if this is less of a Plone-specific need, and more of an iframe interaction problem; you might be able to:
JavaScript (resource) in page in Plone site evaluates condition of $('body.userrole-authenticated') (body classes are injected in Plone for each user role) and existence of your iframe; if both of these evaluate to true, you could then:
Use window.postMessage [1] with specified origin to pass a simple message indicating that (boolean?) status (or a list of roles, if you wanted to be more complete) into other-origin (dashboard) iframe.
In your iframe, assuming plotly or other tools allow you to use JavaScript within them, receive message with data from passed message; validate origin of the message as a safeguard, then
Within your non-Plone/other-origin iframe, use status and/or roles that you passed from parent page of iframe via postMessage to act as you need to.