abstract class %CSP.Portal.Utils extends %Library.RegisteredObject
APIs used by the System Management Portal.
pItems(n) = $LB(name,date,url)
These are reset on system restart.
Returns 0 if the link is not to a csp application. (enable)
Returns 1 if the user is permitted access to the page. (enable)
Returns 2 if could not determine Target User. Clicking on link will bring up login page. (choice: enable or disable)
Returns 3 if the user doesn't have access to the CSP application. (disable)
Returns 4 if the user doesn't have resources specific to the page. (disable)
- It is assumed that CheckLinkAccess is called from a context in which %session and %request are available, i.e., from callpage in the CSP Server
- In order to minimize information trolling, CheckLinkAccess will just return a bit indicating if the link should be enabled in the current calling context.
- Source application - application in which the current caller is being run
- Current user - ($Username) the user currently logged into the Source Application
- Target Application - the application pointed to by the link
- Target User - the computed username under which the user will be logged into the Target Application
- Target Page - the page portion of the link, e.g., for /csp/app/mypage.csp it is mypage.csp
This method is meant to be called from the link's containing page within the context of the CSP server. The containing page is part of a source application.
We must be able to determine which target user will be used to check privileges. The target user cannot be determined if the source and target applications are different and the target is neither part of an active by-id group nor sharing sessions with the source application.
Applications share sessions when:
- The source and target are the same application.
- The link to the target page contains CSPSHARE=1.
- Source and target applications have the same Session Cookie Path.
Who is the target user?
Since this is called from within a CSP session, there are the following situations:
- The target application is a member of an authenticated by-id group. That group's authenticated user is the Target User.
- The target application will be in the current session. The CSP server has already handled logic for determining the user.
  - The session's user is not UnknownUser. The target user is $Username.
  - The session's user is UnknownUser.
    - If the target application is the source application, the Target User is UnknownUser.
    - If the target application is different, the target user is the user from the session's Sticky-context. If the session has no sticky-context, the Target User will be UnknownUser.
- If the Target Application is not a CSP Application, return ENABLE/UNKNOWN
- If the Source and Target application are the same, skip to check resources.
- If the Target Application is neither in an authenticated by-id group nor in the Source Application's session, return ENABLE/UNKNOWN
- Compute the Target User. See 'Who is Target User?' above.
- If the Target Application is two-factor enabled and the Target User is not, return NO_APP_ACCESS.
- Get any application-defined and user-defined resources assigned to the Target Page.
- If Source and Target Applications are different, check that the Target User has the right roles to enter the Target Application. If not, return NO_APP_ACCESS.
- Check Resources:
If the Target User can access the Target Page's Resources after escalating roles from the Target Application, return ENABLE/UNKNOWN. Else return NO_PAGE_ACCESS.
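
The decision procedure above, modelled in Python as an added example; it is not InterSystems' code and not the ObjectScript implementation. The App and User fields, the role_map lookup, the constant names, the mapping of the ENABLE/UNKNOWN outcomes onto return codes 0, 1 and 2, and the reading that every page resource must be held are assumptions of this model.

```python
from dataclasses import dataclass

# Return codes 0-4 as listed on the page; the constant names are this example's own.
NOT_CSP, PERMITTED, UNKNOWN_TARGET_USER, NO_APP_ACCESS, NO_PAGE_ACCESS = range(5)
UNKNOWN = "UnknownUser"

@dataclass
class App:  # simplified model of an application definition (assumed fields)
    name: str
    is_csp: bool = True
    cookie_path: str = "/"
    by_id_user: str = ""        # authenticated user of its by-id group, if any
    two_factor: bool = False
    entry_resource: str = ""    # resource needed to enter the app, if any
    app_roles: frozenset = frozenset()  # roles added once inside the app

@dataclass
class User:
    roles: frozenset = frozenset()
    two_factor: bool = False

def resources_of(roles, role_map):
    return set().union(*(role_map.get(r, set()) for r in roles))

def target_user(src, tgt, session_user, sticky_user=None):
    if tgt.by_id_user:                      # by-id group's user takes precedence
        return tgt.by_id_user
    if session_user != UNKNOWN:
        return session_user
    return UNKNOWN if src.name == tgt.name else (sticky_user or UNKNOWN)

def check_link_access(src, tgt, page_res, session_user, users, role_map,
                      sticky_user=None, cspshare=False):
    if not tgt.is_csp:
        return NOT_CSP
    same = src.name == tgt.name
    shared = same or cspshare or src.cookie_path == tgt.cookie_path
    if not (tgt.by_id_user or shared):      # target user cannot be determined
        return UNKNOWN_TARGET_USER
    user = users.get(target_user(src, tgt, session_user, sticky_user), User())
    if not same:  # same application: skip straight to the resource check
        if tgt.two_factor and not user.two_factor:
            return NO_APP_ACCESS
        if tgt.entry_resource and tgt.entry_resource not in resources_of(user.roles, role_map):
            return NO_APP_ACCESS
    held = resources_of(user.roles | tgt.app_roles, role_map)  # roles escalated by the app
    return PERMITTED if set(page_res) <= held else NO_PAGE_ACCESS  # assumed: all must be held

if __name__ == "__main__":  # constructed sample: cookie paths differ, no by-id group
    print(check_link_access(App("/a", cookie_path="/a/"), App("/b", cookie_path="/b/"), [], "u", {}, {}))  # 2
```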