[AC-257] Manual session management in ArrowDB
GitHub Issue | n/a |
---|---|
Type | Bug |
Priority | n/a |
Status | Closed |
Resolution | Done |
Resolution Date | 2015-12-09T11:59:25.000+0000 |
Affected Version/s | n/a |
Fix Version/s | n/a |
Components | Arrow Cloud |
Labels | arrowdb |
Reporter | Manuel Conde Vendrell |
Assignee | Mostafizur Rahman |
Created | 2015-07-24T11:06:13.000+0000 |
Updated | 2015-12-09T11:59:25.000+0000 |
Description
Hi.
Currently, on ACS (the old), the way we have to make modifications to other objects not owned by the current user is (controlling the session by the "Manual Session Management"):
1. Login as an admin user
2. Get the admin user id
3. Make modifications on the object with that session id
4. Forget about it and continue using the current user session in the other calls.
This is something like:
```javascript
// NOTE: Only a user with ACS ADMIN privileges can update another user's data, so log in as an admin user and make the changes.
// (adminpass, id, first_name, last_name, username and res come from the surrounding route handler.)
ACS.Users.login({
  login: "admin",
  password: adminpass
}, function(e) {
  if (e.success) {
    ACS.Users.update({
      session_id: e.meta.session_id, // the session id of the manager admin
      user_id: id,                   // the user id to modify
      first_name: first_name,
      last_name: last_name
    }, function(data) {
      if (data.success) {
        console.log('User "' + username + '" edited');
        res.redirect('/admin/users');
      } else {
        console.log('Error: ' + ((data.error && data.message) || JSON.stringify(data)));
        // Render the page again, with the error
        res.redirect('error');
      }
    });
  } else {
    console.log('Error login as manager: ' + ((e.error && e.message) || JSON.stringify(e)));
    // Render the page again, with the error
    res.redirect('error');
  }
});
```
But now I'm not able to do the same in ArrowDB. If I log in as admin to do the changes, the next saved/modified objects are owned by the newly logged-in admin user, even if I use the stored non-admin session with session_id: req.session.session_id in the calls.
According to the info on http://docs.appcelerator.com/arrowdb/latest/#!/guide/nodejs, the only thing I need to do is deactivate the Cookie-Based Session Management (instantiating ArrowDB in the form arrowDBApp = new ArrowDB('<App Key>', {autoSessionManagement:false});) and add the session manually after the login with arrowDBApp.sessionCookieString = result.cookieString; (if I do not do the last step, I get "user not logged in" on every query I do).
But the code does not work as expected: when I log in as the admin user, the login remains for the rest of the session.
```javascript
// NOTE: Only a user with ACS ADMIN privileges can update another user's data, so access as an admin user.
// (adminpass, name and res come from the surrounding route handler.)
arrowDBApp.usersLogin({
  login: "admin",
  password: adminpass
}, function(err, result) {
  if (err) {
    console.log('Error login as manager: ' + err.message);
  } else {
    arrowDBApp.customObjectsUpdate({
      classname: 'Topics',
      session_id: result.body.meta.session_id, // the admin session from the login above
      fields: {
        name: name
      }
    }, function(updateErr, updateResult) { // renamed so the login's err/result are not shadowed
      if (updateErr) {
        console.log('Error: ' + updateErr.message);
      } else {
        res.redirect('/admin/topics');
      }
    });
  }
});
```
The expected behaviour is to save the object as the current user, but it is saved as owned by the admin user.
An ArrowDB user login session is identified by a session_id parameter in the request or response data. When logging in to a user account or creating a new user, the session_id is returned in the response data of the API calls. It can be retrieved from the response data by using the body.meta.session_id property of the callback's result object. For example:
Shouldn't your "session_id:" be "session_id: result.body.meta.session_id"?
Hi Sharif. You are right, I made a typo there (fixed now), but the behaviour remains the same. The idea here is to "update" an object as an admin but continue the session as the previous non-admin user. With ACS that worked, and with ArrowDB it doesn't. Anyway, I decided to use another approach and now I'm using ACLs to do the same, giving all users write permissions on the "Topics" object in the example, so now it's not needed to log in as admin and do the update. You can close this issue. I can understand that the ACS behaviour was not intended and the right one is ArrowDB's.
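The root of the behaviour described in this issue is that, with autoSessionManagement:false, the client sends whatever sessionCookieString currently holds, so an admin login silently elevates every later request. The following is an added example (not code from the issue, the reporter, or the ArrowDB SDK) of a helper that runs one privileged call as admin and then restores the caller's own session cookie; FakeArrowDB is a constructed stand-in that mimics only the surface the issue mentions (usersLogin, customObjectsUpdate, sessionCookieString, result.cookieString) and records which session each request went out with.

```javascript
// Added example, not from the issue or the ArrowDB SDK. FakeArrowDB is a constructed
// stand-in modelling the manual-session behaviour the issue describes: the stored
// sessionCookieString (not a per-call session_id) decides which user a request acts as.
class FakeArrowDB {
  constructor() {
    this.sessionCookieString = null;
    this.calls = []; // records the session cookie each request went out with
  }
  usersLogin(params, cb) {
    const session = 'sess-' + params.login; // constructed session id
    this.sessionCookieString = '_session_id=' + session; // stands in for result.cookieString
    cb(null, { body: { meta: { session_id: session } }, cookieString: this.sessionCookieString });
  }
  customObjectsUpdate(params, cb) {
    // As reported in the issue, the stored cookie wins over params.session_id.
    this.calls.push({ classname: params.classname, session: this.sessionCookieString });
    cb(null, { body: { meta: { status: 'ok' } } });
  }
}

// Run privilegedCall under an admin login, then restore the original session cookie
// before handing control back, so the caller's later requests go out as the original user.
function runAsAdmin(app, adminCreds, privilegedCall, done) {
  const savedCookie = app.sessionCookieString; // the non-admin user's session
  app.usersLogin(adminCreds, (err, result) => {
    if (err) return done(err);
    privilegedCall(result.body.meta.session_id, (callErr, callResult) => {
      app.sessionCookieString = savedCookie; // restored on success and on error alike
      done(callErr, callResult);
    });
  });
}

// Demo: a user logs in, an admin renames a Topics object, then the user saves again.
function demo() {
  const app = new FakeArrowDB();
  app.usersLogin({ login: 'alice', password: 'pw' }, () => {}); // constructed credentials
  const userCookie = app.sessionCookieString;
  runAsAdmin(app, { login: 'admin', password: 'adminpass' }, (adminSession, cb) => {
    app.customObjectsUpdate({ classname: 'Topics', session_id: adminSession,
                              fields: { name: 'renamed by admin' } }, cb);
  }, () => {
    // Back in the user's own session: this save is owned by alice, not admin.
    app.customObjectsUpdate({ classname: 'Topics', fields: { name: 'user edit' } }, () => {});
  });
  return { userCookie, cookieAfter: app.sessionCookieString, calls: app.calls };
}
```

A cleaner separation is a dedicated client instance for admin work and one per request for the user, so the two sessions never share a cookie; the ACL approach the reporter settled on removes the need for an admin login altogether.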