Possible to check if the current user has permission to access a specific app?

Hello!

Is there a way with JavaScript to check if the current user has access to a specific app? I would use this to hide certain links in the sidebar component that I share between apps using a module. I see that I have access to the current user groups, so I could implement it that way, but I'd prefer an explicit permission check against the app itself. That way I could use multiple groups to grant access to specific apps and I wouldn't have to worry about modifying my sidebar for each new group I create.

Thank you!

Hey @ffaubert!

If you have permissions set up to allow users from the 'production_users' group, for example, you could do something like this perhaps:

{{ !current_user.groups.find(group => group.name == 'production_users') }}

If this condition is in the component's Hidden field, it would hide the component if the user is not in the 'production_users' group!

Aside from that, this is a feature request that already exists internally so I'll keep you updated on its progress

Hi Victoria,

Any update regarding this feature request?

We need to be able to read the permissions object, to make the validations more dynamic, and not depend on changing them and updating the permissions, as it is a double work.

thanks!

Hi @cejaramillof! As far as I can see there aren't plans to add more granular permission controls within an app right now (going based on the request Victoria mentioned). Would you mind describing your use case a bit more? Do you have any specific examples of validations in mind?

Hi @Kabirdas,

Basically, is to have an app with a sidebar or menu, in which I have a series of apps, and if the user has the group that has the perimso to see, show the button, if not hide it.

I see, the navigation component should dynamically display apps based on a user's permissions - that might be worth exploring to see if the tradeoff with UI customizability is worth it. If you find you need to use buttons or other components I would go with @victoria's workaround or something similar for the time being. Depending on how your permissions are managed it might be easier to keep a list of app-specific permissions using organization-wide preloaded JavaScript that you can reference but it would need to be updated manually e.g.:

(Where b9def380-ff8d-11eb-a90c-xxxxxxxxxxxx is the app UUID).

Do one of those solutions look like they could work?

Hi @Kabirdas In my retool i have 6 web app, now i need to give access for the certain app to the particular user only, for the other user the app should not be visible is there any code for that. In the below image i got the app uuid and i have some questions regarding the image

1. In the preloaded java script what is user1@retool.com
2. Hidden works for the component how it will be available for the app.

please help me regarding this issue and can you give me a detailed explanation about it.

Capture-1798×493 52.9 KB

Hey @gangaaram_tech!

To revoke permissions on an entire app there's a built-in UI that you can use to configure user permissions. Docs on that exist here!

In order to use it you'll need to be on the Business plan or higher.

I'm also interested in a way to build a side bar nav menu that could be filtered dynamically based on the current_user object. The nav component has a dynamic option, so logically I would want to put something like {{current_user.apps}} or however y'all decide.

Hey @Ian_Donaldson! Would you mind sharing a bit more context about what you're looking to build? What would you like to filter? I believe we actually do allow users to create a dynamic nav bar depending on the current_user!

I built a shared module that has our company branding and dynamically builds a navigation menu based on the users group access. When I look at the current_user object in our version of Retool (v2.117.3) I didn't see anything on the user object that says anything about their assigned groups.
Perhaps when we update our instance, this feature will be natively available?

Ah, I believe so! The current_user object has the groups property now

https://docs.retool.com/reference/apps/global/objects/current_user

Also, I’d definitely recommend upgrading in general! I think we’re at v3.30 now and have shipped a lot of exciting updates and bug fixes since v2.117.

With that said, a big version jump might cause parity issues so I recommend following these best practices:

https://docs.retool.com/self-hosted/concepts/update-deployment

And let us know if you get stuck anywhere!

You say in your post " the navigation component should dynamically display apps based on a user's permissions"

I see no facilities for listing apps based on a users group or permissions. Could you clarify?

Tom

Hi @troot,

It should be handled automatically based on user permissions. After you configure your navigation component to open different Retool apps (using the App menu item type), if a user doesn't have access to a given app, it will be omitted from the navigation when they view it.

what about for multi-page apps? It doesn't look there's a way to limit user group's access to pages in a multi-page app from the groups configuration page.

So, is a transformer on the pages array the workaround? or is there something else y'all would recommend?

Hi @Luis_Rodriguez,

Great question! We haven't shipped page specific permissions quite yet, but it is high on our list of features to add.

Yes, in the meantime, you could use Javascript or a transformer. You could dynamically pass in the data source array or you could dynamically hide certain pages from certain users under Hidden. If you have a specific permission group that shouldn't see a certain app, you can check for that permission group in the current_user.groups array. One challenge with not having a native feature for page permissions is that you may have to manually update your logic if you ever make changes to the permissions

If you can share, I'd love to hear how you'd use page permissions. Are you mainly concerned about viewers only seeing certain pages, or do you want to block editors from seeing certain pages. I imagine it could change per app, but curious to hear about your initial use case.

I'm trying to do something like this:

const pages = {{  retoolContext.pages }}
const currentUserIsAdmin = {{ current_user.groups.some(({name}) => name === "admin") }}
const group1 = {{ current_user.groups.some(({name}) => name === "group1") }}

let modifiedPages = pages;

if (group1) {
  return pages.filter(({ id }) => id === "pageForGroup1");
}

if (!currentUserIsAdmin) {
  modifiedPages = pages.filter(({ id }) => id !== "adminPage");
}

return modifiedPages

this works in terms of showing/hiding the page in navigation, but the navigation's highlight functionality stops working.

Any thoughts?

This is the function that ended up working best. In the Hidden field of navigation:

First validation to hide pages if a user is in group1. Second validation is to hide the admin page if a user is not an admin.

{{ current_user.groups.some(({ name }) => name === "group1") && ["page1", "page2", "page3"].includes(item.id) || !current_user.groups.some(({ name }) => name === "admin") && item.id === "adminPage" }}

Hi Luis,

I wanted to follow up here on workarounds for page permissions. While you can hide certain pages based on permission groups, if the user finds the url for the page, they could still potentially access the page directly. You could add some Javascript query logic to redirect them, but they may see some sensitive info as the page first attempts to load. For this reason, it likely makes more sense to move particularly sensitive pages to their own app (which you can control access to). We added info about this workaround to our docs: Configure permission controls | Retool Docs

Hopefully, I'll have a more concrete update on page permissions soon

In case you cannot bifurcate the app this is the approach I've been experimenting with recently:

-- Disable and hide the page buttons via the respective page properties on the navigation component as suggested in this thread
-- Utilise the same logic to disable the queries on those pages from running
-- Then if you're extra paranoid you can put all the page components in a container and disable+hide it accordingly

Disable/hide your elements with the logic that they are disabled by default in case there is ever an issue reading your permissions.

But keeping things separate as Tess suggests is best wherever feasible.