It's all about the answers!

Ask a question

Finding username in a widget's context


Vic Watson (1111) | asked Dec 11 '12, 9:25 a.m.
Hi All.

I'm writing some RTC widgets for a corporate dashboard. They're basically just implanted web pages from an external server (which processes my raw data and displays a summary). I've been asked to add the ability to annotate the results on display.

Doing the actual annotation is easy enough - I can just POST the comment at the external server. But that's likely to leave many anonymous comments, which I don't want. I'd like to be able to prepend the user's name so that everyone knows who is making the comment - does anyone have a handy way to get at it? It's in the overall page, but I can't find anything in the iframe's DOM.

Is this possible?

Thanks!

Vic.

3 answers



permanent link
David Boyer (812) | answered Dec 11 '12, 1:15 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
 An alternative which would not require reaching across the iframe/document boundary is to use the 'st' param from the iframe url.

'st' is the secure token, it is a colon delimited list of values.  The first value is the userid.  The gadget has access to that information.

permanent link
Curtis d'Entremont (1.3k3) | answered Dec 11 '12, 12:06 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
The following enhancement is to track the proper solution for getting the user id in a gadget:
Provide a simple way to get current user id from an OpenSocial gadget (244518)

As a temporary workaround, if you don't use lock domain support (hosting the gadget under another hostname/domain for security), then you can actually reach up and grab the user id from the parent window. Here's a quick hack you can use until the real solution comes along:

window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId()

This should work in RTC as long as you're not using lock domain. You have to call this from the gadget itself, e.g. here's a test gadget that just prints out the user id:

<?xml version="1.0" encoding="UTF-8"?>
<Module>
    <ModulePrefs title="Test" height="300">
    </ModulePrefs>
    <Content type="html">
        &lt;script type="text/javascript"&gt;
            alert(window.top.com.ibm.team.repository.web.client.session.getAuthenticatedUserId());
        &lt;/script&gt;
    </Content>
</Module>

So if you have another iframe you're using inside there, you can tack that onto the iframe URL and read it from inside the iframe.

permanent link
Curtis d'Entremont (1.3k3) | answered Dec 11 '12, 11:07 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
It depends how your widget is implemented - is it an OpenSocial gadget, External Content Widget, or Viewlet? If it's one of the first two, or if it's implemented as a simple iframe pointing to the remote server, then browser security will prevent you from reaching out and finding out who is logged into the page that contains the iframe. If you're creating the iframe yourself, then you could pass in the user id in a URL parameter for the iframe so that it can read it, but you may not have this luxury depending on how you implemented it.

The best approach is to actually authenticate with your own server, so that it knows independently of the Jazz server who you are. This is the most secure option as you wouldn't be able to circumvent this easily and inject another users id in there for the POST. The server would essentially get the user principal from the app container based on the session cookie, or whatever authentication method you use.


Comments
Vic Watson commented Dec 11 '12, 11:31 a.m.
is it an OpenSocial gadget


Yes :-(

browser security will prevent you from reaching out and finding out who is logged into the page that contains the iframe
Yes. I thought as much. Just wondered if some of the javascript thet RTC puts into the iframe might help - but I can't find anything in there.

The best approach is to actually authenticate with your own server
I'm not sure that's going to be great from a usability perspective though - users are already logged in, they'll be unwilling to jump through another hoop.
This is the most secure option
I'm not overly worried about that - this is a utility function; the people who will be using it could just hack at the database if they were that interested in working around it.

Ho hum...

Vic.

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.