
Delegated Adm: "User Details" view wrong memberships

bug
delegated-admin

#1

I’ve set up the Delegated Admin Extension to create new users and assign access rights to them. I’m providing an array (e.g. [ 'User Management', 'Software Downloads', 'Support' ]) in my Memberships Hook and it’s working just fine for the “Create User” view.
But when I open the “User Details” view it’s always listing all access rights, not the assigned ones. I think the problem is that the Hook is used for both scenarios: creating the list of available memberships and creating the list of assigned memberships.
So basically, I need a possibility to tell if the Hook is requesting data for the “Create User” view or the “User Details” view. Is there any property available in the ctx object?




#3

I believe you can leverage the fact that, when the hook is called at initialization to get the list of memberships that the user currently logged in to the extension can select when creating users, the ctx.payload.role property will be set. This seems to indicate if the current user is a DAE admin or just a regular user, but could work to disambiguate from a view user call (unless the end-users themselves also have a root role property, which I didn’t test).

A quick test shows that something like the following could be used to differentiate the calls:

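function(ctx, callback) {
  // A role on the payload user is taken to mean the call is about the
  // logged-in DAE user, i.e. the request for the selectable memberships.
  if (ctx.payload.user.role) {
    ctx.log('Initialization request associated with DAE user itself.');

    var department = ctx.payload.user.app_metadata.department;

    // IT may assign any membership; everyone else only their own department.
    if (department === 'IT') {
      return callback(null, [ 'IT', 'HR', 'Finance', 'Marketing', 'TSE' ]);
    }

    return callback(null, [ department ]);
  }

  ctx.log('View end-user details request.');

  // Memberships already stored on the user being viewed.
  return callback(null, ctx.payload.user.app_metadata.memberships);
}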

When there’s a role I assume it’s a call to get the drop-down values (you can tweak this condition further). I also then check another property, in my case a department, to see if the DAE user can create users in multiple memberships or just one. If it’s not the initialization call I just return the data from ctx.payload.user.app_metadata.memberships, which is where selected memberships will be stored by default.


#4

Hi João,

thanks for your response! I was able to fix this myself already, but I couldn’t find a way to reply to my own post or edit it. This is what I came up with:

// requesting assigned memberships
if (ctx.request.user.email !== ctx.payload.user.email) {
   return callback(null, othersAccessRights);
}

// requesting list of assignable memberships (alias my own memberships)
return callback(null, assignableAccessRights);

But I have another problem which is very urgent. Can you please have a look into that issue, “Need to query app_metadata in Delegated Admin Extension”?

Thank you in anticipation!
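
A hook that combines the e-mail comparison from post #4 with the department scoping from post #3, and returns an empty list whenever it cannot classify the call. This is an added example, not code from either poster or from Auth0; the ctx fields are assumed to be shaped as the posts describe, and asStringList, runHook and the sample users are hypothetical.

```javascript
// Added example, not from the thread. Assumed ctx shape, taken from the posts:
// ctx.request.user = logged-in extension user, ctx.payload.user = user the call is about.
var ALL_MEMBERSHIPS = ['IT', 'HR', 'Finance', 'Marketing', 'TSE']; // list from post #3

// Keep only string entries; anything that is not an array becomes [].
function asStringList(value) {
  return Array.isArray(value)
    ? value.filter(function (m) { return typeof m === 'string'; })
    : [];
}

function membershipsHook(ctx, callback) {
  var requester = (ctx.request && ctx.request.user) || {};
  var target = (ctx.payload && ctx.payload.user) || {};

  // Cannot tell which view is asking: fail closed with an empty list.
  if (!requester.email || !target.email) {
    return callback(null, []);
  }

  // Post #4's test: a different e-mail means "User Details" of another user,
  // so return only what is stored on that user, never the full list.
  if (requester.email !== target.email) {
    return callback(null, asStringList((target.app_metadata || {}).memberships));
  }

  // Same e-mail: list of assignable memberships, scoped by department as in post #3.
  var department = (target.app_metadata || {}).department;
  if (department === 'IT') {
    return callback(null, ALL_MEMBERSHIPS.slice());
  }
  return callback(null, typeof department === 'string' ? [department] : []);
}

// Constructed helper: invoke the hook once and capture the list it returns.
function runHook(ctx) {
  var result;
  membershipsHook(ctx, function (err, list) { result = list; });
  return result;
}

// Constructed sample contexts (not real tenant data).
var admin = { email: 'admin@example.com', app_metadata: { department: 'HR' } };
var other = { email: 'user@example.com', app_metadata: { memberships: ['Finance', 42] } };
console.log(runHook({ request: { user: admin }, payload: { user: admin } }));
console.log(runHook({ request: { user: admin }, payload: { user: other } }));
```

With the e-mail test, a logged-in user opening their own "User Details" is indistinguishable from the assignable-list call and receives the assignable list.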


#5

I left a reply there, but it’s not the best news I’m afraid…