Esri / geoportal-server

Geoportal Server is a standards-based, open source product that enables discovery and use of geospatial resources including data and services.
https://gptogc.esri.com/geoportal
Apache License 2.0

Two factor authentication with AGOL: Hidden ORG role giving Geoportal users administrative capabilities #279

Closed AltitudeGIS closed 6 years ago

AltitudeGIS commented 7 years ago

We noticed after we implemented two factor authentication, some of our users who were NOT in the AGOL Geoportal Administrators group had administrator capabilities in Geoportal. This was very confusing since we created two AGOL groups we thought would delegate our Admins and Publishers.

Once we dug down deeper, we found out that Geoportal now was looking at the role field each user has in AGOL. Some of our users had a role named ORG_ADMIN. There seem to be only three roles that might fit in this role field: ORG_ADMIN, ORG_PUBLISHER, & ORG_USER...

Depending on the user and their role field designation, that user would get elevated privileges in Geoportal no matter what group they were in.

This was troublesome on our part so to temporarily remove this issue, we commented out the code in Geoportal that searched for that role field. Once we did that Geoportal's two factor authentication with AGOL worked as we wanted it to: only users in the AGOL Geoportal Administrators group had admin capabilities in Geoportal and only users in the AGOL Geoportal Publishers group had publisher capabilities in Geoportal.

This was problematic given our workflow, maybe not for others, but definitely for ours.

ericgibson commented 7 years ago

The PortalIdentityAdapter.java file gets the AGOL roles back in the json file, around line 396, see below:

```java
if (jsoResponse.has("role") && (!jsoResponse.isNull("role"))) {
    // "role": "org_admin", "org_publisher" or "org_user"
    String role = jsoResponse.getString("role");
    if (role.equals("org_admin") || role.equals("account_admin")) hasOrgAdminRole = true;
    if (role.equals("org_publisher") || role.equals("account_publisher")) hasOrgPubRole = true;
    if (role.equals("org_user") || role.equals("account_user")) hasOrgUserRole = true;
}
```

Then it assigns variable isAdmin and/or isPublisher to true if you have AGOL Org Roles OR if you are in Geoportal Admin or Publisher groups (created in AGOL), I commented out the AGOL Org Roles as seen below:


if ((adminGroupId != null) && (adminGroupId.length() > 0)) {
        if (isInAdminGroup) isAdmin = true;
        //if (hasOrgAdminRole) isAdmin = true;
    } else {
        //if (hasOrgAdminRole) isAdmin = true;
    }
    if (allUsersCanPublish) {
      if (hasOrgAdminRole || hasOrgPubRole || hasOrgUserRole) isPublisher = true;
    }
    if ((pubGroupId != null) && (pubGroupId.length() > 0)) {
        if (isInPubGroup) isPublisher = true;
    } else {
        //if (hasOrgPubRole) isPublisher = true;
    } 

This works, but I would like to add a parameter in the gpt.xml to control this functionality...

Anybody have any thoughts on doing it this way???
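Added example, not Geoportal's own code: the role-resolution logic from the snippets above extracted into a pure function, with a hypothetical `honorOrgRoles` switch standing in for the gpt.xml parameter proposed here. The `main` method runs the constructed case from the issue (a user who is ORG_ADMIN in AGOL but not in the Geoportal admin group) with the switch on and off; group ids and the case-insensitive role comparison are assumptions.

```java
import java.util.Locale;

public class AgolRoleResolver {

    /** Outcome of mapping an AGOL identity onto Geoportal privileges. */
    public static final class Result {
        public final boolean isAdmin;
        public final boolean isPublisher;
        Result(boolean isAdmin, boolean isPublisher) { this.isAdmin = isAdmin; this.isPublisher = isPublisher; }
        @Override public String toString() { return "admin=" + isAdmin + " publisher=" + isPublisher; }
    }

    /**
     * Mirrors the order of checks in the PortalIdentityAdapter snippet. Group membership
     * always counts; the AGOL org role counts only when honorOrgRoles (hypothetical) is true.
     */
    public static Result resolve(String agolRole, String adminGroupId, String pubGroupId,
                                 boolean inAdminGroup, boolean inPubGroup,
                                 boolean allUsersCanPublish, boolean honorOrgRoles) {
        // Assumption: normalise case so "ORG_ADMIN" and "org_admin" are treated alike.
        String role = agolRole == null ? "" : agolRole.toLowerCase(Locale.ROOT);
        boolean orgAdmin = role.equals("org_admin") || role.equals("account_admin");
        boolean orgPub   = role.equals("org_publisher") || role.equals("account_publisher");
        boolean orgUser  = role.equals("org_user") || role.equals("account_user");

        boolean adminGroupConfigured = adminGroupId != null && !adminGroupId.isEmpty();
        boolean pubGroupConfigured   = pubGroupId != null && !pubGroupId.isEmpty();
        boolean isAdmin = false;
        boolean isPublisher = false;

        // Admin: group membership, or the org role if the switch allows it (original code
        // granted it whether or not an admin group was configured).
        if (adminGroupConfigured && inAdminGroup) isAdmin = true;
        if (honorOrgRoles && orgAdmin) isAdmin = true;

        // Publisher: allUsersCanPublish was left untouched in the comment-out above, so it is
        // not gated; the org publisher role only applied when no publisher group was configured.
        if (allUsersCanPublish && (orgAdmin || orgPub || orgUser)) isPublisher = true;
        if (pubGroupConfigured && inPubGroup) isPublisher = true;
        if (honorOrgRoles && !pubGroupConfigured && orgPub) isPublisher = true;

        return new Result(isAdmin, isPublisher);
    }

    public static void main(String[] args) {
        // Constructed case: ORG_ADMIN in AGOL, not in the Geoportal admin group (group ids are placeholders).
        System.out.println("honorOrgRoles=true:  " + resolve("ORG_ADMIN", "ADMIN_GROUP_ID", "PUB_GROUP_ID", false, false, false, true));
        System.out.println("honorOrgRoles=false: " + resolve("ORG_ADMIN", "ADMIN_GROUP_ID", "PUB_GROUP_ID", false, false, false, false));
    }
}
```

With the switch off, only the two AGOL groups decide privileges, which is the behaviour the reporter wanted; with it on, the hidden org role grants admin regardless of group membership.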