User roles - Limit user from removing the last admin

I am building an app and am now implementing some user roles.

I have a Roles field in table Users. This field is a list. (Values: Create, Process, Admin)
One user can have more than one role.

I want to limit the user from removing the last admin user, so basically himself/herself from admin.

I tried this on the field in the table:

StephenSaid_0-1696875804533.png

The contents of Valid If are: 

COUNT( FILTER("Users", CONTAINS( [Roles], "Admin" ) ) ) > 1

As I understand, if this evaluates to True, then the field is valid. Is this logic right?

 

ACCEPTED SOLUTION

@takuya_miyai @StephenSaid @LIUZheng 

Another approach is to include a "Super Admin" role.  Then you can freely remove "Admin" without the need of special logic during editing.  

How you manage the "Super Admin" role depends on the app and the nature of admin assignment.  It may end up that special logic is simply moved to management of the "Super Admin" role.  Personally, I prefer, as App Creator,  to simply assign this role in the data directly.


First, Roles should be an EnumList type column. For lists you want to use the IN() function instead of CONTAINS().

I am not sure if you are using the expression in the correct place.  I assume you are removing users by deleting them?  If so, then it seems more appropriate to perform this check in the Delete button and show the button only when the user meets the criteria to be able to be deleted.  This might be:

OR(
    NOT(IN("Admin", [Roles])),
    AND(
        IN("Admin", [Roles]),
        COUNT( FILTER("Users", IN("Admin", [Roles]) ) ) > 1
    )
)

I hope this helps!        

Thanks, Willow

The field is actually EnumList. My bad in this post.

I am not deleting the user.  I am editing the user, and if the user being edited is the last user with admin rights, I do not want to be able to remove that right.

So basically, at least one user with admin rights must always exist.

I am using this expression in the Valid If of the field in the table.

This is almost working:

StephenSaid_0-1696885345426.png

This screenshot is showing the correct behaviour.

The issue I am having now is that if I remove any other role (apart from Admin), I still get the error!

StephenSaid_1-1696885423638.png

I changed the expression to the following, and it now works as expected.

IF( 
   NOT( IN(  "Admin", [_THISROW].[Roles]  )  ),
   COUNT( FILTER("Users", IN("Admin", [Roles]) ) ) > 1,
   TRUE
)

 

My strategy was to prevent a user from changing his own role, but allow him to change others with the same role level.

Admin can remove another one from admin, but cannot remove him/herself from admin. This guarantees the app always has at least one admin.

@StephenSaid @WillowMobileSys @LIUZheng 

Interesting subject.
I have been trying to come up with a different approach to the solution.
The approach is to add the app owner as a user, and the app owner must have Admin role.

First, prepare a user record with the App Owner's email address. (I believe this is usually well used)
Second, add the following Valid If setting to the Role column in the user table:

IF(Context("OwnerEmail")=[Email],
IN("Admin", [Roles]),
TRUE
)

This will require App Owner to have Admin role.
In other words, it avoids losing the Admin user.

 

@takuya_miyai 

Thanks for this solution. I'll try it out and comment later on. I think it is even better, since this way no other Admin user can remove the app owner from Admin.

Stephen

@takuya_miyai 

I cannot get this to work however I tweak it!

The validity never fails!

I am testing as the app owner.

So, if I edit the app owner user, and remove the Admin role, I should get an error.

I tried using [_THISROW] with Email, with Roles and with both. But nothing seems to work.

What am I missing?

IF( Context("OwnerEmail") = [_THISROW].[Email],
IN("Admin", [_THISROW].[Roles]),
TRUE
)

Be sure that the [Email] for the App Creator is exactly the same as that used by the App Creator to log into the AppSheet Account.  I would recommend capturing CONTEXT("OwnerEmail") value into a field/column and confirm it is the value you expect it to be.

That is the only thing I can see would be a problem, unless there is a mismatch in the spelling of "Admin".

@WillowMobileSys 

Tried this and the email is valid.

Also tried Context("OwnerEmail") = [Email]. Only the valid email came to true.
Anyway, I went with the SuperAdmin option... Working great.

Thanks

I also tried context("OwnerEmail"), but my case is simple with only one possible role, and it works. I put my expression below:

IF(Context("OwnerEmail")=[Email], [Authority]="Admin", TRUE)


Thank you
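The Valid If rules posted in this thread, modelled in Python as an added example (not code from any poster and not AppSheet syntax), checked against the invariant "at least one Admin always remains". It assumes FILTER("Users", ...) reads the saved rows while [_THISROW] holds the submitted values; the sample users, `rule_invariant` and all function names are constructed for illustration.

```python
# Added model of the thread's Valid If rules in Python; not AppSheet code.
# Assumption: FILTER("Users", ...) reads the saved table, while
# [_THISROW].[Roles] is the value submitted in the form.

def admin_count(users):
    return sum("Admin" in roles for roles in users.values())

def rule_count_only(users, email, new_roles, owner):
    # COUNT(FILTER("Users", ...)) > 1
    return admin_count(users) > 1

def rule_guarded(users, email, new_roles, owner):
    # IF(NOT(IN("Admin", [_THISROW].[Roles])), COUNT(...) > 1, TRUE)
    return admin_count(users) > 1 if "Admin" not in new_roles else True

def rule_owner(users, email, new_roles, owner):
    # IF(CONTEXT("OwnerEmail") = [Email], IN("Admin", [Roles]), TRUE)
    return "Admin" in new_roles if email == owner else True

def rule_invariant(users, email, new_roles, owner):
    # Hypothetical reference rule: apply the edit, then require an admin.
    return admin_count({**users, email: new_roles}) >= 1

RULES = {"count_only": rule_count_only, "guarded": rule_guarded,
         "owner": rule_owner, "invariant": rule_invariant}

# Constructed sample data: one admin (the app owner) and one non-admin.
USERS = {"owner@example.com": {"Admin", "Create"},
         "bob@example.com": {"Create"}}
OWNER = "owner@example.com"
EDITS = {
    "last admin drops Admin": ("owner@example.com", {"Create"}),
    "last admin drops Create": ("owner@example.com", {"Admin"}),
    "non-admin gains Process": ("bob@example.com", {"Create", "Process"}),
}

def verdicts(rule_name):
    """Map each constructed edit to True (accepted) or False (rejected)."""
    rule = RULES[rule_name]
    return {label: rule(USERS, email, roles, OWNER)
            for label, (email, roles) in EDITS.items()}

if __name__ == "__main__":
    for name in RULES:
        print(name, verdicts(name))
```

In this model, with a single admin saved, the guarded rule also rejects the edit to the non-admin row, while the owner rule and the reference invariant accept it and still block the last admin from dropping Admin.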
