Author: Lindqvist Andreas, Teknikhuset AB.

Published: 2004-06-10

Applies to: Content Studio ver. 4.x. The client must run Internet Explorer 6.0 or later

Type: How to


More information

Client-side script can check the caller's permission on a given Content Studio object and act on the result. If an HTML element can be identified, i.e. it has a unique ID set, you can hide, disable or format it as needed once the page has loaded. The page does not have to be submitted back to the server, which gives a richer end-user experience.

The idea is that the client prepares data and submits it to the server using the Microsoft.XMLHttp object, which Internet Explorer can instantiate on the client's machine. The data is received by an ASP page that makes the actual API call and returns its answer as XML that Internet Explorer can parse. Note that this only works in Internet Explorer, where Microsoft.XMLHttp is included. On the client side, XMLHttp receives the result and loads it into a DOM object that can be used to, for example, disable a button or a link.

In the code below, the ConnectionID and AdminURL parameters are inserted on the server side by a small snippet of ASP code. Insert the code in the page properties window in the webbitor, or put it in a .js script file and include that file in each page that should use the access check functionality. In the latter case you cannot set the ConnectionID and AdminURL parameters on the server side using ASP in the function itself, but you can lift them out as parameters to the accessCheck function and set them directly on the calling page instead.

<script language="jscript">
function accessCheck(AccessMask, ObjectID, ObjectType)
{
  // AdminURL and ConnectionID are filled in on the server side by ASP
  var AdminURL = "<%=Application("AdminURL")%>";
  var ConnectionID = "<%=Application("ConnectionID")%>";
  var http = new ActiveXObject("Microsoft.XMLHttp");
  // Build the request; encode each value so it cannot alter the query string
  var url = AdminURL + "CSSrv32_SecurityDialogAPI.asp?action=accesscheck&ConnectionID=" + encodeURIComponent(ConnectionID);
  url += "&TrusteID=0";
  url += "&ObjectID=" + encodeURIComponent(ObjectID);
  url += "&ObjectType=" + encodeURIComponent(ObjectType);
  url += "&DesiredAccess=" + encodeURIComponent(AccessMask);
  // Synchronous request (third argument false): send() returns when the answer has arrived
  http.open("GET", url, false);
  http.send(null);
  //Get the returned DOM object
  var dom = http.responseXML;
  if(dom.xml.length > 0)
  {
    /*Returned XML
    <root><access>grant</access></root>
    */
    var nod = dom.documentElement.selectSingleNode("access");
    if(nod != null)
    {
      if(nod.text == "grant")
        return true;
    }
  }
  // Anything other than an explicit grant is treated as deny
  return false;
}
</script>

You can call this function from the onload event of the document. For the correct values of the permission to check, see the access mask values. You can get the ID of the document via the global server-side variable CS_InsertedDocumentID. The ObjectType parameter, which identifies the type of object to check, can be one of the following string values: "C" (category), "D" (document), "U" (unit) or "R" (site root). It is also possible to check the caller's permission on the server side; see the article Programatically check the callers permission on the server side. The following JavaScript code checks the caller's read permission on the current document and notifies the caller via an alert: true for grant or false for deny.

<script language="javascript">
  alert( accessCheck(0x02, <%=CS_InsertedDocumentID%>, "D")); 
</script>

You can also check a combination of permissions; perhaps the caller must have both the permission to write and the permission to approve a certain document in order to do something. In that case you can write the following code:

<script language="javascript">
  //combine the 2 permissions by using the | (bit-wise OR) operator
  var mask = (0x04 | 0x100);
  alert( accessCheck(mask, <%=CS_InsertedDocumentID%>, "D"));
</script>
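
The onload usage described above, hiding or disabling elements by ID according to the result of accessCheck, can be wired up as follows. This is an added example, not code from the original article or from Content Studio: applyAccessRules, sampleRules, the rule fields and the element IDs are hypothetical names, and the check argument stands for the accessCheck function shown earlier.

```javascript
// Added example (not Content Studio code). applyAccessRules, the rule
// fields and the element IDs are hypothetical; check is the page's accessCheck.
function applyAccessRules(rules, objectID, objectType, check, getElement) {
  var cache = {};    // mask -> boolean, so each mask costs one blocking request
  var applied = [];  // what was done, for logging or testing
  for (var i = 0; i < rules.length; i++) {
    var rule = rules[i];
    var key = String(rule.mask);
    if (!cache.hasOwnProperty(key)) {
      try {
        // Only a strict boolean true counts as grant.
        cache[key] = check(rule.mask, objectID, objectType) === true;
      } catch (e) {
        // If the check throws (for example a failed request), fail closed.
        cache[key] = false;
      }
    }
    var el = getElement(rule.id);
    if (el == null) { continue; }  // element is not on this page
    if (cache[key]) {
      applied.push(rule.id + ":allow");
    } else if (rule.onDeny === "hide") {
      el.style.display = "none";
      applied.push(rule.id + ":hide");
    } else {
      el.disabled = true;
      applied.push(rule.id + ":disable");
    }
  }
  return applied;
}

// Constructed sample rules; the element IDs are made up for the example.
// 0x02 is the read mask and 0x04 | 0x100 the write-and-approve mask
// used in the article.
var sampleRules = [
  { id: "lnkOpen",    mask: 0x02,         onDeny: "hide" },
  { id: "btnSave",    mask: 0x04 | 0x100, onDeny: "disable" },
  { id: "btnApprove", mask: 0x04 | 0x100, onDeny: "disable" }
];

// In the page (browser only), wired to the onload event:
// window.onload = function () {
//   applyAccessRules(sampleRules, <%=CS_InsertedDocumentID%>, "D", accessCheck,
//     function (id) { return document.getElementById(id); });
// };
```

Hiding or disabling an element this way only shapes what the caller sees; the page that carries out the action still has to check the permission on the server side, as covered in the server-side article mentioned above.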
