FastComments.com

What is Access Control? Internal Link

With FastComments SSO Access Control, users can be restricted to only access certain pages, or comment threads. Additionally, users can only @mention each other in the same group.

In Detail

Users can be placed into groups, in which case they will only be able to access Pages where there is an intersection of said groups.

For example, if User A belongs to group GREEN, they will only be able to see Pages that include group GREEN.

Additionally, if User B belongs to group BLUE, then neither user will be able to @mention each other.

How it Works Internal Link

FastComments Access Control works by assigning Pages and Users into the desired groups.

A group is simply a string identifier, like GREEN or abc-123.

Users and Pages are not just limited to one group. They are limited to 100 and 1000 groups, respectively.

Accessing Unauthorized Pages

If a user tries to access a page they don't have access to, they will see an error message, like below:

Authorization Failure Example
Authorization Failure Example

The message text can be customized.

The Spec Internal Link

Defining how multiple users interact, and testing it, is complicated. Here is the following spec that we follow for access control, which you may use to test your implementation:

Page with null group ids, user with null group ids - should have access.
Page with group ids, user with null group ids - should have access.
Page with group ids, user with empty list - should NOT have access.
Page with group ids, user with group ids - intersection exists - should have access.
Page with group ids, user with group ids - intersection does not exist - should NOT have access.
Page with empty list of group ids (nobody has access), user with null - should NOT have access.

SSO User A = No group ids defined (null = full access).
SSO User B = No group ids defined (null = full access).
A can @B.

SSO User A = No group ids defined (null = full access).
SSO User B = Group ids defined.
A can @B.

SSO User A = Group ids defined.
SSO User B = No group ids defined (null = full access).
A can @B.

SSO User A = Group ids = [a].
SSO User B = Group ids = [b].
A can NOT @B.

SSO User A = Group ids = [a].
SSO User B = Group ids = [a, b].
A can @B.

Implementation Internal Link

Mentioning Users in Other Groups

If two users belong to two different sets of groups, and there is no intersection, they will not be able to @mention each other.

If a user manually types an @mention and submits their comment, it will remain as plain text. The other user will not be tagged.

Maintaining the Groups

Groups are defined using the Pages and SSOUsers API resources, respectively.

The Pages API can be invoked to define the set of groups allowed to access the page. By default, all groups, and users that do not belong to a group, have access.

Similarly, the SSOUsers API can be invoked to define the groups associated with each user.

For both resources, there are no limitations as to when the groups can be set or updated.

If it's only desired to limit users from @mention'ing each other, then Pages do not have to be taken into consideration.

Note!

Defining and updating the SSO user groups does not require using the API, and can instead be updated automatically by defining the group ids in the SSO payload passed to the comment widget. However, for large lists of groups, this is not recommended as the user would have to submit this payload for every page load.