With FastComments SSO Access Control, users can be restricted to only access certain pages or comment threads. Additionally, users can only @mention each other if they share at least one group.
Users can be placed into groups, in which case they will only be able to access pages whose groups intersect with their own.
For example, if User A belongs to group GREEN, they will only be able to see pages that allow group GREEN (or pages with no group restriction). If User B belongs to group BLUE, then neither user will be able to @mention the other.
FastComments Access Control works by assigning Users (and, optionally, Pages) to the desired groups. A group is simply a string identifier, like GREEN or BLUE.
Pages are not limited to just one group; a page can be assigned up to 1000 groups.
Accessing Unauthorized Pages
If a user tries to access a page they don't have access to, they will see an error message like the one below:
The message text can be customized.
Defining how multiple users interact, and testing it, is complicated. Here is the spec we follow for access control, which you can use to test your implementation:

Page access:
- Page with null group ids, user with null group ids: should have access.
- Page with group ids, user with null group ids: should have access.
- Page with group ids, user with empty list: should NOT have access.
- Page with group ids, user with group ids, intersection exists: should have access.
- Page with group ids, user with group ids, intersection does not exist: should NOT have access.
- Page with empty list of group ids (nobody has access), user with null: should NOT have access.

@mentions:
- SSO User A = No group ids defined (null = full access). SSO User B = No group ids defined (null = full access). A can @B.
- SSO User A = No group ids defined (null = full access). SSO User B = Group ids defined. A can @B.
- SSO User A = Group ids defined. SSO User B = No group ids defined (null = full access). A can @B.
- SSO User A = Group ids = [a]. SSO User B = Group ids = [b]. A can NOT @B.
- SSO User A = Group ids = [a]. SSO User B = Group ids = [a, b]. A can @B.
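The following is an added reference implementation of the spec above (it is example code written for this page, not FastComments' own code). It encodes the one detail that is easy to get wrong: a null group list (Python `None`) means "no groups defined" and grants full access, while an empty list is an explicit, empty set that denies access. The `resolve_mentions` helper, the `@name` mention syntax it parses, and the sample users are assumptions constructed for the example; it shows the behaviour described later on the page, where a typed @mention of a user outside the author's groups stays plain text and tags nobody.

```python
"""Reference check for the FastComments access-control spec (added example, not
FastComments' own code).

Group ids are plain strings. `None` = "no groups defined" (full access);
an empty list = an explicit, empty group set (page: nobody has access;
user: no access to restricted pages). Keeping None and [] distinct matters.
"""
import re
from typing import Dict, List, Optional, Sequence

GroupIds = Optional[Sequence[str]]


def has_page_access(page_group_ids: GroupIds, user_group_ids: GroupIds) -> bool:
    """True if a user with user_group_ids may view a page with page_group_ids."""
    if page_group_ids is None:           # page is unrestricted
        return True
    if len(page_group_ids) == 0:         # explicit empty list: nobody has access
        return False
    if user_group_ids is None:           # user has no groups defined: full access
        return True
    return bool(set(page_group_ids) & set(user_group_ids))  # needs an intersection


def can_mention(author_group_ids: GroupIds, target_group_ids: GroupIds) -> bool:
    """True if the author may @mention the target user."""
    if author_group_ids is None or target_group_ids is None:
        return True                      # a user with no groups can mention, and be mentioned by, anyone
    return bool(set(author_group_ids) & set(target_group_ids))


# Assumed mention syntax for this example: "@" followed by a word.
MENTION_RE = re.compile(r"@(\w+)")


def resolve_mentions(comment_text: str, author_group_ids: GroupIds,
                     users: Dict[str, GroupIds]) -> List[str]:
    """Return the usernames that actually get tagged by comment_text.

    Any @name that is unknown, or whose user the author may not mention, is
    left as plain text (i.e. not returned), so nobody outside the author's
    groups is notified.
    """
    tagged: List[str] = []
    for name in MENTION_RE.findall(comment_text):
        if name in users and can_mention(author_group_ids, users[name]) and name not in tagged:
            tagged.append(name)
    return tagged


# Constructed sample users, not real accounts.
SAMPLE_USERS: Dict[str, GroupIds] = {
    "alice": ["GREEN"],
    "bob": ["BLUE"],
    "carol": ["GREEN", "BLUE"],
    "admin": None,                       # no groups defined = full access
}


def run_spec() -> bool:
    """Check the implementation against every case in the page's spec."""
    page_cases = [
        (None, None, True),              # null page, null user
        (["a"], None, True),             # restricted page, null user
        (["a"], [], False),              # restricted page, user with empty list
        (["a", "b"], ["b"], True),       # intersection exists
        (["a"], ["b"], False),           # no intersection
        ([], None, False),               # empty page list: nobody has access
    ]
    mention_cases = [
        (None, None, True),
        (None, ["a"], True),
        (["a"], None, True),
        (["a"], ["b"], False),
        (["a"], ["a", "b"], True),
    ]
    return (all(has_page_access(p, u) is exp for p, u, exp in page_cases)
            and all(can_mention(a, b) is exp for a, b, exp in mention_cases))


if __name__ == "__main__":
    print("spec passes:", run_spec())
    # alice (GREEN) can tag carol (GREEN, BLUE) and admin (no groups), but not bob (BLUE)
    print(resolve_mentions("hey @bob and @carol, cc @admin @nobody",
                           SAMPLE_USERS["alice"], SAMPLE_USERS))
```

Note the order of the checks in `has_page_access`: the empty page list is tested before the null user, otherwise a user with no groups defined would be able to see a page that is meant to be visible to nobody.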
Mentioning Users in Other Groups
If two users belong to two different sets of groups with no intersection, they will not be able to @mention each other.
If a user manually types an @mention and submits their comment, it will remain plain text. The other user will not be tagged.
Maintaining the Groups
Groups are assigned to pages and to users using the Pages and SSOUsers API resources, respectively.
The Pages API can be invoked to define the set of groups allowed to access a page. By default, all groups, and users that do not belong to a group, have access.
The SSOUsers API can be invoked to define the groups associated with each user.
For both resources, there are no limitations on when the groups can be set or updated.
If the goal is only to restrict which users can @mention each other, then Pages do not have to be taken into consideration.
Defining and updating the SSO user groups does not require using the API, and can instead be updated automatically by defining the group ids in the SSO payload passed to the comment widget. However, for large lists of groups, this is not recommended as the user would have to submit this payload for every page load.