LogoFastComments.com

What is Access Control? Internal Link

With FastComments SSO Access Control, users can be restricted to only access certain pages, or comment threads. Additionally, users can only @mention each other in the same group.

In Detail

Users can be placed into groups, in which case they will only be able to access Pages where there is an intersection of said groups.

For example, if User A belongs to group GREEN, they will only be able to see Pages that include group GREEN.

Additionally, if User B belongs to group BLUE, then neither user will be able to @mention each other.

How it Works Internal Link

FastComments Access Control works by assigning Pages and Users into the desired groups.

A group is simply a string identifier, like GREEN or abc-123.

Users and Pages are not just limited to one group. They are limited to 100 and 1000 groups, respectively.

Accessing Unauthorized Pages

If a user tries to access a page they don't have access to, they will see an error message, like below:

Authorization Failure Example
Authorization Failure Example

The message text can be customized.

The Spec Internal Link

Defining how multiple users interact, and testing it, is complicated. Here is the following spec that we follow for access control, which you may use to test your implementation:

Page with null group ids, user with null group ids - should have access.
Page with group ids, user with null group ids - should have access.
Page with group ids, user with empty list - should NOT have access.
Page with group ids, user with group ids - intersection exists - should have access.
Page with group ids, user with group ids - intersection does not exist - should NOT have access.
Page with empty list of group ids (nobody has access), user with null - should NOT have access.

SSO User A = No group ids defined (null = full access).
SSO User B = No group ids defined (null = full access).
A can @B.

SSO User A = No group ids defined (null = full access).
SSO User B = Group ids defined.
A can @B.

SSO User A = Group ids defined.
SSO User B = No group ids defined (null = full access).
A can @B.

SSO User A = Group ids = [a].
SSO User B = Group ids = [b].
A can NOT @B.

SSO User A = Group ids = [a].
SSO User B = Group ids = [a, b].
A can @B.

Implementation Internal Link

Mentioning Users in Other Groups

If two users belong to two different sets of groups, and there is no intersection, they will not be able to @mention each other.

If a user manually types an @mention and submits their comment, it will remain as plain text. The other user will not be tagged.

Maintaining the Groups

Groups are defined using the Pages and SSOUsers API resources, respectively.

The Pages API can be invoked to define the set of groups allowed to access the page. By default, all groups, and users that do not belong to a group, have access.

Similarly, the SSOUsers API can be invoked to define the groups associated with each user.

For both resources, there are no limitations as to when the groups can be set or updated.

If it's only desired to limit users from @mention'ing each other, then Pages do not have to be taken into consideration.

Note!

Defining and updating the SSO user groups does not require using the API, and can instead be updated automatically by defining the group ids in the SSO payload passed to the comment widget. However, for large lists of groups, this is not recommended as the user would have to submit this payload for every page load.

Example API Calls Internal Link

Here we'll walk through calling the FastComments API to setup access control.

Before we begin, note that we don't have to explicitly create a Group structure. Groups are simply identifiers added to Users and Pages. Adding a group to a user or page automatically "creates" the group.

First, let's create two users, User A and User B, we'll start them out in Group X:

Create User A cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/sso-users?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "id": "user-a",
7 "username": "User A",
8 "email": "usera@example.com",
9 "groupIds": ["GROUP-X"]
10}'
11
Create User B cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/sso-users?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "id": "user-b",
7 "username": "User B",
8 "email": "userb@example.com",
9 "groupIds": ["GROUP-X"]
10}'
11

Now let's create a Page. We'll call it our Confidential Page, and so far none of these users will have access to it as it will be in the group CONFIDENTIAL:

Page POST cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/pages?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "title": "Confidential Page",
7 "url": "https://mysite.com/confidential",
8 "urlId": "https://mysite.com/confidential",
9 "accessibleByGroupIds": ["CONFIDENTIAL"]
10}'
11

Users A and B currently DO NOT have access to the new page. However, since they are in the same group, GROUP-X, they can @mention each other.

Let's update User B so they can now access the page:

Update User B cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/sso-users?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "groupIds": ["GROUP-X", "CONFIDENTIAL"]
7}'
8

User B now belongs to both groups. Our users can still @mention each other, but only User B can view our confidential page.

Let's make it so User B can only view the confidential page:

Update User B cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/sso-users?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "groupIds": ["CONFIDENTIAL"]
7}'
8

Now they can view the confidential page, but neither of our users can @mention each other, as they are in different groups.

However, any user that is not part of access control will be able to access our page. To prevent this, ensure no SSO Users have their groupIds set to null. For example, let's create User C, which has access to everything:

Create User C cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/sso-users?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "id": "user-c",
7 "username": "User C",
8 "email": "userc@example.com",
9 "groupIds": null
10}'
11

By setting groupIds to null, we say they are not limited by access control.

Now, let's create a page that everyone has access to:

Page POST cURL Example
1
2curl --request POST \
3 --url 'https://fastcomments.com/api/v1/pages?tenantId=demo&API_KEY=DEMO_API_SECRET' \
4 --header 'Content-Type: application/json' \
5 --data '{
6 "title": "Public Page",
7 "url": "https://mysite.com/public",
8 "urlId": "https://mysite.com/public",
9 "accessibleByGroupIds": null
10}'
11

By setting accessibleByGroupIds to null, we say this Page is not controlled via access control, and both users can access it.

This completes our API walk-through for Access Control.