Validating mobile screen roles when offline

I have a mobile app that has two roles. My screens are set up to not allow anonymous access. When I'm online everything works as expected, but in offline mode trying to access the screen takes me to the login screen. I made my screen anonymous to avoid the login screen and added an expression to show me the result of $public.Security.checkIfCurrentUserHasRole for my roles. The result is true, so even offline the system knows that the user had the roles, so why do I get a security exception when trying to access the screen when it's not anonymous? This seems like an oversight. I don't really want to make all my screens anonymous. Is there any way to use the checkIfCurrentUserHasRole against the expected screen roles in the Security Exception handler?

Hi Greg,

User roles are stored locally on the device on login and removed on logout.

So I think you need to be a logged in User first, for which you need to be online.

Then after logged in, the offline role checking should work when not online.

Regards,

Daniel

Hi Greg,

checkIfCurrentUserHasRole should work in offline because, as Daniel said, the roles are saved in the local storage, but this should only be used to control the UI. Since this is in the local storage it can be tampered with. When you reach the server you should check the roles again.

Regards,

Marcelo

Thanks Marcelo and Daniel,

checkIfCurrentUserHasRole does work when offline; however, I don't think I explained myself clearly. The problem I have is if the app isn't open and you open it while offline, the app considers the user to be logged out, i.e. GetUserId() returns 0, and it sends you to the login screen if the screen isn't anonymous. However, on an anonymous screen I can still successfully check if the user has a role. I wonder why there is a discrepancy between checking the roles when offline for screen access vs. checking the roles when offline using the JavaScript API.

Here's an example of what I see if the screen is anonymous with a user that has Role A and not Role B.

Online and logged in:

Offline and logged in: 

Offline and logged out (by restarting the app):

If the screen is not anonymous this last image would have been a login screen instead.


Would you consider it best practice to mark any screens that need to be accessible while offline as anonymous, or do you feel validating screen roles while offline is something OutSystems could/should add as a feature?

Solution

Hi Greg, 

The screen validation while offline works as long as you are logged in. Logging in when you are offline is a completely different subject, and the only way of doing it is by passing sensitive information to local storage, which is not safe. What you can do is force the user to log in online the first time, then store some information about that user to allow him to access the app offline on that device during the next X days.

Read this post where this was already discussed.

Regards,

Marcelo
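As an added illustration of the two points above (the cached roles only drive the UI, and the device is trusted only for a limited number of days), here is a small JavaScript model of that pattern. It is not OutSystems code: the Map stands in for the device's local storage, and the server-side lookup is a stand-in for a server action that re-checks roles on every request.

```javascript
// Added example (not OutSystems code): an offline role cache that is good
// enough to drive the UI but is never treated as authoritative.
// `store` is an in-memory stand-in for the device's local storage.
const store = new Map();
const DAY_MS = 24 * 60 * 60 * 1000;

// Called once after a successful online login: cache the user's roles
// together with an expiry so the device is only trusted for `ttlDays`.
function cacheSession(userId, roles, ttlDays, now = Date.now()) {
  store.set("session", JSON.stringify({
    userId, roles: [...roles], expiresAt: now + ttlDays * DAY_MS,
  }));
}

// Called on logout: the cached roles go away with the session.
function clearSession() { store.delete("session"); }

// Offline check used only to decide what to show. Returns false when there
// is no session, the cache is unreadable, or the cached session has expired.
function hasRoleOffline(role, now = Date.now()) {
  const raw = store.get("session");
  if (!raw) return false;
  let s;
  try { s = JSON.parse(raw); } catch { return false; } // garbled or edited
  if (!Array.isArray(s.roles) || typeof s.expiresAt !== "number") return false;
  if (now >= s.expiresAt) return false;
  return s.roles.includes(role);
}

// Server side (stand-in): the authoritative check, re-run on every request
// because anything held on the device can be edited by whoever holds it.
const serverRoles = new Map([[42, ["RoleA"]]]); // constructed sample data
function serverHasRole(userId, role) {
  return (serverRoles.get(userId) || []).includes(role);
}

// A request the UI let through is still refused when the server disagrees,
// so an edited local cache can at most unhide a screen, not grant access.
function handleRequest(userId, role, now = Date.now()) {
  if (!hasRoleOffline(role, now)) return "hidden";          // UI never shows it
  return serverHasRole(userId, role) ? "allowed" : "denied"; // server decides
}
```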

Solution

Thanks Marcelo,

Your suggestion and linked post led me down the right path. The problem was IdP mobile was logging me out because I didn't have the RememberLogin flag set to true. Now that I'm staying logged in I can open my app while offline and everything is fine, even without anonymous screens.