
Quickbase usertoken to supersede current user credentials/permissions


I have a custom button which is to query and possibly update an Administration App in Quickbase, which the current user doesn't require access to.

I have JS code which is executed on a button click by the user to check the admin app, etc...

My API call to check the app has the appropriate apptoken and usertoken. However, the browser still has the current user's session cached, so the API call errors out with an access denied error message.

I'm looking for either a way to make a hidden incognito window, to then execute this code, or a way to programmatically force the usertoken to supersede the current user access/permissions.

I've seen where Chrome extensions can use chrome.windows.create... but I have no experience with extensions, and ideally, I don't want to have to have an extension for just this functionality, and have to possibly install it on every user's PC for this to work...

Here is a snippet of my current code... This code does work if someone has permissions to the Administration App... but this code is residing in a different application:

    // Query the Administration App for the PreProc status record.
    var PreProcURL = "https://<domain>.quickbase.com/db/<dbid>?a=API_DoQuery&apptoken=<>&usertoken=<>&query={'3'.EX.'1'}";
    var PreProcQuery = new XMLHttpRequest();
    PreProcQuery.open('GET', PreProcURL, true); // true = asynchronous
    // Attach the handler before sending the request.
    PreProcQuery.onload = function(){
        console.log(PreProcQuery.responseXML);
        var RunBit = PreProcQuery.responseXML.documentElement.getElementsByTagName("runbit")[0].textContent;
        var SupportData = PreProcQuery.responseXML.documentElement.getElementsByTagName("supportdata")[0].textContent;
        if(RunBit != "1"){
            // Nothing is running: mark record 1 as in progress for this rid
            // (rid is defined elsewhere in the button code).
            $.get("https://<domain>.quickbase.com/db/<dbid>?a=API_EditRecord&rid=1&_fid_6=1&_fid_7="+rid+"&apptoken=<>&usertoken=<>");
        }else{
            if(SupportData == rid){
                alert("This PreProc File is already in progress... please wait.");
            }else{
                alert("Another PreProc is already in progress... please wait.");
            }
        }
    };
    PreProcQuery.send();

Thanks in advance for any assistance on this.


Solution

  • API calls executed in JavaScript that is hosted within quickbase.com (buttons, pages, etc.) will run as the logged-in user that triggered the script. The usertoken gets ignored.

    The most common way to accomplish what you are after is to write the API_DoQuery code on a server side location and then trigger it from your JS code.
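
A sketch of the server-side approach the answer describes, as an added example that is not part of the original post or answer: the check-and-claim logic from the question moves to a server function, so the usertoken stays out of the page source and the browser only sends `rid`. It assumes Node 18+ and hypothetical environment variable names (`QB_REALM`, `QB_DBID`, `QB_APPTOKEN`, `QB_USERTOKEN`); the URL shape, field ids and tag names are taken from the question's snippet.

```javascript
// Added example, not from the original post. Runs on a server (Node 18+), never in the page.
// Assumed, hypothetical env var names; realm and dbid defaults are placeholders.
const cfg = {
  realm: process.env.QB_REALM || "example",
  dbid: process.env.QB_DBID || "bxxxxxxxx",
  apptoken: process.env.QB_APPTOKEN || "",
  usertoken: process.env.QB_USERTOKEN || "",
};
// Constructed sample of the fields the post reads from the API_DoQuery response.
const SAMPLE_XML =
  "<qdbapi><errcode>0</errcode><record><runbit>1</runbit><supportdata>42</supportdata></record></qdbapi>";

// Build a URL in the shape the post uses; the tokens are attached here and nowhere else.
function buildUrl(c, action, params) {
  const url = new URL(`https://${c.realm}.quickbase.com/db/${c.dbid}`);
  url.search = new URLSearchParams({
    a: action, apptoken: c.apptoken, usertoken: c.usertoken, ...params,
  }).toString();
  return url.toString();
}

// Text of the first <tag> element in the XML response, or null if absent.
function field(xml, tag) {
  const m = new RegExp(`<${tag}>([^<]*)</${tag}>`).exec(xml);
  return m ? m[1].trim() : null;
}

// The decision the button code makes, returned as data instead of alert() calls.
function decide(xml, rid) {
  if (field(xml, "runbit") !== "1") return "claim";
  return field(xml, "supportdata") === rid ? "busy-same" : "busy-other";
}

// Body of the server route the button calls. `rid` is untrusted browser input, and
// this is the only operation exposed, so callers cannot run arbitrary queries.
async function preProc(rid, c = cfg, fetchImpl = fetch) {
  rid = String(rid);
  if (!/^\d{1,12}$/.test(rid)) return { status: 400, result: "bad-rid" };
  const res = await fetchImpl(buildUrl(c, "API_DoQuery", { query: "{'3'.EX.'1'}" }));
  const xml = await res.text();
  const err = field(xml, "errcode"); // Quickbase XML API status; "0" means success
  if (err !== null && err !== "0") return { status: 502, result: "upstream-error" };
  const result = decide(xml, rid);
  if (result === "claim") {
    await fetchImpl(buildUrl(c, "API_EditRecord", { rid: "1", _fid_6: "1", _fid_7: rid }));
  }
  return { status: 200, result }; // the reply carries the outcome only, never a token
}
```

Because the route acts with the token's permissions on behalf of any caller, it should still verify who is calling before running `preProc`.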