Is it a good approach to make relationship with all the User in the system with a Post when a user create it with visibility as everyone? Like one(Post) to many(User) mapping.
Or what will be the best approach?
Related
I'm currently working on a project where a user can have many roles, and each role has assigned one or many permissions. Permissions describe the actions that a user can apply to ressources. For example let's consider that I have three ressources that I can interact with using my API : users, books, payments.
I'd like to have all users able to update their personal informations like phone number... etc. This led me to give update permission on user's ressource for all users. But the problem is that I want them to be able to updates their own profiles only. Furthermore, some users have admin permissions and can change other users permissions, therefor they have another kind of update permission on user's resource.
So my question is : what's the best way to design the permission table. Below you can find my schema design. Thank you for your answers in advance.
User(firstName string, lastName string, roles Role[])
Role(name string, description string, permissions Permission[])
Permission(name string, effect 'Allow' | 'Deny', resource string, action string)
Well I am not entirely sure what you meant by resource and action. If you meant URI template and HTTP method, then ok. Otherwise you might need a different solution or somehow add parameters to your design if you want to allow or deny individual resources per id.
If we are talking about a REST API, which I assume, then you can do something like PATCH /api/v1/current-user/profile {...} for updating your profile and PATCH /api/v1/users/{user-id}/profile {...} to update somebody else's profile. If you meant controller classes and their methods, then you can do the same with two different controllers, something like CurrentUser.partialUpdate(params) and User.partialUpdate(params).
As of updating user permissions, I wonder how to do it, because you can update only role permissions and give or take away roles for the users in your model.
Another thing I don't understand that why do you need the allow|deny flags. If roles collide because users can have multiple roles or permissions collide, because you can both allow and deny the same thing, then how do you resolve it without a hierarchy? And if you don't have a hierarchy, then this flag is completely useless and just deny all and allow what is added to the role.
As of the one user multiple roles approach it is not a great idea, at least in places where people take security seriously a single account or at least a single session can have only a single role. Since this would make a lot of repetition I would solve this on a role level and make composite roles or support role inheritance. So for example the Administrator role would be the composite of the OwnProfileEditor and ProfileEditor sub-roles, which I would rather call Features or Capabilities or PermissionGroups rather than Roles.
Usually RBAC is not that flexible, so people tend to add per User Permissions to override Role Permissions. I would not do it, because you will end up with a mess if you follow that approach.
I have a question regarding an application that I am developing, I try to implement a Kanban solution.
I have separated the IdentityServer (Users, Roles, etc), from the module/app that I am implementing. (Tiered)
I would like to know how I should do to have user data in the module/app.
I mean, it should have the "duplicate" users table or from the module/app can refer to the context of the identityServer database...
I am a bit lost...
For trying to give an example.
IdentityDbContext { Users, Roles, etc }
ApplicationDbContext { Board, Columns, Tags, Cards, CardUser, ¿User? }
In CardUser I would like to have the users related to Card (an N-M relationship).
But I don't know if I should create an entity/DbSet in the ApplicationDbContext or just save the UserId and then for each UserId query data to db or do call to api to the IdentityServer.
I think it's hard for me to explain myself, I'm sorry if it doesn't make sense, I appreciate any kind of help/comment.
Thank you very much.
As per best practices, aggregate root can be referenced by its id, but it is recommended not to reference it with the navigation property.
We have implemented a similar case for EventHub. You can see how we implemented it from the links below.
https://github.com/abpframework/eventhub/blob/e19c32731655df8c78d082a84cb336263c5f081a/src/EventHub.Domain/Events/Speaker.cs#L10
https://github.com/abpframework/eventhub/blob/e19c32731655df8c78d082a84cb336263c5f081a/src/EventHub.Application/Events/EventAppService.cs#L366
You can try to create an Event to better understand the requirements of EventHub.
https://www.openeventhub.com/
I am using Titan Graph DB. I want to implement "follow" button in my page i.e I a page update something, it should be know to all follower. I dont know how does this follow mechanism work.
In social networking when we follow something we keep getting all updates from that page. How does it work? What is the idea behind implementing this in Graph DB.
Suppose I am following a page XYZ and there happend one update on XYZ. then how does it sends its update info to all followers.
Is it something that it will store update info for all individual
user in graph DB
OR Is it like when a user login it will check all page that it follow
for any new update?
OR something else
The process to trigger the notification has nothing todo with the underlying database you use. This is part of your business logic, how you design your application and how you notify all the listeners about the change.
A graph database will give you the opportunity to store the information about your users and theire tweets, or your sites and the follower in a more natural and semantic way.
In a graph database, you can store your Persons, e.g. John and Doe as Vertices and a relation or edge between them, labeled with follows. In your SQL database, you would store them in a separate table plus a table for your joins to store all the followers.
If you now have a new tweet, you have to join your tables in your SQL table to find all followers to notify. In a graph database, you just have to check the incoming edges on the person who wrote the tweet. Also, in the graph database, you could store the tweet as well, where an extra edge from the person who wrote it goes to the tweet, to have all the necessary informations for your notification at one place, instead of lots of lookups in SQL tables.
I am building a simple website that needs 3 user levels (member, mod, admin) and am currently using ACL that sets permission on a per-group basis. Now, this is all working out fine, but I am wondering if it would not be better to just have a role column in the users table that would contain a tinyint and go with that.
Why I am considering this is the following. Say I wanted to have an "admin bar" on the top of the page, I'd have to check in which group the user is, but group names can change and are not static, the role column would be. This raises the question, is ACL suited for websites that have such a simple permissions scheme?
Funny - I just recently wrote a simple Auth for scenarios like that - I called it "Tiny": http://www.dereuromark.de/2011/12/18/tinyauth-the-fastest-and-easiest-authorization-for-cake2/
It should be pretty much exactly just about what you need.
It does need the roles to be present in the Session Auth, though and that you manage user roles yourself. So you might have to add this to your login method if you want to use multi role Auth.
As you said - the core one is way to powerful and a real overkill for simple use cases.
Just one thing: call the field "role_id" and not "role".
This is what i use http://bakery.cakephp.org/articles/watermark86/2010/09/23/user-permissions-based-on-a-routing-prefix
Though acl is the right way but for small/simple cases like urs you can use this
I've been diving into CakePHP this year and I'm loving it! However, I've just run across a problem that I'm not sure how to handle. My database design is this--
USER can belong to one or more WEBSITE
A WEBSITE can have many USER
So I have a many-to-many relationship which is tracked in MEMBERSHIP
MEMBERSHIP also tracks what group_id the USER has for that WEBSITE.
For example, if user1 joins website3 as an administrator and website5 as a editor, then the MEMBERSHIP table has an entry reflecting both those roles.
Basically my problem is Cake's ACL. In the above-mentioned model, user1's group_id would change depending on which WEBSITE he's selected after logging in. (And he could subsequently change to even more websites within the dashboard by changing the group_id again and again). Cake's ACL appears to only handle 'user belongs to one group' period.
Can I trick the ACL by giving it the group_id from the session every time its changed and then reload the AROs? Would it make more sense to scrap ACL and create my own permissions module?
Any suggestions or ideas to point me in the right direction would be GREATLY appreciated!
i think it will be the best way to create your own permission module.
the reasons are quite simple:
you can modify/extend it in any way YOU want
you will not break any cakePHP specifications