Remove all ACL from user access of content using IBM WCM API - ibm-wcm

Is there a way to remove/reset user access from content item when we restart workflow of that content item using ibm WCM API?

You don't need to use custom workflow actions to reset it. Once you restart the workflow, the content will take the access from the current workflow stage.
Avoid giving administrator-defined privileges to workflow content:
keep all privileges as workflow-defined.
You can use APIs to reset access for content c as below:
c.removeMembersForAccess(Access.EDITOR, c.getMembersForAccess(Access.EDITOR));

Related

How to have a safe admin handling with reactjs and firebase

I would like to add functionalities depending on whether or not the user logged in is the administrator, but I don't really know which condition (for conditional rendering with delete buttons etc.) I should use to check if the user is the admin or not. Is it safe to do it based on the id of the user? In the first place, I thought about testing the user in every component I want him to have functionalities, with a state called "user" using recoiljs to get access to the user in the whole app, but I'm afraid people could change the state with the react tool extension and then pretend they are the admin and so delete articles and stuff... What's the best way to test if a user is the admin or not using firebase authentication in a react project?
It's never safe for client code to assume admin responsibilities without absolute enforcement from your backend. It's unsafe because client code can be compromised and might not work the way you expect. And it's running on a device that the user controls fully.
Client code can check some indicator to see if the user is admin (in whatever way you find suitable), but the final check needs to happen on your backend, either through security rules (if you're using Firebase products like Realtime Database, Firestore, or Cloud Storage), or in code running on a secure backend, including products like Cloud Functions.

how to prevent the clients from debugging the code in javascript using developer tool

We have an angularjs application where we have different roles associated with the users. For example, the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and add more features/screens for the Admin.
The userInfo with the Admin property is returned from the login response, and based on that we decide which menus and screens are to be rendered.
But if we use the developer tool, set a breakpoint where the admin property is used, and set the admin property to true, the user, even if he is a local user, would be able to access admin privileges.
In short, anyone who has some idea about the javascript code can get the admin privileges. Is there any idea other than minification of the code to prevent this kind of security threat?
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. If there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
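The server-side check that this answer and the Firebase answer above both call for, as an added example that is not part of either original post: the handler takes the role from the server's own session record, refuses by default, and logs a request that claims admin without having it. The names SESSIONS, ARTICLES, REQUIRED_ROLE and handle, the request shape and the tokens are all hypothetical.

```javascript
// Constructed server-side state: the role is set by the server at login,
// never copied from anything the browser sends.
const SESSIONS = new Map([
  ['tok-admin', { user: 'alice', role: 'admin' }],
  ['tok-local', { user: 'bob', role: 'local' }],
]);
const ARTICLES = new Map([['a1', 'first post'], ['a2', 'second post']]);

// Default deny: an action missing from this table is refused for every role.
// A Map is used so that names like "constructor" cannot hit Object.prototype.
const REQUIRED_ROLE = new Map([
  ['readArticle', ['admin', 'local']],
  ['deleteArticle', ['admin']],
]);

const auditLog = [];

// req (constructed shape): { token, action, body: { articleId, admin? } }
function handle(req) {
  const session = SESSIONS.get(req.token);
  if (!session) return { status: 401, error: 'not authenticated' };

  // body.admin mirrors the flag the client flipped in its debugger. It is
  // only recorded as a tampering signal and never used for the decision.
  const claimedAdmin = Boolean(req.body && req.body.admin);
  if (claimedAdmin && session.role !== 'admin') {
    auditLog.push({ user: session.user, action: req.action, note: 'client claimed admin' });
  }

  const allowed = REQUIRED_ROLE.get(req.action) || [];
  if (!allowed.includes(session.role)) return { status: 403, error: 'forbidden' };

  const id = req.body && req.body.articleId;
  if (!ARTICLES.has(id)) return { status: 404, error: 'no such article' };
  if (req.action === 'deleteArticle') {
    ARTICLES.delete(id);
    return { status: 200 };
  }
  return { status: 200, article: ARTICLES.get(id) };
}
```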

How can I automate applying permissions for a JCR node?

For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing an REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?
This tool lets you manage permissions in a centralised way, they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permissions properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule breaks the inheritance.
I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add permission to a single path or a given user/group. This will be applied on each restart of CQ to guarantee a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevents everyone from accessing CQ (i.e. it forces all users to login first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privileges below or set it to inherit permission from ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permission set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
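A linter for entries in the pattern given above, as an added example that is not part of the original answer or of CQ itself: it parses each entry, rejects unknown actions and privilege names, and warns when a sensitive privilege is allowed for everyone. Comma-separated privileges, the SENSITIVE set and the function names are assumptions of this example.

```javascript
// Privilege names exactly as listed in the answer above.
const PRIVILEGES = new Set([
  'jcr:read', 'rep:write', 'jcr:all', 'crx:replicate', 'imp:setComplete',
  'jcr:addChildNodes', 'jcr:lifecycleManagement', 'jcr:lockManagement',
  'jcr:modifyAccessControl', 'jcr:modifyProperties', 'jcr:namespaceManagement',
  'jcr:nodeTypeDefinitionManagement', 'jcr:nodeTypeManagement',
  'jcr:readAccessControl', 'jcr:removeChildNodes', 'jcr:removeNode',
  'jcr:retentionManagement', 'jcr:versionManagement', 'jcr:workspaceManagement',
  'jcr:write', 'rep:privilegeManagement',
]);
// Assumption: which privileges count as sensitive is this example's own policy.
const SENSITIVE = new Set(['jcr:all', 'jcr:write', 'rep:write',
  'jcr:modifyAccessControl', 'rep:privilegeManagement']);

function parseAclEntry(entry) {
  const parts = entry.split(';').map((s) => s.trim());
  if (parts.length !== 4) throw new Error(`expected 4 fields, got ${parts.length}`);
  const [action, privField, principal, path] = parts;
  if (action !== 'allow' && action !== 'deny') throw new Error(`bad action "${action}"`);
  const inherit = privField === 'inherit';
  // Assumption: several privileges in one entry are separated by commas.
  const privileges = inherit ? [] : privField.split(',').map((p) => p.trim());
  const unknown = privileges.filter((p) => !PRIVILEGES.has(p));
  if (unknown.length) throw new Error(`unknown privilege(s): ${unknown.join(', ')}`);
  if (!principal) throw new Error('missing principal');
  if (!path.startsWith('/')) throw new Error(`path must be absolute: "${path}"`);
  return { action, inherit, privileges, principal, path };
}

// One 'error' per malformed entry, one 'warn' per sensitive grant to everyone.
function reviewEntries(entries) {
  const findings = [];
  entries.forEach((raw, i) => {
    try {
      const e = parseAclEntry(raw);
      const risky = e.privileges.filter((p) => SENSITIVE.has(p));
      if (e.action === 'allow' && e.principal === 'everyone' && risky.length) {
        findings.push({ line: i + 1, level: 'warn', msg: `everyone gets ${risky.join(', ')}` });
      }
    } catch (err) {
      findings.push({ line: i + 1, level: 'error', msg: err.message });
    }
  });
  return findings;
}

// Constructed sample entries, not taken from a real configuration.
const SAMPLE = [
  'allow;jcr:read;content-readers;/content/secure', 'allow;jcr:all;everyone;/content',
  'permit;jcr:read;everyone;/', 'deny;jcr:reed;everyone;/content',
];
```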
If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there a reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.

ExtJS: best way to configure GUI for permissions at startup?

I'm working on a 100% ExtJS application; the browser downloads all the JavaScript and a single HTML file once; everything runs in the browser after that.
When all the panels are rendered at startup (i.e., when Ext.onReady() fires) I need some panels to be hidden depending on the user's permissions. Is there a common/best practice for configuring the GUI at startup depending on user permissions?
I think one solution might be to have some panels hidden by default. An AJAX call could be made at startup to get user permissions, and then panels could be un-hidden depending on those permissions. However, I suspect there are better solutions.
Any tips would be greatly appreciated.
Note: I understand that the front-end javascript can't be trusted as the sole mechanism for security checks and that the backend application would need to verify all the actions received from the front-end.
Why not just write a server-side script that outputs privileged client-side code based on the user's authentication status? Instead of having your client-side code fetch permission data and branch on them, just have the client-side hit a script that outputs the appropriate javascript.
So if you've got a special "SuperAdminPanel" component, the only way the client ever sees the code is if they hit your authentication-aware user-js script, and are recognized as a super-admin.
In the general case, such a script could just echo out the appropriate script for the currently-authenticated user's level. It could easily be extended to pass code or configuration specific to individual users, as well.

Authenticate and GetRoles of ActiveDirectory users in a disconnected WPF application via MembershipProvider

I have a project requirement where I need to authenticate against ActiveDirectory in a remote/disconnected WPF application.
There are probably several ways to attempt to do this, but what would be the best approach using ActiveDirectory's MembershipProvider?
I need to:
Authenticate that the user exists.
Obtain the AD user's groups and roles.
This needs to happen from a remote location, outside of the network Active Directory resides on.
From within a WinForms or WPF application you can now take advantage of "Client Application Services" (thanks MS for a very generic name, searching for help is now very painful!).
This allows you to connect to a WCF service that can validate the logins. The link above has a walkthrough that shows how easy it is to get it all working, once you have a working app you can modify your config to point to a different MembershipProvider and/or RoleProvider.
It's worth noting that the out-of-the-box solution includes a MembershipProvider named ActiveDirectoryMembershipProvider, but there's no RoleProvider for Active Directory.
If you do require the ability to get Roles (or Groups) and you are working with .NET 4.0 then you can take advantage of the new Active Directory API added that makes everything much easier, namely System.DirectoryServices.AccountManagement. For the most basic of Membership and Role services you'll want to have the following to create your own basic MembershipProvider and RoleProvider:
MembershipProvider.ValidateUser() - should use PrincipalContext.ValidateCredentials()
RoleProvider.GetAllRoles() - use a new GroupPrincipal() as a source to a new PrincipalSearcher()
RoleProvider.IsUserInRole() - use UserPrincipal.FindByIdentity() method to get a user, use GroupPrincipal.FindByIdentity() to get the group, then use the IsMemberOf() method on the user to see if they're a member of the group.
You can implement as little or as much of the API as needed, you should find everything you need in the new AccountManagement namespace to do this.

Resources