Scope/Group/Role/Permissions database architecture - database

I'm building an internal web app and struggling with some DB design theory.
I've already got roles & permissions set up with Laravel & Entrust, but I'm trying to add extra functionality of Scopes and Groups and I'm not quite sure how to achieve it.
Given the following scopes:
Company
Team
and these roles:
Admin
Editor
Author
and these groups (teams):
Sales
Development
Design
I've already added scopes functionality which works great, so I can have a permission assigned to an admin in the company scope, but I want to be able to assign permissions to admins in a team scope according to the team they belong to.
The application will be quite expansive, but to keep it simple here I'll focus on a couple of use cases that I need to satisfy: Team and employee profiles.
Team profiles
All employees can view all team profiles
A company admin can edit all team profiles
A team admin can edit their own team profile
Employee profiles
All employees can view all employee profiles
A company admin can edit all employee profiles
A team admin can edit employee profiles within their own team
An employee can edit their own profile
What's the best way to achieve this? Every time I try and approach it the solution feels overly complex and I bury myself in nested foreach loops. Is that just the bed I've made for myself or is there a better way to check for a permission against a role, scope & group at the same time?
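One way to answer the question without nested loops, as an added example that is not part of the question or of Entrust: store each role grant with the scope it applies in (a `role_user` row extended with `scope_type` and `scope_id`, assumed names), tag every resource with the chain of scopes that contain it, and make a single `can()` check that walks that chain. Team ids, permission names and users below are constructed.

```python
"""Scoped role assignments: one check for role, scope and group at once.

Added example, not code from the question or from Entrust. A role is
held *within a scope* (company or team); the check walks the resource's
scope chain and asks whether any assignment grants the permission there.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

# (role, scope type) -> permissions that role grants at that scope
ROLE_PERMISSIONS = {
    ("admin", "company"): {"team.edit", "employee.edit"},
    ("admin", "team"): {"team.edit", "employee.edit"},
}
PUBLIC_PERMISSIONS = {"team.view", "employee.view"}   # every employee
OWNER_PERMISSIONS = {"employee.edit"}                  # the profile's subject

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: Optional[int]                 # employee id for a profile
    scopes: FrozenSet[Tuple[str, int]]      # (scope_type, scope_id) chain

@dataclass
class User:
    id: int
    # (role, scope_type, scope_id): Entrust's role_user row plus two columns
    assignments: Set[Tuple[str, str, int]] = field(default_factory=set)

def can(user: User, permission: str, res: Resource) -> bool:
    if permission in PUBLIC_PERMISSIONS:
        return True
    if permission in OWNER_PERMISSIONS and res.owner_id == user.id:
        return True
    # one pass over assignments; no nested loops over scopes and groups
    for role, scope_type, scope_id in user.assignments:
        if (scope_type, scope_id) not in res.scopes:
            continue        # role held elsewhere, e.g. in another team
        if permission in ROLE_PERMISSIONS.get((role, scope_type), ()):
            return True
    return False

# constructed sample data: company 1 with teams 10 (Sales) and 20 (Development)
SALES_PROFILE = Resource("team", None, frozenset({("company", 1), ("team", 10)}))
DEV_PROFILE = Resource("team", None, frozenset({("company", 1), ("team", 20)}))
BOB_PROFILE = Resource("employee", 7, frozenset({("company", 1), ("team", 10)}))
COMPANY_ADMIN = User(1, {("admin", "company", 1)})
SALES_ADMIN = User(2, {("admin", "team", 10)})
BOB = User(7, {("author", "team", 10)})
```

In Laravel terms the two dictionaries become the `permission_role` table keyed by scope type and the resource's `scopes` is derived from its `team_id` and `company_id` columns, so adding a new group never adds a loop.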

Related

About Firebase Authentication with React

I'm doing this project these days and for that, I'm using Firebase with React. In my project, I have two types of users: 1. Student and 2. Teacher, so in my site I want to use the same email id to create an account for both stakeholders from one user, but Firebase is not allowing me because I can create only one account using the createUserWithEmailAndPassword() method. So how can I create a teacher account if I already have a student account with one email id?
I know this question sounds childish but I am still learning.
So please help me out.
If you go to https://console.firebase.google.com/project/your-project-name/authentication/providers and scroll down to advanced, you can find a setting for allowing only one or multiple accounts per email.
You cannot, however, create multiple accounts with the same login method. So you cannot have users create two accounts with email & password. One account could be with email & password and another could be Facebook login, for example.

Drupal 7 all Users of one role need to be accessible from other role

We are using Drupal Commerce in our website.
We have multiple roles in this website ex. Customer, Customer representative, Content editor and Admin.
Users with "Customer" roles will be allowed to purchase product and make orders, Edit profile.
Users with "Customer representative" roles will be allowed to manage all users that are having "Customer" role. Which will include profile edit of any customer, edit customer's orders etc.
We are not sure how to make this functionality working with Drupal7 and Workbench module.
Any suggestions/ideas?? Thanks in advance!
This module allows site builders to set up fine-grained permissions for allowing "sub-admin" users to manage other users based on the target user's role.
The module defines new permissions to control access to edit/delete users - more specific than Drupal Core's all-or-nothing 'administer users'. It also provides and enforces a 'create users' permission.
https://www.drupal.org/project/administerusersbyrole

How to activate company accounts through email after creating the company. RAILS

So this is my first question here on Stack Overflow; I always find the answer by looking here... so.
I have this issue: I have a Model named Company, which can have many users. What would be the "best approach" to create and activate a user account within this newly created Company?
Here is the process I am following:
Platform Admin creates a company. The company serves as a grouping account in which I will have a number of users, but I need to send an email after company creation to the Company admin in order to have him create his account so that he can manage the other company users. This email needs to have a hash so that it has some kind of reference to the company (avoiding the company selection in the form).
I'm using Rails 4.2.6 and Angular 1.5.
So I'm stuck after the company creation form.
In an email, send the Angular route URL which has the company hash that was just created. When the admin user clicks on that link your Angular route gets called, and then before it renders the view (I mean, use resolve in the AngularJS route), get the list of all the users and the company that just got created, where the admin user can select the user that he or she wants to activate.

Force.com: User vs Account vs Role vs Profile vs Owner

I'm starting out with force.com development, and I'm currently a little hazy about what the above terms all mean. Could someone give an overview, and if possible explain how permissions are defined on each one (if at all)?
User: a user who can login to Salesforce. Also includes customer and partner portal users.
Account: a business account, which usually represents a company and usually has child contacts (i.e. people in the company)
Role: a hierarchical group of users in an organization that is used as part of the sharing model. Users in higher roles have rights to see the records owned by users in lower roles (assuming their Profile allows it). Users do not have to belong to a role.
Profile: a collection of permissions and access rights for a user including CRUD permissions. A user must belong to exactly one profile. Also see about Permission Sets, which are a many-to-many relationship with users and augment profiles.
Owner: A user or group (queue) that owns a record. Record ownership along with the role hierarchy (and a few other things) control who can see the record.
To put it all together, you could say something like:
John Doe is a salesperson for ABC, Inc, and is a user in their organization. He is the owner of the Acme account. He has the Salesperson role, which is subordinate to the Sales Manager role, so his manager can see all his records. He has the Standard User profile, so he cannot perform administrative functions in Salesforce.
I'd also recommend that you take a look at the API doc, which explains all the entities and has relationship diagrams.

Suggestions for creating a multi-blog site in CakePHP with ACL 'memberships'

I've been diving into CakePHP this year and I'm loving it! However, I've just run across a problem that I'm not sure how to handle. My database design is this--
USER can belong to one or more WEBSITE
A WEBSITE can have many USER
So I have a many-to-many relationship which is tracked in MEMBERSHIP
MEMBERSHIP also tracks what group_id the USER has for that WEBSITE.
For example, if user1 joins website3 as an administrator and website5 as an editor, then the MEMBERSHIP table has an entry reflecting both those roles.
Basically my problem is Cake's ACL. In the above-mentioned model, user1's group_id would change depending on which WEBSITE he's selected after logging in. (And he could subsequently change to even more websites within the dashboard by changing the group_id again and again). Cake's ACL appears to only handle 'user belongs to one group' period.
Can I trick the ACL by giving it the group_id from the session every time it's changed and then reload the AROs? Would it make more sense to scrap ACL and create my own permissions module?
Any suggestions or ideas to point me in the right direction would be GREATLY appreciated!
I think it will be the best way to create your own permission module.
The reasons are quite simple:
you can modify/extend it in any way YOU want
you will not break any CakePHP specifications