I work on a social web application, and I really hesitate between using ACLs or using my own permissions system. I have worked for several days with ACLs to see how they behave and to see what I could and could not do.
In my application, members can set permissions on what they have (profile, photo album, etc.). I also need to set permissions for moderators who can check the content of a profile and photo albums, but do not have the right to modify or delete them, whereas the administrator has all rights.
For the profile, the user can decide to make it public, visible only by members, or visible only by friends. For this, I could perfectly well create a ProfileSettings table with different fields to see what information is visible and who can access the profile. The problem is if I want to implement a choice according to a list of friends, in the way Facebook does. I imagined the scenario with ACL, but I fear that the resources required are enormous. Creating an ACO for each profile is not bad, especially if the database includes 300 members, not to mention the need to save all the permissions according to each user's choice. So I am thinking of not allowing members to define which users can access their objects, but only groups.
There still remains the question about ACLs. In my case, is this a good idea? I also have to set permissions on the forums, e.g. a moderator can update a thread/post, a forum can be visible only by the admin/moderators, etc.
Where I am afraid to use ACL is that the slightest mistake can cause serious damage, but at the same time, it allows me to set up permissions faster.
Thank you for your help and your advice :)
The correct answer is probably "Yes, your use-case makes sense to use Cake's ACL."
However, I've tried a number of times to use ACL. The learning curve was too high/time consuming for me. I used it on an app and a few months in had the problem you mentioned - one small issue, and everything fell apart. And without knowing exactly what I was doing / what I needed to do to resolve, it became a nightmare. Not only that, but when I wanted to extend it or do ANYTHING other than the specific example, I couldn't get it to work.
From then on, I just built my own to the specific needs of the project.
If you have someone you know who uses it regularly and can teach you the ins and outs of Cake's ACL, then it might be fine to use it. Otherwise, I'd build my own. Even if it's not "better", at least if/when something goes wrong, you'll understand it enough to fix it.
I am using DNN 9.3.2 and Evoq 9.3.7.
I would like to paywall content in a section of the website with teaser content, i.e. so that they can read a part of the article but need to pay/log in to access the content. 'Members' would also need to be able to log in and bypass the paywall. Users would ideally be able to manage their account from here. The paywall would also need to be able to handle a complex pricing model, i.e. different prices for different user types, possibly different content available for different user types.
Would anyone be able to advise how best to do this with DNN/ Evoq, and which modules from DNN store (if any) would be useful?
Thanks!
I have never tried this, but in theory any shop solution should give you that functionality. Have a look at OpenStore, which is Open Source and free.
Or a News/Blog module that supports paid content, as EasyDnnNews.
I believe you'll have to brew your own or ask a specialist who knows what they are doing already. The basic principle is as follows:
Protect a page with a role - let's call it Patrons which only paying users will get
Create a page for users to pay on, and if successful, assign them the role
You can also do things like ensure that the role is only given for a certain time, and then the users must pay again.
If you have a subscription model, you would probably run a timer job or something to verify payments have happened again, and if true, extend the role assignment
So I am currently working on this project and I am confused on how to tackle this issue I am having.
I am creating this website that will go behind the scenes, take the data the user is providing us with, and check availability on various websites. I am confused about how the logistics of this would work. Would it make more sense to use APIs rather than create maybe a bot (I don't even know if this would work), or is there even a way to code it in myself?
A platform similar to the general idea of what operations would be used is vaccines.gov, where the system displays the availability of vaccines nearby (the value input by the user is a zip code). I just need to be pushed in a general direction as I am unsure how to approach this.
Thank you!
I love CakePHP, but cannot wrap my head around the ACL/Auth subject. Everything else comes together nicely, but when it comes to this, I am lost. On top of it, I cannot finish my application if this is not solved. Therefore, I desperately need your help.
Things to note:
I have tried a few of the plugins available, but to no avail.
I have used tutorials online as well as the latest CakePHP book by Mariano, with no success.
I have tried on my own, also to no avail.
Why is it so hard to get this accomplished?
These are my questions:
Is there any other way to handle Access Rights in a CakePHP application with Multiple Admin, users, etc?
For the possibility that ACL is the only/best way, how else could I approach this?
What could I possibly be doing wrong?
As you say that you have already tried a few of the available plugins, you have maybe already tried my own one: http://www.alaxos.net/blaxos/pages/view/plugin_acl It is mainly a graphical interface that allows you to set the ACL permissions when they are used to grant/deny access to actions.
My point here is that in addition to the plugin itself, I made available a very simple sample application http://www.alaxos.net/blaxos/pages/view/demo_plugins that uses this plugin. It may help you if you install it and look at the code, as the application has some public parts, and some parts protected by the ACLComponent.
This is one of the pains in Cake, the complexity of ACL.
Is there any other way? Well, yes. Yes, in the sense that you can cook up your own access rights management, and simply go around the cake's ACL implementation. For example, you could have a role based ACL where roles would be pretty much a fixed list. This can be accomplished in many ways, one of which was demonstrated with DarkAuth.
Furthermore, don't try to fit your app into Cake's ACL scheme if it doesn't suit you. Bake your own; Cake offers you the option of plugging in your own objects for auth/ACL stuff, so use it!
But do note that any feature-rich ACL system you want to create yourself might end up looking much like Cake's ACL, so first decide exactly what you need, and then look for a way to do it.
In any case, good luck!
I just recently wrote probably the most simple Auth - I called it "Tiny":
http://www.dereuromark.de/2011/12/18/tinyauth-the-fastest-and-easiest-authorization-for-cake2/
It should be just about what you need.
It does need the roles to be present in the Session Auth, though, and that you manage user roles yourself.
So you might have to add this to your login method if you want to use multi role Auth.
I am building a GAE app that allows users to share documents over different contexts. Nothing too fancy.
I want to use Gdata in such a way that it is the app that owns the documents, and not the users. This way, I shouldn't need any kind of tokens --one would think.
This is the main idea:
App user creates doc --> App creates doc and owns it --> user can RUD & share the doc
Is there any recommended way to authenticate using just a hard coded user & password?
The ClientLogin, up to now, seems to be the way to go.
http://code.google.com/apis/gdata/docs/auth/clientlogin.html
But I still have some doubts about the following:
Am I putting myself in a scenario of possible restrictions over other alternatives?
Is ClientLogin really the best way to go?
Could really use advice from others' experience here. Procrastination is killing me.
Cheers,
A.
If this is a personal project, and you've only got a very small group of users, the design might be OK.
One really good reason to use OAuth is that you won't need to store the account password somewhere. Instead you'll be able to implement a simple 'setup' process to get and store an access token. OAuth is also nice since you'll be able to restrict the access scope.
However, I must say, I find your question very vague -- so more specific answers are difficult.
The ways I can think of are:
Measure the time between actions.
Compare the posts' content (if they're too similar to each other) or, better yet, only the posted links.
Checking the distribution over a period of time the user is active (if the user is active, say posting once every hour, for a week, then either we have a superman or a bot here).
Some special activity expected: like in stackoverflow, I would expect users to press their user name link (top middle) to see their new answers, comments, questions etc.
(added by chakrit) Number of links in a post.
Not heuristic. Use some async JS for user login. (Just makes life a bit harder on the bot programmer).
(added by Alekc) Not heuristic. User-agent values.
And how could I forget Google's approach (mentioned below by Will Hartung): give users the ability to mark someone as Spam; enough Spam votes means this is a Spam user. (Calculating what is "enough" users is the work here.)
Any more ideas?
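As an added example (not code from the original answer or from any of the services named on the page), here is a small scorer that applies several of the listed heuristics to a user's posting history: time between actions, similarity of the posted links, a near-constant posting interval, link count per post, and the User-Agent check from the list. The sample posts, the thresholds and the weights are constructed for the example and are assumptions.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher
from itertools import combinations

URL_RE = re.compile(r"https?://\S+")

# Constructed sample data (not real traffic): a bot-like user and a human-like user.
BOT_UA = "libwww-perl/6.05"
BOT_POSTS = [
    {"time": datetime(2024, 1, 1, 10, 0, s),
     "body": "cheap pills http://spam1.example/ http://spam2.example/ http://spam3.example/"}
    for s in (0, 5, 10)
]
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
HUMAN_POSTS = [
    {"time": datetime(2024, 1, 1, 10, 0, 0), "body": "I think the answer is to use prepared statements."},
    {"time": datetime(2024, 1, 1, 14, 30, 0), "body": "Thanks, that fixed it for me."},
]

def link_count(body):
    """Number of links in a single post."""
    return len(URL_RE.findall(body))

def min_gap_seconds(posts):
    """Shortest time between two consecutive actions, or None for a single post."""
    times = sorted(p["time"] for p in posts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None

def max_link_similarity(posts):
    """Pairwise similarity of the posted links only (ignores surrounding prose)."""
    link_sets = [" ".join(sorted(URL_RE.findall(p["body"]))) for p in posts]
    link_sets = [s for s in link_sets if s]
    if len(link_sets) < 2:
        return 0.0
    return max(SequenceMatcher(None, a, b).ratio() for a, b in combinations(link_sets, 2))

def is_metronomic(posts, min_posts=20, tolerance=0.05):
    """Many posts at an almost constant interval (e.g. hourly for a week)."""
    times = sorted(p["time"] for p in posts)
    if len(times) < min_posts:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)

def score_user(posts, ua):
    """Return (flags, number of flags raised); thresholds are this example's assumptions."""
    gap = min_gap_seconds(posts)
    flags = {
        "too_fast": gap is not None and gap < 10,
        "repeated_links": max_link_similarity(posts) > 0.9,
        "metronomic": is_metronomic(posts),
        "link_heavy": any(link_count(p["body"]) >= 3 for p in posts),
        "suspicious_ua": "perl" in ua.lower(),
    }
    return flags, sum(flags.values())
```

Each heuristic is easy to fake on its own, as later answers point out, so the score is best used to route a post to moderation or a CAPTCHA rather than to reject it outright.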
I might be overestimating the intelligence of bot creators, but number 6 is completely useless against any semi-decent bot creator. Using the C# browser control to create your bot would pretty much render 6 useless. From what I've seen with that type of software, that's a pretty common approach.
Validating on the user agent is pretty much useless too; all of the blog spam I used to get was from bots appearing to be valid web browsers.
I used to get a lot of blog spam. I would literally be deleting hundreds of comments a day. I made use of reCaptcha and now I might get 1 a month.
If you really try to make something like this, I would attempt it by doing the following:
User starts off with no ability to post a url.
After X number of posts have been analyzed in relation to the other posts in the thread then give them access to post urls.
The user's activity on the site, the post quality, and whatever other factors you deem necessary will be a reputation for that user's IP.
Then, based on the reputation of the IP and the other IPs on the same subnet, you can make other decisions on whatever you want.
That was just the first thing that came to mind. Hope it helps.
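As an added example (not code from the answer above), the IP-reputation gate it describes: a user may not post URLs until a number of their posts have been analysed and both their own IP and its surrounding subnet have a non-negative reputation. The /24 aggregation, the post-count threshold and the sample quality scores are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

class IpReputation:
    """Per-IP reputation with a subnet-level view, as the answer suggests.

    quality values passed to record_post are assumed to come from analysing a
    post against the rest of its thread; here they are simply supplied by the caller.
    """

    def __init__(self, min_reviewed_posts=5, subnet_prefix=24):
        self.min_reviewed_posts = min_reviewed_posts  # posts analysed before URLs are allowed
        self.subnet_prefix = subnet_prefix            # assumption: /24 for IPv4
        self.reviewed = defaultdict(int)              # ip -> number of analysed posts
        self.score = defaultdict(float)               # ip -> accumulated reputation

    def record_post(self, ip, quality):
        """Record one analysed post; quality is in [-1.0, 1.0]."""
        if not -1.0 <= quality <= 1.0:
            raise ValueError("quality must be between -1.0 and 1.0")
        ip = str(ip_address(ip))  # normalises the textual form
        self.reviewed[ip] += 1
        self.score[ip] += quality

    def subnet_of(self, ip):
        return ip_network(f"{ip}/{self.subnet_prefix}", strict=False)

    def subnet_score(self, ip):
        """Summed reputation of every known IP in the same subnet (including ip itself)."""
        net = self.subnet_of(ip)
        return sum(s for other, s in self.score.items() if ip_address(other) in net)

    def may_post_urls(self, ip):
        """True once enough posts were analysed and neither the IP nor its subnet is negative."""
        ip = str(ip_address(ip))
        return (self.reviewed[ip] >= self.min_reviewed_posts
                and self.score[ip] > 0
                and self.subnet_score(ip) >= 0)
```

The subnet check means one badly behaved neighbour can hold back a good user on the same /24, so a real deployment would tune the prefix length and weights to its own traffic.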
The number of links in a post.
I believe I've read somewhere that Akismet use the number of links as one of its major heuristics.
And most of the spam comments on my blog contain 10+ links.
Speaking of which... you just might want to check out the Akismet API itself; they are extremely effective.
How about a search for spam related keywords in the post body?
Not a heuristic but an effective approach: You can also keep up-to-date with the stats published by StopForumSpam using their APIs.
Time between page visits is common I believe.
I need to add a comment section to my personal site and am thinking of asking people to give me their email address; I'll email them a "publish comment" link.
You might want to check if they've come from a Spam blacklist IP address (See http://www.spamhaus.org/)
There is another answer that suggests using Akismet for detecting spam, which I completely endorse.
However, they are not the only player on the block.
There is TypePad AntiSpam which uses the same heuristics as Akismet, as well as the same API (just a different URL and api key, the structure of the calls is the same). It can be safe to say they pretty much take the same approach as Akismet.
You might also want to check out Project Honeypot. From what I can tell, it can do a lookup based on the IP address of the user, and if it is a known malicious IP, it will tell you (harvester or something like that).
Finally, you can check LinkSleeve which approaches comment spam with what it claims to be a different way. Basically, it checks the links that are being linked to in comments, and based on where the links are going to, makes a determination.
Don't forget the ultimate heuristic: The "Report Spam" button that users can click. If nothing else, this gives you as administrator a chance to update your rule base for stuff that may be slipping through. Of course, you can simply delete the offending post and user right away as well.
I have some doubts about the 4th point; anyway, I would also add User-Agent. It's pretty easy to fake, but in my experience about 90% of bots are using Perl as UA.
I am sure there is a web service of some kind from which you can get a list of top SEO keywords; check the content for those keywords. If the content is too rich in keywords, suspect it as being spam.