I installed and configured RBAC in Yii2 with DbManager, but I don't get the "check" working with:
if (Yii::$app->user->can('waitAccess')) {
    echo "yes it is pending.";
} else {
    echo "nothing";
}
I made 3 users with my different roles, but each of them is able to see the first line despite not having the permission. "In my opinion"
This is my RbacController:
<?php
namespace console\controllers;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;

        // add "user2View" permission
        $user2View = $auth->createPermission('user2View');
        $user2View->description = 'user2 view';
        $auth->add($user2View);

        // add "user1View" permission
        $user1View = $auth->createPermission('user1View');
        $user1View->description = 'user1 view';
        $auth->add($user1View);

        // add "waitAccess" permission
        $waitAccess = $auth->createPermission('waitAccess');
        $waitAccess->description = 'wait for Access';
        $auth->add($waitAccess);

        // add "seeConfig" permission
        $seeConfig = $auth->createPermission('seeConfig');
        $seeConfig->description = 'Access to the administrative Config';
        $auth->add($seeConfig);

        // add "user2" role and give this role the "user2View" permission
        $user2 = $auth->createRole('user2');
        $auth->add($user2);
        $auth->addChild($user2, $user2View);

        // add "user1" role and give this role the "user1View" permission
        $user1 = $auth->createRole('user1');
        $auth->add($user1);
        $auth->addChild($user1, $user1View);

        // add "pending" role and give this role the "waitAccess" permission
        $pending = $auth->createRole('pending');
        $auth->add($pending);
        $auth->addChild($pending, $waitAccess);

        // add "superadmin" role and give this role the "seeConfig" permission
        $superadmin = $auth->createRole('superadmin');
        $auth->add($superadmin);
        $auth->addChild($superadmin, $seeConfig);
        $auth->addChild($superadmin, $user2View);
        $auth->addChild($superadmin, $user1View);
        $auth->addChild($superadmin, $waitAccess);
    }
}
Maybe someone has a clue what I could look for.
Update: This is my DB Structure
Update 2:
I solved it!
Stupidly, I didn't take a look at the default rules, where all users were written down. So everyone had access. Deleting that line and adding "pending" as the standard resolved it.
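As an added example (not code from the question or from Yii2 itself), here is an authManager configuration that reproduces the symptom next to the corrected one, plus the explicit assignment step the init action above lacks. The config file path and the user IDs 1 to 3 are assumptions made for the illustration.

```php
<?php
// common/config/main.php (path assumed). Yii2 treats every role listed in
// 'defaultRoles' as implicitly assigned to EVERY user, guests included, with
// no row in auth_assignment. Listing all roles here makes can('waitAccess')
// (and every other check) return true for everybody.
$weak = [
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            'defaultRoles' => ['pending', 'user1', 'user2', 'superadmin'],
        ],
    ],
];

// Corrected: only the role every user should hold by default stays implicit.
// Everything else must be assigned explicitly and is visible in auth_assignment.
$fixed = [
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            'defaultRoles' => ['pending'],
        ],
    ],
];

// Explicit assignments, e.g. at the end of RbacController::actionInit().
// User IDs 1-3 are constructed for this example.
$auth = Yii::$app->authManager;
$auth->assign($auth->getRole('superadmin'), 1);
$auth->assign($auth->getRole('user1'), 2);
$auth->assign($auth->getRole('user2'), 3);

// With $fixed, a user who has no auth_assignment row holds only 'pending':
//   Yii::$app->user->can('waitAccess')  -> true  (via the default role)
//   Yii::$app->user->can('seeConfig')   -> false (only user 1 passes this)
```

Checking the auth_assignment table after running the init action is the quickest way to confirm which users actually hold a role versus which ones only get it implicitly.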
Related
I'm trying to use the least privilege approach. I know how to grant directory or app reader privilege, but that would open the whole AAD and I want to be more selective. I also figured that an owner of an app could do that, but that would also allow the principal to read and modify the passwords. Is it even possible to grant access to only read password expiry for specific app/service principal?
resource "azurerm_role_assignment" "secret_checker_monitors_app_pwd_expiry" {
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.checker.object_id
  scope                = azuread_service_principal.another.object_id
}
I've tried this, but it complains about invalid scope. What would be the correct scope? I suppose some /aad/scope/.../x-y-z-object-id. What would be the correct role name? Or would I need a custom role? Which permission?
Someone tried something similar here and concluded it was not possible. Still hoping...
Use azuread_app_role_assignment instead:
resource "azuread_app_role_assignment" "secret_checker_monitors_app_pwd_expiry" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Application.Read.All"]
  principal_object_id = azuread_service_principal.checker.object_id
  resource_object_id  = azuread_service_principal.other.object_id
}

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

data "azuread_application_published_app_ids" "well_known" {}
The azurerm_role_assignment is for Azure resources. azuread_app_role_assignment was introduced in azuread provider 2.4.
I would like to make a setup function to put my bot up, but it has to be usable ONLY by admins.
if (message.content.startsWith("!setup")) {
    if (message.auther.admin) {
        //my code
    }
}
If you want to check if that user has the 'Administrator' permission just use this:
if(!message.member.hasPermission('ADMINISTRATOR')) return message.reply('No Perms!');
Assuming your admin role is named "Admin", the following code should do what you're wanting:
const adminRole = message.guild.roles.find(role => role.name == "Admin");
// If no role called "Admin" exists, adminRole is undefined and adminRole.id would throw,
// so the check falls through to the "no permission" branch instead.
if (adminRole && message.member.roles.has(adminRole.id)) {
    if (message.content.startsWith("!setup")) {
        //setup command code
    }
} else {
    message.reply("Sorry, you don't have permission to use this command!").catch(console.error);
}
You'll want the if statement for the admin check to be first, that way you can define all of your administrative commands within it. Otherwise, if you have more than one admin-only command you would have to have the admin check multiple times.
I'm currently developing a new website for an artists' organization. The administrator role is allowed to create accounts and some other node content; the created accounts have the same default role, called "artisan". Administrators are artisans as well. Artisans can create and edit their own content. Both administrators and artisans should be able to edit user profiles (all for admin, only their own for artisan). The fact is admin can create a user, but nobody (except user1) can save a user profile after editing it (but it works great for other nodes). Permissions have been checked multiple times. I have been searching everywhere with no success; what am I missing? I made very few changes; the only related code I wrote is the following:
<?php
function canardesign_system_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  switch ($form_id) {
    case 'oeuvre_node_form':
      $form['actions']['submit']['#submit'][] = 'canardesign_system_oeuvre_redirect';
      if (in_array('artisan', array_values($user->roles))) {
        $form['field_auteur']['#type'] = 'hidden';
        $form['field_auteur']['und']['#default_value'] = $user->uid;
      }
      break;
    case 'user_profile_form':
      if (in_array('artisan', array_values($user->roles))) {
        $form['actions']['submit']['#submit'][] = 'canardesign_system_user_profile_form_submit';
      }
      break;
  }
}

function canardesign_system_oeuvre_redirect($form, &$form_state) {
  $type = $form['#node']->type;
  if (isset($type)) {
    $node = node_load($form_state['nid']);
    $uid = field_get_items('node', $node, 'field_auteur')[0]['target_id'];
    $form_state['redirect'] = 'oeuvres/' . $uid;
  }
}

function canardesign_system_user_profile_form_submit($form, &$form_state) {
  drupal_goto('artisans');
}

/* default role when administrator (who is artisan as well) creates an account */
function canardesign_system_user_insert(&$edit, $account, $category) {
  global $user;
  if (in_array('artisan', array_values($user->roles))) {
    $account->role = 'artisan';
  }
}
?>
Thank you for your help.
I'm not sure if this is the cause of your issue, but calling drupal_goto() inside a submit hook is definitely problematic. It essentially shorts out the handling of the form.
This may be causing the issue by preventing other necessary code from executing.
You should instead set the redirect key of $form_state to the destination you would like the user to end up on.
Once the form handling is complete, Drupal will send the user there.
function canardesign_system_user_profile_form_submit($form, &$form_state) {
  $form_state['redirect'] = 'artisans';
}
Well, that's the trouble. The code is simple:
public function action_index()
{
    $post = $this->request->post();
    if ($post) {
        // if I type it like this, manually - it will work
        $success = Auth::instance()->login('admin', 'password');
    }
    if (isset($success) and $success) { echo "Пользователь залогинен"; }
}
Unfortunately it only logs in the first record in the database, which is admin, as it was in the table by the default config. If I create a new user like this:
$auth = Auth::instance();
$user = new Model_User();
$user->username = "Victor";
// manual hashing before save (the answer below explains why this is a problem)
$user->password = $auth->hash_password('psw123');
$user->email = "me#email.com";
$user->save();
and then use it like I said, only with real data as
$post["email"] or $post["username"] with $post["password"]
code:
if ($post) {
    // the values from posts: 'Victor' or 'me#email.com' & 'psw123'
    $success = Auth::instance()->login('me#email.com', 'psw123');
}
it will not log me in.
upd: I can't log in as admin, but everything works perfectly if I change the role to login (it's 1 in the database). But if the role is set to 2 (it's the admin role) it will not accept me, and does not even make an instance of Auth.
$post = $this->request->post();
$success = Auth::instance()->login($post['email'], $post['pass']);
if ($success)
{
    echo "SUCCESS!";
}
Once again, if the role is 2 (meaning admin) this will not succeed for me, unlike the login role.
What can be the reason for this problem?
I'm assuming you're using a default ORM auth driver. You don't need to hash your password when saving a new user - it is done automatically by a filter in the model. So saving a new user should look something like that:
$user = ORM::factory("user");
$user->username = "Victor";
$user->password = "psw123";
$user->email = "me#email.com";
$user->save();
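An added example, not the answer's or Kohana's own code, that extends the answer's snippet to the roles question raised in the update. It assumes the stock Kohana 3 ORM Auth driver, whose login only succeeds for users holding the "login" role, and the roles and roles_users tables from the default auth module; the helper names and the sample user are constructed here.

```php
<?php
// Stock Kohana 3 ORM Auth driver (assumed): Auth::instance()->login() checks
// that the user has the 'login' role before comparing the password. 'admin'
// is an ADDITIONAL role, not a replacement, so a user whose only roles_users
// row points at the admin role is always rejected.

/** Create a user and attach the given roles (helper written for this example). */
function create_user_with_roles($username, $email, $plain_password, array $role_names)
{
    $user = ORM::factory('user');
    $user->username = $username;
    $user->email    = $email;
    $user->password = $plain_password; // hashed automatically by Model_User, never pre-hash it
    $user->save();

    foreach ($role_names as $name) {
        // Load the role row by name; fail loudly instead of silently skipping a role.
        $role = ORM::factory('role', array('name' => $name));
        if ( ! $role->loaded()) {
            throw new Kohana_Exception('Unknown role :name', array(':name' => $name));
        }
        $user->add('roles', $role); // inserts one roles_users row
    }
    return $user;
}

/** True only when the user can pass the driver's role check AND holds admin rights. */
function can_log_in_as_admin(Model_User $user)
{
    $login = ORM::factory('role', array('name' => 'login'));
    $admin = ORM::factory('role', array('name' => 'admin'));
    return $user->has('roles', $login) && $user->has('roles', $admin);
}

// Sample user constructed for this example.
$victor = create_user_with_roles('Victor', 'me#email.com', 'psw123', array('login', 'admin'));

// $victor now has roles_users rows for BOTH role 1 (login) and role 2 (admin):
// Auth::instance()->login('Victor', 'psw123') succeeds and can_log_in_as_admin()
// is true. Keeping only role 2 reproduces the failure described in the update.
```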
How can I check that a user in a trusted domain exists, and after that, how can I check that the same user is not enabled?
Since this was posted on SO, I will assume you want a programming solution.
Since you didn't specify a language, I will also assume that PowerShell is acceptable.
Test if user exists in domain:
$netbiosdomainname = "DOMAIN"
$username = "johndoe"
try {
    # returns $true when the WinNT provider can resolve the account
    [adsi]::Exists("WinNT://$netbiosdomainname/$username,user")
}
catch {
    # ... user does not exist ...
}
See this article for why this needs try/catch.
Test if user enabled:
$user = [adsi]"WinNT://$netbiosdomainname/$username,user"
if ($user.AccountDisabled) {
    # ... account is disabled ...
}