I have Owner, admin and user roles.
There's only one owner and that's me.
How can I deny admins from editing or deleting me?
Owner has id 1 so if I'm going to check in isAuthorized() if the admin is not the owner I do this: $user['id'] != 1.
Now how am I going to check if the user being edited or deleted is the owner? I know how to get the user id with this: $this->request->params['pass'][0] but not the user role.
I don't think I'd have "owner" as a Role. It's much easier to allow someone to be a normal Role-type, then keep an owner_id field in the items table.
That way, you can leave Roles deal with the higher-level authorization, and in the individual items action/method, you can check for ownership (often done with a custom isOwner() function to keep your code DRY).
In your PostsController->edit($id) function as an example, you can do a find() on the Post, then compare its owner_id against $this->Auth->user('id') to make sure they can only edit if they're the owner.
If you want to retrieve Role and keep it available, you can do so in the AppController's beforeFilter with a normal find on the roles table based on the role_id field of the Auth->user.
I need to check the roles and grants given to users, but from the metadata tables.
Basically, I need the metadata table where I can query this using multiple roles, e.g. XXX, YYY, ZZZ. I need this to get the hierarchy of the roles that might have been granted.
I can do show grants OF role XXX - This'll give me all the users/ roles to which this role is granted, but I have to do for one role at a time.
If I do
SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE='XXX'
AND DELETED_ON IS null;
It gives me only the users who have been granted this role, not the roles themselves.
If I check the GRANTS_TO_ROLES table, it gives me the actual privileges given for that role, but not the other roles to which the particular role is granted.
What you can do is use the SHOW syntax rather than select:
show roles in account;
will give you the full list of roles (still coming from metadata). Not sure what exactly you want to do with them further, but in case you'd actually want to process the results as a query you can follow it by
select * from table(result_scan(last_query_id()));
and use it to join with other tables, or just to copy into some sort of temporary table and join further from there.
You mentioned the hierarchy. I suspect you want to see which roles are granted to other roles.
Try this:
show grants of role Your_Role
In the table returned you will see that some roles are assigned to other roles and to users, i.e. column granted_to.
I am trying to get all the roles a user is part of. In my case, the user is part of an admin role which inherits another role ingestor, this inherits another role analyst. If I query from snowflake like as follows:
show grants to user <userid>
This lists only the admin role but not other two roles (ingestor, analyst). If the same user logs into snowflake, he could see all three roles available for him in the role dropdown.
Need help to get all explicit roles irrespective of role inheritance.
As a start, the views "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS" and "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES" in combination have the information you need, but are only accessible to ACCOUNTADMIN.
You also have:
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."ENABLED_ROLES";
SELECT * FROM "MY_DATABASE"."INFORMATION_SCHEMA"."APPLICABLE_ROLES";
The latter looks like a good place to start.
Edit, early 2023:
If you want to make your own near-instant expanded GRANTS_TO_ROLES, you can follow these lines:
Get roles with SHOW ROLES; RESULT_SCAN()
Iterate over roles above with SHOW GRANTS TO ROLE <role>; RESULT_SCAN()
Iterate over ALL_USER_NAMES() with SHOW GRANTS TO USER <user>; RESULT_SCAN()
Finally create a SELECT statement with a recursive Common Table Expression expanding the nested roles
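The four steps above, and the earlier question about a user whose admin role inherits ingestor, which inherits analyst, worked through as an added example that is not part of either answer. The tables ROLE_GRANTS and USER_GRANTS, and the user names, are constructed assumptions standing in for the RESULT_SCAN captures the steps describe.

```sql
-- Constructed sample data mirroring the question on this page:
-- ADMIN inherits INGESTOR, INGESTOR inherits ANALYST, ALICE holds only ADMIN.
-- In practice these rows come from the SHOW captures in the steps above, e.g.
--   SHOW GRANTS TO ROLE admin;
--   INSERT INTO role_grants
--   SELECT "grantee_name", "name" FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
--   WHERE "granted_on" = 'ROLE' AND "privilege" = 'USAGE';
-- and, for users, SHOW GRANTS TO USER <user> ("grantee_name", "role").
CREATE OR REPLACE TEMPORARY TABLE role_grants (parent_role STRING, child_role STRING);
INSERT INTO role_grants VALUES
  ('ADMIN', 'INGESTOR'),
  ('INGESTOR', 'ANALYST'),
  ('SECURITYADMIN', 'ADMIN');   -- a second parent, to show fan-in is handled

CREATE OR REPLACE TEMPORARY TABLE user_grants (user_name STRING, role_name STRING);
INSERT INTO user_grants VALUES ('ALICE', 'ADMIN'), ('BOB', 'ANALYST');

-- Recursive CTE: start from each role granted directly to a user and walk
-- down through every role it inherits. PATH records the roles already visited
-- so a revisit is skipped; Snowflake rejects circular role grants, but the
-- guard keeps the query bounded if the captured rows are ever inconsistent.
WITH RECURSIVE effective (user_name, granted_role, effective_role, depth, path) AS (
  SELECT user_name, role_name, role_name, 0, ARRAY_CONSTRUCT(role_name)
  FROM user_grants
  UNION ALL
  SELECT e.user_name, e.granted_role, g.child_role, e.depth + 1,
         ARRAY_APPEND(e.path, g.child_role)
  FROM effective e
  JOIN role_grants g ON g.parent_role = e.effective_role
  WHERE NOT ARRAY_CONTAINS(g.child_role::VARIANT, e.path)
)
-- depth 0 is the explicit grant; depth >= 1 are the inherited roles that
-- SHOW GRANTS TO USER alone does not list
SELECT user_name, granted_role, effective_role, depth
FROM effective
ORDER BY user_name, depth, effective_role;
```

The same query run against a full ROLE_GRANTS capture gives the "expanded GRANTS_TO_ROLES" the answer describes, and an audit can then compare depth >= 1 rows against what each user was meant to reach.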
I found the best way to find all roles with inherited roles.
Just run the SQL below.
SELECT CURRENT_AVAILABLE_ROLES()
I need some help. I have three tables (admin, teacher, student) and I want to log them in from one login form. I also need to distinguish them as roles so that, for example, a student can't go to some page as a teacher.
I created three radio buttons for every table in login form.
Like * admin * teacher * student.
With using this:
<?= $form->field($model, 'role')->inline()->radioList(array(1 => 'admin',2 => 'teacher',3 =>'student'))->label('You are: '); ?>
How can I find and log in the user when the user puts in their username and password and clicks on one of the radio buttons to say who he is? I generated three models for each table using gii. So what and where must I write to make it work? Thank you for help!
If you have a table/model per role and you want to log in from the same form, then on your login form, besides the usual username and password fields, you'll also need a role field (some radio button where the user will have to specify what role they are). Otherwise, you won't know which table to query for username/password. Of course you can query all of them step by step, but what if there is a teacher and a student with the same username? Username has to be something unique if you have one login form, and that is not possible to achieve in case you have 3 tables for every type of user.
Another option would be to use one User table/model for all roles by simply adding an extra column, role. I think there's a role column inside the user table out of the box if you use the Yii2 Advanced Template. Probably this is where you can start from.
As for permission to access specific pages per role, what you need is ACL (Access Control filter in Yii2).
I found a few existing articles on how to achieve what you need.
http://yii2-user.dmeroff.ru/docs/custom-access-control - this is a simple example
http://code.tutsplus.com/tutorials/how-to-program-with-yii2-user-access-controls--cms-23173 - this is a bit more advanced
Hope that helps.
Is it possible to restrict access to records that are owned by a user by filtering out records with a certain criteria?
For example, I have Contacts set to private and I want to hide certain contact records that have a specific field value (criteria based sharing rule). This works fine for other sales users that don't own the record, but I need to remove visibility to these records from the actual owner of the record. Is that possible, or is there a way to accomplish that?
Thanks for any help.
You could change the owner of the Contact record to a placeholder user. Then the same mechanism that prevents other users from seeing the Contact will hide the record from the original owner as well.
If required, you could also create a lookup field to track the relationship to the user who can no longer access the record.
Separately, there is a dedicated salesforce.stackexchange.com site for asking Salesforce related questions.
I've seen this a lot on forums, or having a membership somewhere, so my question is this: a user can be banned by an admin, depending on the situation. This situation might be like not returning an item, or he did not follow the forum rules, or there is a situation where the forum or a shop does not need his service anymore. So obviously you can be banned forever or it can be temporary, and this can also be changed by the admin. Would I have to make a new table? Since the ban can be more than one type and it can be changed by the admin, how would I make a table? Not sure how to have an attribute for different types of bans...
You could add a field 'statusId' in the User table, and have all the possible statuses listed in a UserStatus table. No need for user_ID in the UserStatus table.
You could then use simple join queries to retrieve the status of a user, or a list of banned users, etc.
Hope this helps :)
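The statusId / UserStatus layout from the answer, as an added example that is not part of the answer, with constructed rows and the two queries it mentions. The BANNED_UNTIL and BAN_REASON columns are assumptions added to cover the temporary and admin-changeable bans the question asks about.

```sql
-- Lookup table of statuses; add a row here for each new ban type rather
-- than a new column or table on the user side.
CREATE TABLE user_status (
  status_id   INTEGER PRIMARY KEY,
  status_name VARCHAR(32) NOT NULL UNIQUE
);
INSERT INTO user_status VALUES
  (1, 'active'), (2, 'banned_temporary'), (3, 'banned_permanent');

-- One status per user; BANNED_UNTIL is only meaningful for temporary bans.
CREATE TABLE app_user (
  user_id      INTEGER PRIMARY KEY,
  username     VARCHAR(64) NOT NULL UNIQUE,
  status_id    INTEGER NOT NULL REFERENCES user_status(status_id),
  banned_until TIMESTAMP NULL,
  ban_reason   VARCHAR(255) NULL
);
-- Constructed sample rows
INSERT INTO app_user VALUES
  (1, 'alice', 1, NULL, NULL),
  (2, 'bob',   2, TIMESTAMP '2099-01-01 00:00:00', 'did not return item'),
  (3, 'carol', 3, NULL, 'broke forum rules');

-- Status of one user: the simple join the answer describes. A login handler
-- should run this check and refuse a session when the ban is still active.
SELECT u.username, s.status_name, u.banned_until, u.ban_reason
FROM app_user u
JOIN user_status s ON s.status_id = u.status_id
WHERE u.username = 'bob';

-- List of users banned right now: permanent bans, plus temporary bans
-- whose expiry has not passed yet.
SELECT u.username, s.status_name, u.banned_until
FROM app_user u
JOIN user_status s ON s.status_id = u.status_id
WHERE s.status_name = 'banned_permanent'
   OR (s.status_name = 'banned_temporary'
       AND u.banned_until > CURRENT_TIMESTAMP);

-- Admin lifts or changes a ban by updating the status row, nothing else.
UPDATE app_user
SET status_id = 1, banned_until = NULL
WHERE username = 'bob';
```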