Jackrabbit AccessControl - jackrabbit

I have an issue that I cannot find an answer for here or in the Jackrabbit documentation; I hope one of you can help with it.
I am doing the following:
admin creates "someuser"
admin creates the following node:
    /templates/templateall [
      jcr:uuid: a9b629a4-d1dd-4ba3-a602-629e4ca1a7fd
      jcr:mixinTypes: mix:referenceable, rep:AccessControllable
      label: templateall
      jcr:primaryType: nt:unstructured
      /templates/templateall/rep:policy [
        jcr:primaryType: rep:ACL
        /templates/templateall/rep:policy/allow [
          rep:privileges: jcr:all
          rep:principalName: someuser
          jcr:primaryType: rep:GrantACE
        ]
      ]
    ]
someuser tries to delete the /templates/templateall node and gets the following exception on save():
    javax.jcr.AccessDeniedException: /templates/templateall: not allowed to remove item
        at org.apache.jackrabbit.core.ItemSaveOperation.validateTransientItems(ItemSaveOperation.java:704)
        at org.apache.jackrabbit.core.ItemSaveOperation.perform(ItemSaveOperation.java:216)
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
        at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
        at org.apache.jackrabbit.core.ItemImpl.save(ItemImpl.java:329)
        at org.apache.jackrabbit.core.session.SessionSaveOperation.perform(SessionSaveOperation.java:64)
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
        at org.apache.jackrabbit.core.SessionImpl.perform(SessionImpl.java:361)
        at org.apache.jackrabbit.core.SessionImpl.save(SessionImpl.java:812)
Afterwards I try to delete /templates/templateall with the admin user, and the delete completes successfully.
Then I try the same thing but give user "someuser" jcr:all access on node /templates instead of on /templates/templateall; now "someuser" is able to delete /templates/templateall successfully.
So my conclusion from the first structure example is: "someuser" can remove any child of node /templates/templateall but not the node itself; it is necessary to grant jcr:removeChildNodes access on /templates to be able to do that.
Is my conclusion correct?
Thanks!!

I think yes. I don't know all the details about Jackrabbit security, but:
Removing a node in Jackrabbit modifies the parent node, because each node contains the list of child node ids.
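The least-privilege version of the second setup, as an added example that is not part of the original question or answer: instead of jcr:all on /templates, the admin grants someuser jcr:removeNode on /templates/templateall and jcr:removeChildNodes on /templates, which is exactly the pair JCR 2.0 (section 16.2.3 of the spec) requires for Node.remove(), for the reason the answer gives: removal rewrites the parent's child-node list. The code uses the standard javax.jcr.security API and Jackrabbit's JackrabbitSession/UserManager to resolve the principal; the class name RemoveNodeAcl, the helper names, and the assumption that someuser can already read /templates are mine, not the project's.

```java
import java.security.Principal;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;

/** Added example (not from the original post): grant only what Node.remove() needs. */
public class RemoveNodeAcl {

    /** Parent of an absolute path; the parent of "/x" is "/". */
    static String parentOf(String absPath) {
        int i = absPath.lastIndexOf('/');
        return i <= 0 ? "/" : absPath.substring(0, i);
    }

    /** The editable ACL at absPath: a not-yet-applied policy if one is offered, else the bound one. */
    static AccessControlList aclAt(AccessControlManager acMgr, String absPath) throws RepositoryException {
        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        for (AccessControlPolicy p : acMgr.getPolicies(absPath)) {
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        throw new RepositoryException("no access control list available at " + absPath);
    }

    static Privilege[] privileges(AccessControlManager acMgr, String... names) throws RepositoryException {
        Privilege[] privs = new Privilege[names.length];
        for (int i = 0; i < names.length; i++) {
            privs[i] = acMgr.privilegeFromName(names[i]);
        }
        return privs;
    }

    /** Adds an allow entry for 'who' at absPath; transient until the session is saved. */
    static void allow(Session adminSession, String absPath, Principal who, String... privNames)
            throws RepositoryException {
        AccessControlManager acMgr = adminSession.getAccessControlManager();
        AccessControlList acl = aclAt(acMgr, absPath);
        acl.addAccessControlEntry(who, privileges(acMgr, privNames));
        acMgr.setPolicy(absPath, acl);
    }

    /**
     * jcr:removeNode on the node itself plus jcr:removeChildNodes on its parent, because the
     * removal modifies the parent's child-node list. Assumes userId can already read the parent.
     */
    public static void allowRemoval(Session adminSession, String userId, String nodePath)
            throws RepositoryException {
        Authorizable user = ((JackrabbitSession) adminSession).getUserManager().getAuthorizable(userId);
        if (user == null) {
            throw new RepositoryException("unknown user " + userId);
        }
        Principal who = user.getPrincipal();
        allow(adminSession, nodePath, who, Privilege.JCR_REMOVE_NODE);
        allow(adminSession, parentOf(nodePath), who, Privilege.JCR_REMOVE_CHILD_NODES);
        adminSession.save();
    }

    /** Pre-flight check from the user's own session; mirrors what save() will enforce. */
    public static boolean canRemove(Session userSession, String nodePath) throws RepositoryException {
        AccessControlManager acMgr = userSession.getAccessControlManager();
        return acMgr.hasPrivileges(nodePath, privileges(acMgr, Privilege.JCR_REMOVE_NODE))
            && acMgr.hasPrivileges(parentOf(nodePath), privileges(acMgr, Privilege.JCR_REMOVE_CHILD_NODES));
    }

    /** The operation from the question, run as someuser. */
    public static void removeAs(Session userSession, String nodePath) throws RepositoryException {
        userSession.getNode(nodePath).remove();
        userSession.save(); // AccessDeniedException here if either privilege is missing
    }
}
```

Usage: `RemoveNodeAcl.allowRemoval(adminSession, "someuser", "/templates/templateall")` from the admin session, then `RemoveNodeAcl.canRemove(someuserSession, "/templates/templateall")` should return true and `removeAs(...)` succeeds. With the question's first ACL (jcr:all on the node only) canRemove returns false because the parent check fails, which is the save()-time AccessDeniedException shown above. Granting jcr:removeChildNodes on /templates lets someuser remove any child of /templates, not just templateall; if that is too broad, keep the templates under a per-user parent node instead.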

Related

RegOpenCurrentUser(KEY_WRITE) on newly created user

After I successfully create a new user and add the user to the built-in Administrators group, I would like to edit the newly created user's registry (this program runs elevated as admin). I called NetUserAdd(), NetLocalGroupAddMembers(), LogonUser(), and then finally LoadUserProfile() so the user's profile directory exists.
Excuse the sloppy code, but this is what I am doing after that:
    // hToken: the primary token returned by LogonUser() for the new user
    DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, &sa, SecurityImpersonation, TokenPrimary, &hNewToken);
    ImpersonateLoggedOnUser(hNewToken);
    HKEY hKey;
    LSTATUS stat = RegOpenCurrentUser(KEY_READ | KEY_WRITE, &hKey);
    // stat is 5 (ERROR_ACCESS_DENIED) when KEY_WRITE is added; it
    // returns 0 (ERROR_SUCCESS) when it's just KEY_READ
    RegCloseKey(hKey);
    RevertToSelf();
    CloseHandle(hNewToken);
The error is on the RegOpenCurrentUser() line. It errors out when I ask for write access to that user's HKU hive; it works perfectly fine if I use just KEY_READ.
Is what I am trying to do even possible? Is the user's registry hive even created yet, or does the user have to physically sign on to create it?
Ultimately what I would want to do is create GPOs for the new user.
If you already have the user profile loaded with LoadUserProfile(), you don't really need to use RegOpenCurrentUser() at all. You can instead use the hProfile field of the PROFILEINFO that LoadUserProfile() returns:
    hProfile
    Type: HANDLE
    A handle to the HKEY_CURRENT_USER registry subtree.
    ...
    When the LoadUserProfile call returns successfully, the hProfile member receives a registry key handle opened to the root of the user's subtree, opened with full access (KEY_ALL_ACCESS).

Securing system-generated nodes in firebase

I've been going through the rules guide but haven't found an answer to this.
App users are able to submit "scores" of different types, which are then processed in JS and written to a "ranking" node. I have it set up so that every time a new score is submitted, the rankings are automatically recalculated and a new child is written if the user doesn't exist or updated if the user exists.
My question is how to secure this "ranking" node. Everyone should be able to read it, nobody except the system should be able to write it. This would prevent people from submitting their own rankings and aggregate scores.
EDIT
This is the operation:
    Ref.child('rankings').child(uid).once('value', function (snapshot) {
      if (snapshot.exists()) {
        snapshot.ref().update(user); // user object created upstream
      } else {
        var payload = {};
        payload[uid] = user;
        snapshot.ref().parent().update(payload);
      }
    });
How would I add custom authentication to this call? Also, since I'm using AngularJS, is there any way to hide this custom token or would I have to route it through a backend server?
The key part of your problem definition is:
only the system should be able to write it.
This requires that you are able to recognize "the system" in your security rules. Since Firebase security is user-based, you'll have to make your "system" into a user. You can do this by either recording the uid from a regular user account or by minting a custom token for your "system".
Once you have that, the security for your ranking node becomes:
".read": true,
".write": "auth.uid == 'thesystem'"
In the above I assume you mint a custom token and specify thesystem as the uid.
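A complete rules file for the layout the question describes, as an added example that is not from the original answer: users may write only their own entry under a "scores" node (the name and the `$uid` layout are my assumptions, since the question does not show where scores are stored), while "rankings" is world-readable and writable only by the custom-token identity thesystem. The `auth != null` guard is the defensive form: an unauthenticated request has `auth` set to null, and the extra check makes the intent explicit rather than relying on how a comparison against null evaluates.

```json
{
  "rules": {
    "scores": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "rankings": {
      ".read": true,
      ".write": "auth != null && auth.uid == 'thesystem'"
    }
  }
}
```

On the second part of the question: a custom token that unlocks thesystem cannot be hidden inside an AngularJS app, because anything shipped to the browser can be read by the user. The ranking recalculation therefore has to run on a server (or a trusted worker) that holds the Firebase secret, mints the thesystem token, and performs the rankings write; the client only ever writes to its own scores/$uid path.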

How to grant user User Points after publishing content, while content's default is unpublished?

I'd like to grant users User Points when their added content of the content type 'Content', which is unpublished by default, is published. I tried this with the Rules module:
- Event: After saving new content
- Elements:
  * Content is of type: Content
  * Content is published
- Actions: Grant points to a user
So, when a user adds 'Content' content, they don't get any User Points and their content is unpublished. My idea was that they'd be granted the points after I - as moderator - had published their content. But apparently, they don't get points after I've done that with the rule I set up. What did I do wrong and how can I solve this?
Please check the Flag module, as my friend told me to.
STEP 1: create a flag named "Publish node and grant points to user".
STEP 2: go to Configuration -> Workflow -> Rules and create a rule with the event "A node has been flagged, under 'Publish node and grant points to user'" (the flag you just made).
Then set the action to "Grant points to a user" with:
    Data selector: flagged-node:author
    Points: 5
    Point category value: (select your category)
    Operation value: flagged-node:author
    Automatically approved
And you are done.
When the user posts the article it will be unpublished; when the admin publishes it and clicks "flag this item", the points will be granted to the user.
You could create a flag and name it "Publish node and grant points to user".
Then add a new rule with the event "A node has been flagged, under 'Publish node and grant points to user'".
For the actions "Publish this node" and "Grant points to a user", use this data selector: flagged-node:author

way to script an export of all AD users vcards

I'm looking for an easy way to export all Active Directory users' info into a unique vCard for each. There is some info I'd like to leave out of the vCard, like home phone and emergency contact. I've looked around the web and have had little luck finding anything. Any help would be appreciated.
I doubt there will be a very easy way. Ultimately, you need to:
- enumerate all your users (or a subset thereof)
- iterate over the resulting list of users
- export each user's data to a vCard
For the searching & iterating part, you can use a PrincipalSearcher to do your searching:
    using System.DirectoryServices.AccountManagement;

    // create your domain context
    using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
    {
        // define a "query-by-example" principal - here, we search for a UserPrincipal
        // this "QBE" user would give you the ability to further limit what you get back
        // as results from the searcher
        UserPrincipal qbeUser = new UserPrincipal(ctx);

        // create your principal searcher passing in the QBE principal
        PrincipalSearcher srch = new PrincipalSearcher(qbeUser);

        // find all matches
        foreach (var found in srch.FindAll())
        {
            UserPrincipal foundUser = found as UserPrincipal;
            if (foundUser != null)
            {
                ExportToVCard(foundUser);
            }
        }
    }
And now all that's left to do is create the ExportToVCard function :-) See e.g. this blog post with code samples and further links for help.
If you haven't already - absolutely read the MSDN article Managing Directory Security Principals in the .NET Framework 3.5 which shows nicely how to make the best use of the new features in System.DirectoryServices.AccountManagement. Or see the MSDN documentation on the System.DirectoryServices.AccountManagement namespace.
If you just want the data itself, I would take a look at Softerra's free LDAP Browser, found here.
Setup a profile for your directory server - once it's connected in the browser, you'll see the default schema for the BaseDN you've provided during the initial setup. On the server icon, right click, and hit "Export Data".
The export wizard will walk you through most of the process, but the important part is Step 3. If you want to find all users, just set your search filter to (objectClass=user), make sure your search scope is SubTree, and then then edit what attributes you want to return.
You'll have to process the results into vCards yourself, but this is the easiest/fastest way of getting all the users and the attributes that you want.

How preventing editing a node when this node has a specific workflow status

I use Drupal 7 and I would like to prevent the editing of some nodes by specific user roles when the node has a specific workflow state.
For instance, if the node has the workflow state "validated", a user with the role "contributor" is not able to edit it, but a user with the role "validator" is.
If the workflow state is "to validate", both user roles can edit it.
Is it possible to implement this kind of process with the modules "Rules" and "Workflow"?
You probably want to use hook_node_access($node, $op, $account). Create this hook in one of your modules. To potentially deny access on edit first add a check for $op == "update" then add your validation logic. To deny access return NODE_ACCESS_DENY otherwise return nothing or NODE_ACCESS_IGNORE.
A simple example would be as follows:
    function MYMODULE_node_access($node, $op, $account) {
      if (($op == "update") && ($node->type == "node_type_to_check")) {
        // Add your extra validation checks here (workflow state, $account roles)
        // ...and if you then want to block access, return the following
        return NODE_ACCESS_DENY;
      }
      // Returning nothing (NULL) is equivalent to NODE_ACCESS_IGNORE
    }
You will find more information about hook_node_access() in the Drupal 7 API docs.
WARNING: If you are logged in as the admin user (user 1) then you will be able to edit the node regardless of your hook_node_access() rules, so make sure that you test this with a "normal" user.
