I am CakeNoob so please accept my sincere apologies for this question.
After users Added their account in my Webapp, they are redirected to users/view where they can see their account details and edit them.
From here, there are links to achievement/add where people can add achievements to their profile. The User and Achievement model are nicely coupled through belongsTo and HasMany associations. Once a user adds an Achievement, it will be displayed in the users/view page via related Achievements.
Problem: Once I manually add an Achievement through achievements/add (and select the current user from the list(all)), it works fine.
But I want that achievements can only be added when users come from users/view, so I need to transport the user-id to achievements/add and then tell Cake that this is the user-id (foreign key) to use.
All users are logged in once they reach users/view so I guess the Auth session may help me.
I have tried many things but my knowledge is just too minor to solve this. Your solutions are appreciated!! Thanks
if you use "Auth" to register and login, you can use $this->Auth->user('id'); to get the user id throughout your application
You can save it with:
$this->data['User']['id'] = $this->Auth->user('id');
$this->User->save($this->data);
Related
For Django-reactjs project, I have a user model in django which has 3 boolean fields (is_admin, is_moderator, is_normal_user), and I also have 3 other models, I want to set permissions for each user type. The user can only create objects for 1 model only, the moderator is the only one that can edit a certain model field, and admins can do everything.
It might be a trivial question but I am a newbie in Django and React so If you could please tell me how can I handle it with custom permissions(some steps to follow) and also how these permissions are handled from React.
Thanks in advance!
You need to check if the user has permission every time he is making an action, so when the React app calls your Django API, it will provide an authentication token right? That tokens corresponds to a unique user, so you can just do an if statement:
if request.user.is_admin:
do_everything()
elif request.user.is_moderator:
do_other_stuff()
While in the react app you would need the information if the logged in user is a moderator, admin or a normal user, so you can display the pages accordingly. To get that info, you may want to implement a '/me' endopoint that returns info about the logged in user, containg his status.
If you have no idea what Im talking about, I strongly recommend you to take a look at this video: https://www.youtube.com/watch?v=0d7cIfiydAc
The whole subject is too long for a stackoverflow answer.
Contact me if you still have any doubts.
I've got a small review system built in AngularJS and Firebase and the only way to identify which review is made by which user is via the uid of the user. The idea is when you then click on the user's name, you should be taken to the profile of that user.
So I would then create a route looking like /profile/{{review.author.uid}} which could translate into /profile/facebook:123234243 for example.
My question is, does it pose a security threat showing the uid in the url like this? Can it be used for any malicious actions against a user's third party account etc?
I've tried looking through their website but I can't find anything on this subject.
EDIT: Note that I need a Firebase specific answer, not a generic one about database id:s.
I am exposing a page with a standardcontroller="account" to a force.com site facing the public. This page displays account specific data to the clients. Now when a customer logs in to my website I want him to have access to his account's data and only his account data. Here is the problem; the url for a page with a standardcontroller has a Id field, such as "https//www.myforcesite.force.com/AccountViewPage?Id=a82347dod". If a user changes a few keys on the Id, it is very easy for him to access other people's account page and bypass the login process. How can I prevent that.
I opened a ticket with salesforce but they told me its working as intended. I don't think a vulnerability to a trivial brute force attack should be intended so I want to know if there are any fixes?
Create one StandardController extension and check if the logged user in your website has the permission to view that account.
http://www.salesforce.com/us/developer/docs/pages/Content/apex_pages_standardcontroller.htm
What you are looking for is URL rewriting for force.com site.
For example, let's say that you have a blog site. Without URL rewriting, a blog entry's URL might look like this: http://myblog.force.com/posts?id=003D000000Q0PcN
With URL rewriting, your users can access blog posts by date and
title, say, instead of by record ID. The URL for one of your New
Year's Eve posts might be:
http://myblog.force.com/posts/2009/12/31/auld-lang-syne
I've been diving into CakePHP this year and I'm loving it! However, I've just run across a problem that I'm not sure how to handle. My database design is this--
USER can belong to one or more WEBSITE
A WEBSITE can have many USER
So I have a many-to-many relationship which is tracked in MEMBERSHIP
MEMBERSHIP also tracks what group_id the USER has for that WEBSITE.
For example, if user1 joins website3 as an administrator and website5 as a editor, then the MEMBERSHIP table has an entry reflecting both those roles.
Basically my problem is Cake's ACL. In the above-mentioned model, user1's group_id would change depending on which WEBSITE he's selected after logging in. (And he could subsequently change to even more websites within the dashboard by changing the group_id again and again). Cake's ACL appears to only handle 'user belongs to one group' period.
Can I trick the ACL by giving it the group_id from the session every time its changed and then reload the AROs? Would it make more sense to scrap ACL and create my own permissions module?
Any suggestions or ideas to point me in the right direction would be GREATLY appreciated!
i think it will be the best way to create your own permission module.
the reasons are quite simple:
you can modify/extend it in any way YOU want
you will not break any cakePHP specifications
i use auth componnet in my cakephp project
I add type field into users Mysql table
that enum type: admin, client
i need auth component to redirect admin's to CP page, and client to their profile page and only can access one conttroller..
ofcourse without using ACL or any others related
I'd recommend taking advantage of the isAuthorized() function that you can add in the controller, or the model. Set the AuthComponent::authorize = {'controller'|'model'} to choose which you want to use.
Then you write an isAuthorized() function in the model|controller that returns t/f on auth/not auth for each action. You can do some row-level checking as well, if you'd like.
Now, if instead you just wanted to redirect an admin to their correct pages on login/etc, you can add code to the beforeFilter() method (either in a specific controller, or in app_controller.php). In that, just check to see if the admin value set by the app is the same as the user's admin value (which will be stored by AuthComponent in the Session data, accessible by $this->Auth->User()). Then route appropriately to the admin/non admin areas.
isAuthorized() is the best choice.
i would recommend to separate the users from their groups in the database, so User habtm Group... but It is not a problem if user belongs to one and only one group
I do not recommend ACL for non record-level-based permissions system
Just something to pay attention to, but unless something has changed recently CakePHP does not support ENUM column types.
Your best bet is a Group model ( groups mysql table ) and a group_id field on the users table.
Then you can $hasOne = array( 'Group' ); in your User model.
From there you can follow any one of a HUGE number of group access control tutorials for the Auth Component via an easy google search for "CakePHP Auth User Group"