I have a table in my SQL2008 DB for Users and one for Roles and then the UserRoles bridging table. I am at the point where I have to RoleProvider to work and have decorated some of my Actions with [Authorize(Roles = "Administrator,Developer")]
I actually build the navigation on my site per user so the RoleProvider is just to prevent a lower level user from getting the URL from his Admin buddy and going to a page that he is not supposed to.
We build the site navigation on a per user base and have a mapping between the user, his role and the pages that the role he is in is allowed to see. I just want to know if there is any way to change the [Authorize(Roles = "")] to get the list of roles with permission to that action dynamically from my database? That way I do not have to go decorate all actions that I have, it will just be pulled from the DB as if by magic.
A simple example will be appreciated, thank you.
Jack
I basically wrote my own CustomAuthorize class that inherits from AuthorizeAttribute and in the OnAuthorization I did the look-up for access. If the user does not have access I basically do:
filterContext.Result = new HttpUnauthorizedResult();
filterContext.Result = new RedirectResult("/accessDenied");
Works, and I decorate my methods with: [CustomAuthorize]
Related
Need suggestion for database for our social network app
So we have a "GroupChat" class where we have an array of "_Users" class objects.
Now in this "_Users" array we want to add invited user aswell.
Example: "John" is a user who invited "Dave/dave#blah.com" but dave is yet to sign up.
But when we open the GroupChat and see the list of users, it should include the invited users as well.
So we are wondering if we should
1.create a new class "InvitedUsers" for invited users or
2.we should directly add invited users to "_Users" class with a flag signedUp=false. And when they signup we check if they already exists and overwrite the data.
Now Problems,
if we create new class "InvitedUsers" then we will have to fetch both the classes everytime which is make the app a bit slow
if we create these invited users directly into user class then parse-server automatically sends email to newly created users(which we dont want to until they sign up)
if we create these invited users directly into user class then we will have to check if the invited user already exists before signing up, if exists then just overwrite. which is doable without any problem?
Thanks
Your question has 2 votes to close as primarily opinion based by now. And indeed the answer is, whatever you like more.
To address your "problems":
I really don't see why this would make your app a bit slower
Well, why don't you adjust your parsing so that the signedUp=false is considered?
Why on earth should that be a problem? That's what databases do all day. Either do it in a transaction, or if your dbms has a built-in functionality use it (like MySQL's INSERT ON DUPLICATE KEY UPDATE)
I have created an integration profile CORE_AKTANA_DI through which data for objects will be loaded into my Salesforce instance through a third-party user. I have provided "View All" permission for all objects to that profile. However, since this is a global Salesforce org, hence, there is data for other countries as well in this instance.
I want the user with the profile to see only data of France i.e with country "FR". In this case, my only choice is to:
Remove the "View All" permission of the profile from all objects.
Give the user a role such as "FR-Corp".
Create sharing rules for all objects with "Private" OWD and share with this role.
The problem is that since this is an integration profile, I cannot assign a role to the user with this profile. Also, it is not plausible to create sharing rules since there are a lot of objects with private OWD.
Same problem occurs by assigning the user to a public group, i.e a lot of sharing rules need to be created.
In this case, please suggest me the easiest possible options.
Actually, how to solve your issue is dependent on business process you are trying to implement. There are few ways:
sharing by hierarchy: setting proper roles and checking 'grant access using hierarchy'
sharing rules: setting proper sharing rules, owner/criteria based
manual sharing: using button
sharing using apex: using share object of any corresponding object
I think, this document will be useful for you.
I don't think what you say is correct:
"The problem is that since this is an integration profile, I cannot assign
a role to the user with this profile."
In my org we have a few integration connections. Each connection is anchored by a SF user license which has both Role and Profile. You should likely give the integration it's own user license and name the user something like "Integration (Fr)" Set the Roll up with appropriate hierarchy position, permissions and sharing rules and once you've done all the token resets needed set as API login only & password never expires. That should do it unless I'm missing something.
Logical Question
Backend implementation
I am implementing User Management Module in Web application. I have three table User, Role and UserInterce. The user table has ManyToMany relationship with role table and Role table has ManyToMany relationship with User Interface table. So whenever Server return user object, the system will verify it's role and that role has access right to which user interface.
this is background overview of backend implementation.
Front End implementation
Whenever user login into the system,server will return user object. I want to implement access control in form basis. e.g. emp role do not have access right to add button where admin role has access right to add button. To implement form based access control i would require to create another table at server side which has information about ui fields and that will be has relationshiop with User Interface table.
can some one provide better way of doing same thing logically ?
If you don't need to have possibility to edditing role's permissions in runtime, the best way is to use spring JSP tag library and build your frontend using spring security tags
http://docs.spring.io/spring-security/site/docs/3.0.x/reference/taglibs.html
Otherwise, using some table for storing your permisssions is the only option to do that
I hope you're fine, this is my first question and I really don't know where to start from, so here it is,
I've been trying to build a sample with Microsoft Web api Template where I have to authorize users based on roles for example "Admin, Moderators, etc..." so, the thing is the I don't want to put all those roles on the top of the controller like
[Authorize ( Roles ="Admin, Moderators, etc...")]
I see this as not a good practice because What happens if I create another role in my db? I will have to modify the controller to add the new Role xD, really bad, isn't it? so the question is. How to extend some class like AuthorizeFilter to get the roles from database and validate with the controller? I mean if there is a user who is in the role admin authorize it and viceversa?
the other question is How to build a great authorzationfilter which can manage something like if a user if in Moderator Role but the only right he has is to user the Create action in the controller?
I hope you can help me with an example...
Thanks in advance
Ps. Sorry for my english
I agree role based authorization is somehow limited and authorize attribute is a bit rigid.
In some scenarios role based authorization is not enough, you need to extend it. You can introduce the permission concept. Instead of be a requirement that you have to be a member of a specific role to execute an action, you could state that to be authorized to execute an action you need a specific permission. So instead of authorize attribute you use RequiredPermisionAttribute. Of course you need to write RequiredPermissionAttribute as an authorization filter.
In the database you have the Permissions Table, the RolesTable, the RolePermissions table and UsersInRole table.
So a user can be a member of one or more roles. A role can have one or more permissions. A user has a specific permission if he/she is a memeber of a role that has that permission.
The required permission filter checks if the logged in user is a member of a role that has the permission, if not, then returns 401 not authorized.
This is a more flexible approach, actions are not tied to roles and roles don't have a fixed number of permissions.
i use auth componnet in my cakephp project
I add type field into users Mysql table
that enum type: admin, client
i need auth component to redirect admin's to CP page, and client to their profile page and only can access one conttroller..
ofcourse without using ACL or any others related
I'd recommend taking advantage of the isAuthorized() function that you can add in the controller, or the model. Set the AuthComponent::authorize = {'controller'|'model'} to choose which you want to use.
Then you write an isAuthorized() function in the model|controller that returns t/f on auth/not auth for each action. You can do some row-level checking as well, if you'd like.
Now, if instead you just wanted to redirect an admin to their correct pages on login/etc, you can add code to the beforeFilter() method (either in a specific controller, or in app_controller.php). In that, just check to see if the admin value set by the app is the same as the user's admin value (which will be stored by AuthComponent in the Session data, accessible by $this->Auth->User()). Then route appropriately to the admin/non admin areas.
isAuthorized() is the best choice.
i would recommend to separate the users from their groups in the database, so User habtm Group... but It is not a problem if user belongs to one and only one group
I do not recommend ACL for non record-level-based permissions system
Just something to pay attention to, but unless something has changed recently CakePHP does not support ENUM column types.
Your best bet is a Group model ( groups mysql table ) and a group_id field on the users table.
Then you can $hasOne = array( 'Group' ); in your User model.
From there you can follow any one of a HUGE number of group access control tutorials for the Auth Component via an easy google search for "CakePHP Auth User Group"