I want to provide role-based route access, e.g. there are two types of user: 1. Admin and 2. normal user.
If a normal user tries to access admin pages through the URL, then the user will be redirected to the dashboard page, and the same goes for an admin.
This is quite a lot of code you're asking for.
One thing you need to look into is Route Guards, which let you protect access to routes based on your own written criteria:
https://angular.io/guide/router#milestone-5-route-guards
You also need to pick a way to manage your roles and users. A popular way for Ionic is to use Firebase:
https://firebase.google.com/
A great tutorial for setting this all up is over at AngularFirebase.com (currently rebranding to Fireship.io).
It's a long tutorial, and you will need to follow an additional tutorial for setting up the login system as well, but it will get you to where you want to be.
Role Based Authorization With Firestore and Angular
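The redirect logic a route guard would carry, as an added example that is not part of the answer above or the linked tutorial. The Angular types are stubbed as plain interfaces so the decision runs outside the framework; the route data keys (`roles`, `fallback`), the `/login` target and the user shape are assumptions. In a real app the same decision sits in a `CanActivate` guard and the string result becomes a `UrlTree` via `router.parseUrl(...)`.

```typescript
// Added example (not code from the original answer): a framework-free sketch
// of an Angular-style route guard that decides, per route, whether the current
// user may enter and where to send them otherwise.

type Role = "admin" | "user";

// Assumed shape of the current user as returned by your auth service.
interface CurrentUser {
  uid: string;
  roles: Role[];
}

// Assumed: each protected route carries data.roles (roles allowed in) and
// data.fallback (where everyone else goes), e.g. in the route config:
// { path: 'admin', component: AdminPage, canActivate: [RoleGuard],
//   data: { roles: ['admin'], fallback: '/dashboard' } }
interface RouteData {
  roles: Role[];
  fallback: string;
}

// Guard result: true allows navigation; a string is the redirect target.
type GuardResult = true | string;

// Pure decision: unauthenticated users go to /login; authenticated users
// that hold none of the required roles go to the route's fallback page.
function decideAccess(user: CurrentUser | null, data: RouteData): GuardResult {
  if (user === null) {
    return "/login";
  }
  const allowed = data.roles.some((r) => user.roles.indexOf(r) !== -1);
  return allowed ? true : data.fallback;
}

// Route table covering both directions from the question: a normal user
// hitting /admin lands on /dashboard, an admin hitting /dashboard lands on /admin.
const ROUTES: Record<string, RouteData> = {
  "/admin": { roles: ["admin"], fallback: "/dashboard" },
  "/dashboard": { roles: ["user"], fallback: "/admin" },
};

function guardFor(path: string, user: CurrentUser | null): GuardResult {
  const data = ROUTES[path];
  if (data === undefined) {
    // Unknown path: deny by default rather than fall open.
    return "/login";
  }
  return decideAccess(user, data);
}

// Constructed sample users.
const admin: CurrentUser = { uid: "a1", roles: ["admin"] };
const normal: CurrentUser = { uid: "u1", roles: ["user"] };

console.log(guardFor("/admin", normal));    // "/dashboard"
console.log(guardFor("/dashboard", admin)); // "/admin"
console.log(guardFor("/admin", admin));     // true
console.log(guardFor("/admin", null));      // "/login"
```

A guard only steers navigation inside the browser; anyone can bypass it by calling the backend directly, so the Firestore security rules or API must check the role again on every read and write.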
I'm playing around with the CakeDC/Users plugin and I can't for the life of me figure out how to give permission for non-logged-in visitors (let's call them 'guests') to access things like my /pages/home, or if I was to do a Blog plugin, allow guests to see posts etc. (but not edit).
Is this possible using the 'permissions.php' file? It seems to only work for user groups (admin and user) rather than guests. Or do I have to play around with $this->Auth->allow() and $this->Auth->deny(), as in this post, which seems to make the permissions.php file kind of pointless...
RBAC permissions defined in CakeDC/Users are checked in the authorization step, which means you have a user already logged in (authenticated) requesting access to a specific controller/action.
All these checks happen in the core CakePHP AuthComponent per the plugin configuration.
You want to exclude specific pages from Auth, which is something managed outside of the plugin (for now). The right way to do that is using
$this->Auth->allow('yourAction');
in the controller's beforeFilter function.
This question comes from the following post:
OWIN cookie authentication get roles on client side
I've created a separate thread for the question since it is more general than one in the post above.
In short:
Let's say we have a web application with javascript as client side + ASP.NET web api as server side and also an identity server. Only authenticated users can access web api endpoints, some of them accessible only for specific roles of user.
Now the client side of application should show specific items based on what role user is in. For example: user in administrator role can see an extra tab: manage items. There are two approaches to achieve this:
When rendering the client-side application, one could call an endpoint in the web API which would return what roles the user has. Based on that result, show/hide items in the HTML.
When the application loads, an endpoint which returns how the structure should look (for example, a JSON string) would be called, and based on that structure the client application would be rendered. No show/hide of HTML on the client side based on roles in that case.
Now regarding the 1st point: some could argue that there is a security leak, since a malicious user can modify the HTML to see elements that he is not supposed to see. But in this case he will not see any content from the database and will not be able to load/update it, since he will not be authorized to do that based on his role, which is checked on the server side.
The 2nd point seems more valid since we keep all identity-related logic on the server side. And also all unnecessary content is not in the HTML (while in the 1st point it's hidden), so does that lead to better performance? In this case though, if for example developing an Angular application, the JSON structure of the application should include such information as the name of the Angular controller and the route, for example. Would that not add complexity to developing the application?
Assume that the application itself has a lot of roles and a lot of items should be visible/not visible based on these roles.
Pros/cons between the 1st and 2nd? Thanks!
I always stick with the first suggested point.
As you mentioned, the second choice will add more complexity for developing. For the 1st there is no security leak. If you don't want your users to modify the HTML and access forbidden areas in your application, simply use ng-if instead of ng-show. If you are not familiar with it: ng-if will not just hide the content with display: none;. It will completely remove it from the DOM, leaving the user unable to show that content, as it is not in the DOM.
Read this for more detailed explanation for ng-if and ng-show: what is the difference between ng-if and ng-show/ng-hide
I usually have an endpoint getting information about the user, including its role, and save that user into a service (factory). This gives me the flexibility to use it everywhere in the application and check whether the user has access to certain parts of it.
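The server-side check that makes approach 1 safe, as an added example not taken from the question or the answer above. It is a framework-free model of the web API: roles come from the principal the server established itself (the claims behind the OWIN cookie, which here is just a stubbed `principal` field), never from anything in the request body, so unhiding an element in the HTML or sending a forged role changes nothing. The endpoint names, role names and request shape are assumptions.

```typescript
// Added example (not code from the thread): minimal model of role checks on
// the web API side. The client-side ng-if only decides what is rendered;
// this is where access is actually enforced.

interface Principal {
  name: string;
  roles: string[]; // set by the server from its own session/cookie
}

interface ApiRequest {
  principal: Principal | null;    // null when unauthenticated
  body: Record<string, unknown>;  // attacker-controlled input
}

interface ApiResponse {
  status: number;
  body: string;
}

type Handler = (req: ApiRequest) => ApiResponse;

// Wraps a handler so it only runs for callers holding one of the roles.
// Anything the client claims about itself in req.body is never consulted.
function requireRole(roles: string[], handler: Handler): Handler {
  return (req) => {
    if (req.principal === null) {
      return { status: 401, body: "authentication required" };
    }
    const ok = req.principal.roles.some((r) => roles.indexOf(r) !== -1);
    if (!ok) {
      return { status: 403, body: "forbidden" };
    }
    return handler(req);
  };
}

// The endpoint behind the admin-only "manage items" tab.
const manageItems: Handler = requireRole(["administrator"], (req) => {
  return { status: 200, body: "item list for " + req.principal!.name };
});

// Endpoint that tells the client which roles to render menus for (approach 1).
// It reports the server's view of the user, which is all the client needs.
const whoAmI: Handler = (req) => {
  if (req.principal === null) {
    return { status: 401, body: "[]" };
  }
  return { status: 200, body: JSON.stringify(req.principal.roles) };
};

// Constructed requests. tamperedReq is a member who edited the HTML to reveal
// the tab and even claims the admin role in the body; the server ignores that.
const adminReq: ApiRequest = {
  principal: { name: "alice", roles: ["administrator"] },
  body: {},
};
const tamperedReq: ApiRequest = {
  principal: { name: "bob", roles: ["member"] },
  body: { roles: ["administrator"] },
};
const anonReq: ApiRequest = { principal: null, body: {} };

console.log(manageItems(adminReq).status);    // 200
console.log(manageItems(tamperedReq).status); // 403
console.log(manageItems(anonReq).status);     // 401
console.log(whoAmI(tamperedReq).body);        // ["member"]
```

With this in place the choice between ng-if and ng-show is about what the DOM contains, not about security: a forbidden request gets 403 regardless of what the page showed.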
I want to create a script that runs on a Google site. The script would perform a specialized calculation for a given user and then display the answer for the user. The script would depend upon user input, but the code itself should not be viewable by the user. I want the code to exist in a "black box" so that the calculation formula can be kept secret. Is this possible?
I searched the documentation, but only found this, which does not address this question:
https://developers.google.com/apps-script/guides/services/authorization#permissions_and_types_of_scripts
Whether your Apps Script is embedded in a site or written as a standalone script does not change a lot of things... the only difference will be the way you include it on a page as a gadget.
If it is embedded it will be available from a list of scripts in the page editing; if not, you'll have to use the .exec URL of the deployed web app.
Anyway, that does not change the way people will have access to the app.
You can define these parameters when you deploy the app (which is mandatory in both cases), allowing for anonymous access or requiring the user to be logged in.
If I understood you correctly, you would like to restrict the access to some people but not share the code.
Depending on how you defined the access mode above and whether you are using Google Apps inside a domain or not, you will be able to do it in 2 ways:
in a domain you can get the logged-in user's identity and use that to accept/deny showing the app.
in a "normal" Gmail account you will have to implement some sort of login feature to request a user name and password to give access to the active part of the app.
In both cases you never need to share the script itself; this sharing parameter is independent from the web app access.
I hope I understood your question correctly... if not, feel free to comment.
You might check out the Private Functions section of the following page. The example is similar to what you're referring to, I think.
https://developers.google.com/apps-script/guides/html/communication?hl=ru
I don't fully understand how they work and haven't used them myself, but I bookmarked it to figure out later. Maybe another user who understands Private Functions better can explain...
I have developed a web application using Google Apps Script's UiApp class which collects the data of work done by each associate and writes the data to my spreadsheet.
The problem I'm facing is that I have to share my spreadsheet with all the associates with write permission, which enables them to see others' data. I want to hide this sheet from all of them, but they should also be able to write data using the web application I shared.
Please let me know if you need more details or any code snippets.
Note: I have not used Google Forms because I need to change the list values dynamically based on the selection and the type of user.
You can deploy the app you have built with UiApp to be executed as "you" and allow access to anyone. The spreadsheet won't need to be shared anymore, but as it is, anyone (even anonymous if you are not in a domain) will be able to use it...
You'll have to implement access control yourself; again, this will be different in a domain or in a "normal" Gmail account (in a domain you can get the user's email, in a Gmail account you can't).
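The access control the two Apps Script answers above describe (restrict who may use the app while keeping the script and the sheet private), as an added example that is not code from the thread. It is written for a web app deployed to execute as the owner with access limited to the domain, so the script opens the sheet with the owner's rights while `Session.getActiveUser().getEmail()` identifies the caller (it is empty outside a Google Apps domain or for anonymous callers, which the code treats as a refusal). The decision and row-building logic is kept apart from the Apps Script globals so it can be run offline; the spreadsheet ID, the allow-list, the JSON request format and the row layout are all assumptions.

```typescript
// Added example (not code from the original answers): a web app that records
// an associate's work in a spreadsheet the associates themselves cannot open.
// Deploy as "Execute as: me", "Who has access: anyone in <your domain>".

declare const Session: any;         // Apps Script global, present only when deployed
declare const SpreadsheetApp: any;  // Apps Script global
declare const ContentService: any;  // Apps Script global

const SPREADSHEET_ID = "PUT-YOUR-SPREADSHEET-ID-HERE";                  // assumed
const ALLOWED_ASSOCIATES = ["alice@example.com", "bob@example.com"];    // assumed

interface WorkEntry {
  task: string;
  hours: number;
}

// Decides whether the caller may write and builds the row to append.
// The identity column comes from the server-side email, not from the form,
// so an associate cannot record work under another associate's name.
function buildRow(callerEmail: string, entry: WorkEntry, now: Date): string[] | null {
  const email = callerEmail.trim().toLowerCase();
  if (email === "" || ALLOWED_ASSOCIATES.indexOf(email) === -1) {
    return null; // anonymous, outside the domain, or not on the list
  }
  const task = entry.task.trim();
  if (task === "" || !(entry.hours > 0 && entry.hours <= 24)) {
    return null; // reject nonsense before it reaches the sheet
  }
  return [now.toISOString(), email, task, String(entry.hours)];
}

// Apps Script entry point; runs only when deployed, never offline.
function doPost(e: any) {
  const caller: string = Session.getActiveUser().getEmail(); // "" when unknown
  const entry: WorkEntry = JSON.parse(e.postData.contents);   // assumed JSON body
  const row = buildRow(caller, entry, new Date());
  if (row === null) {
    return ContentService.createTextOutput("access denied");
  }
  // The script (running as the owner) holds write access; the caller does not.
  SpreadsheetApp.openById(SPREADSHEET_ID).getSheets()[0].appendRow(row);
  return ContentService.createTextOutput("recorded");
}

// Constructed sample calls, runnable outside Apps Script.
const when = new Date("2020-01-02T03:04:05Z");
console.log(buildRow("Alice@Example.com", { task: "QA", hours: 2 }, when));
// [ '2020-01-02T03:04:05.000Z', 'alice@example.com', 'QA', '2' ]
console.log(buildRow("", { task: "QA", hours: 2 }, when));                    // null
console.log(buildRow("mallory@example.com", { task: "QA", hours: 2 }, when)); // null
```

Because each row is stamped with the caller's own address, you can also give associates a read-only view of their own rows (for instance a second sheet filled by the script) without ever sharing the master sheet.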
(Since apparently I can't comment, but to follow up on this question.)
Is there a best practice for running as something other than really yourself?
Say a team is managing it, or you're a contractor who won't stay with the company, and so your account and access are likely to go away.
I assume it results in creating a shared account, or perhaps a group or something? You start getting into all sorts of ACL issues. And a simple "run as yourself" doesn't seem like a good long-term solution.
We are creating a back end admin system and want to allow users in roles such as finance and membership to have access to certain areas. Ideally we would like to show only areas that you have access to in the navigation.
Using Umbraco 4.7+ and Razor. We are using the Microsoft role provider.
I was wondering if anyone knows how I could access the currently logged-in user's role?
DynamicNode has two methods that will be your friends here, HasAccess() and IsProtected(). Here's an example of how to filter and show only the nodes that the user has access to. Here's another one.
Using those methods you shouldn't need to get the roles of the currently logged-in user, but that's not hard to do either. Roles.GetRolesForUser() returns an array of the currently logged-in user's roles. For more information, refer to the documentation.