I created a permission for my system with this extension, and the other ones are working fine. As an example, I set a permission for the Page module, then I used the code below:
use yii\web\ForbiddenHttpException;

if (!\Yii::$app->user->can('page_module')) {
    throw new ForbiddenHttpException("You are not authorized to perform this action.", 403);
}
and it restricts access. I used these lines of code in the extension's controller, and it restricted access, but it is vulnerable because if I update the extension the code will be removed. And I didn't understand how to extend all controllers and set the permission. If there is another way, it is unknown to me.
Once you have set up the mdmsoft/yii2-admin extension, access is denied to all routes until you grant it. Rather than hard-coding Yii::$app->user->can('permission'), utilize the RBAC, which should be the only reason you installed mdmsoft/yii2-admin.
As Access Setup
Hopefully you're using Yii2's advanced template.
Initially, set up the as access behavior in your frontend/config/main.php:
'as access' => [
//This access behavior must be in frontend and backend.
//The 'as access' behavior will interfere with migrations if put in common.
'class' => 'mdm\admin\components\AccessControl',
'allowActions' => [
'site/*', //Allow by default to all.
'debug/*',
//'admin/*', //Leave commented out, unless setting up admin roles initially.
//Allow guests to do:
'ticket/ticket/index',
]
],
Setup RBAC
Go to the admin URL, something like ... app:port/admin
The RBAC hierarchy is like this:
User->Roles->Permissions->Routes
Example
-Joey
--Admin_Role
---- Admin_Permission
-------- app/controller1/*
-------- app/controller2/view
Setup RBAC
First add your routes.
Add your permissions.
Assign routes to your permissions.
Create your roles.
Assign permissions to your roles.
Assign roles to your users.
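The six steps above, carried out in code rather than in the admin UI, as an added example that is not part of the original answer or of mdmsoft/yii2-admin. It builds the hierarchy from the example (Joey -> Admin_Role -> Admin_Permission -> routes) with Yii2's native authManager, which is the same storage the mdm admin pages edit. It assumes the DbManager is configured and its migrations have been run, that routes are stored as permissions named by the route with a leading slash (mdm/yii2-admin's convention), and that Joey's user id is 1; the console controller name is made up for the example.

```php
<?php
// Added example: builds the RBAC hierarchy from the answer with Yii2's own
// authManager. Assumptions: yii\rbac\DbManager is configured as authManager,
// the rbac migrations have been applied, route permissions are named
// "/controller/action" or "/controller/*" (mdm/yii2-admin convention),
// and Joey's user id is 1.
namespace console\controllers;

use Yii;
use yii\console\Controller;
use yii\console\ExitCode;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;

        // Start from a clean slate. This also drops every existing assignment,
        // so never run it against a live database.
        $auth->removeAll();

        // Step 1: routes. Each route is a permission whose name is the route
        // itself; "/controller1/*" covers every action of controller1.
        $routes = [];
        foreach (['/controller1/*', '/controller2/view'] as $name) {
            $route = $auth->createPermission($name);
            $auth->add($route);
            $routes[] = $route;
        }

        // Step 2 and 3: a permission, with the routes as its children.
        $adminPermission = $auth->createPermission('Admin_Permission');
        $adminPermission->description = 'Everything an administrator may do';
        $auth->add($adminPermission);
        foreach ($routes as $route) {
            $auth->addChild($adminPermission, $route);
        }

        // Step 4 and 5: a role that holds the permission.
        $adminRole = $auth->createRole('Admin_Role');
        $auth->add($adminRole);
        $auth->addChild($adminRole, $adminPermission);

        // Step 6: give the role to Joey (user id 1 assumed).
        $auth->assign($adminRole, 1);

        $this->stdout("RBAC hierarchy created\n");
        return ExitCode::OK;
    }
}
```

Run it once with `php yii rbac/init`. From then on the `as access` behavior shown earlier does the checking: a request to controller2/view passes only if the current user can reach the `/controller2/view` permission through some role, which Joey can. Nothing has to be written into the extension's controllers, so the check survives an update of the extension, which was the concern in the question.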
I am trying to understand how it works, with no luck.
I can only see the routes beginning with /rbac/ ... and some with /gridview/ ... and /dynagrid/ ...
But no route related to my controller actions.
I thought that yii2mod/yii2-rbac worked like RBAC in Yii1 where I had permissions defined and checked in controller.
When - as before - I insert something like this :
INSERT INTO `auth_item` (`name`, `type`, `description`, `rule_name`, `data`) VALUES ('createCompany', 0, 'createCompany', NULL, 'N;');
and assign it to a user Admin it appears as a permission and not as a route in the permission view of Admin (rbac/permission/view/Admin)
The readme file did not help me - so how can I use yii2mod/yii2-rbac ?
What the yii2mod/yii2-rbac package provides is a web interface; it is not an alternative to the native RBAC implementation in Yii2:
Yii2-RBAC provides a web interface for advanced access control and
includes following features:
Allows CRUD operations for roles, permissions, rules
Allows to assign multiple roles or permissions to the user
Allows to create console migrations
Integrated with yii2mod/base
The base of this package is Yii2's RBAC; you can review part of its implementation here (only as an example).
Making a raw INSERT into the auth_item table does not make much sense as a way to understand how the RBAC works. The auth_item table keeps the records of the permissions and/or roles, which are separated by type: 1 = role, 2 = permission.
With yii2mod/yii2-rbac installed and configured in your project, you can open the different pages to create roles, permissions and routes and assign them to your users, as the docs indicate:
http://localhost/path/to/index.php?r=rbac/
http://localhost/path/to/index.php?r=rbac/route
http://localhost/path/to/index.php?r=rbac/permission
http://localhost/path/to/index.php?r=rbac/role
http://localhost/path/to/index.php?r=rbac/assignment
or if you have enabled pretty URLs, you may use the following URL:
http://localhost/path/to/index.php/rbac
http://localhost/path/to/index.php/rbac/route
http://localhost/path/to/index.php/rbac/permission
http://localhost/path/to/index.php/rbac/role
http://localhost/path/to/index.php/rbac/assignment
If you want to understand better how the Yii2 RBAC works, you can review it from here.
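The createCompany permission from the question, created through the authManager API instead of a raw INSERT and then enforced in a controller, as an added example that is not part of the original answer or of yii2mod/yii2-rbac. The CompanyController, the Admin user's id (1) and the one-off setup method are assumptions for the illustration; a real project would put the setup in a console command or migration.

```php
<?php
// Added example: the API way to create the permission the question inserted
// by hand, plus the check the asker wanted in the controller.
// Assumptions: DbManager is the configured authManager, the Admin user has id 1,
// and CompanyController is a placeholder name.
namespace app\controllers;

use Yii;
use yii\db\Query;
use yii\rbac\Item;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class CompanyController extends Controller
{
    /**
     * One-off setup. The manager writes the auth_item row itself, with
     * type = 2 (Item::TYPE_PERMISSION); the INSERT in the question wrote
     * type 0, which is neither a role (1) nor a permission (2).
     */
    public static function setUpCreateCompanyPermission(): int
    {
        $auth = Yii::$app->authManager;

        if ($auth->getPermission('createCompany') === null) {
            $permission = $auth->createPermission('createCompany');
            $permission->description = 'Create a company record';
            $auth->add($permission);

            // Granting a permission straight to a user works; the usual shape
            // is user -> role -> permission, as in the hierarchy above.
            $auth->assign($permission, 1);
        }

        // Read back what actually landed in auth_item.
        $row = (new Query())
            ->select('type')
            ->from('auth_item')
            ->where(['name' => 'createCompany'])
            ->one();

        return (int) $row['type']; // 2 == Item::TYPE_PERMISSION
    }

    public function actionCreate()
    {
        // The check the question was looking for: no route needed, the
        // permission name is checked directly, as in Yii1.
        if (!Yii::$app->user->can('createCompany')) {
            throw new ForbiddenHttpException('You are not allowed to create companies.');
        }

        // ... create the company here
        return $this->render('create');
    }
}
```

After the setup runs, the permission shows up in the yii2mod pages exactly as a hand-inserted row with the right type would, and `Yii::$app->user->can('createCompany')` returns true for the Admin user (id 1) and false for everyone else until a role carrying it is assigned.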
I can't manage to block user creation using FeathersJS.
I want only authenticated users to be able to create a new user.
I've tried a before hook:
create: [
    auth.verifyToken(),
    auth.hashPassword(),
    gravatar()
],
I've tried to use :
all: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated()
],
but I can still access the signup.html page (I think that is normal because the route is not "blocked") and I can still create a valid new user (that is not normal, I think).
Of course, I'm new to FeathersJS...
What you are doing is correct. The issue is that the user creation from the demo is using a middleware and .create is called from that middleware so the actual call looks like it comes from the server itself. You have two options. Either removing the middleware and moving the new user creation to the client (this is what we will change the new guides to as well) or upgrading to feathers-authentication 1.0 and protecting the endpoint with the new authenticate middleware.
Following scenario:
I have a multi tenant web application in Yii2' advanced template.
This application has three portals:
- backend
- dashboard
- frontend
Each portal has its own user table for authentication.
(-frontend_user,
-dashboard_user,
-backend_user)
The frontend and the dashboard can be reached with the tenant's name at the end, e.g.:
When a user tries to log in to the dashboard or the frontend I have to check whether they have the right to log in.
This happens via a contingency table (e.g. dashboard_user_tenant).
Now I want to build a rbac for the dashboard application.
But roles should not hang on the dashboard user but on dashboard_user_tenant (the contingency table),
because rights can differ in each tenant's dashboard.
Yii2 has its own RBAC system, but as far as I understand it doesn't fit my needs.
Any chances to customize Yii2's rbac or is it better to build my own custom solution? Maybe my own component?
I hope my description is clear enough :)
I had a similar desire in one of my projects, but I didn't create my own full RBAC system; instead I overrode the way the roles are checked.
In my User component class, I extend \yii\web\User and also override the can() function of that class. That lets me use my own way of checking for the appropriate permissions. For example:
<?php
namespace app\modules\users\models;

use yii\web\User as WebUser;
use app\modules\users\models\UserPermissionManager;

class User extends WebUser
{
    /**
     * Same signature as yii\web\User::can(); the permission lookup is
     * delegated to UserPermissionManager instead of the authManager.
     */
    public function can($operation, $params = [], $allowCaching = true)
    {
        // Guests never hold any permission.
        if ($this->getIsGuest()) {
            return false;
        }

        return (new UserPermissionManager())->has($operation);
    }
}
In the UserPermissionManager class, it queries a database table that is full of permissions such as "users:access", "users:edit", etc.
They all have a certain user level assigned to them which relates to the user level I have set in my Users database table.
All the can() function needs to do is return true or false, depending on if this user has the permission to do what it's being asked. You can handle this however you like really.
It's quite a big system to explain fully in one post but I hope it's helped slightly, feel free to let me know if I can explain anything any better!
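A variant of the same idea for the multi-tenant case in the question, as an added example that is neither the answer's code nor part of Yii2: keep Yii2's native authManager and make can() tenant-aware by treating the dashboard_user_tenant row (the contingency table) as the RBAC subject instead of the dashboard_user id. The authManager only needs a string user id for assignments, so the membership row's primary key works as one. The table and column names (dashboard_user_tenant, id, user_id, tenant_id), the component namespace, and resolving the tenant from a `tenant` request parameter are assumptions for the example.

```php
<?php
// Added example: a tenant-aware yii\web\User for the dashboard application.
// Roles are assigned to the dashboard_user_tenant row id, so the same person
// can be "manager" in one tenant and "viewer" in another.
// Assumptions: table dashboard_user_tenant(id, user_id, tenant_id), the tenant
// arrives as the `tenant` request parameter, DbManager is the authManager.
namespace dashboard\components;

use Yii;
use yii\db\Query;
use yii\web\User as WebUser;

class TenantUser extends WebUser
{
    /** The tenant the request is for; null when the URL carries none. */
    public function getTenantId(): ?int
    {
        $tenant = Yii::$app->request->get('tenant');
        return $tenant === null || $tenant === '' ? null : (int) $tenant;
    }

    /**
     * The RBAC subject: the id of the membership row linking this user to the
     * current tenant. Null for guests, for requests without a tenant, and for
     * users who are not members of that tenant.
     */
    public function getMembershipId(): ?string
    {
        if ($this->getIsGuest() || $this->getTenantId() === null) {
            return null;
        }

        $row = (new Query())
            ->select('id')
            ->from('dashboard_user_tenant')
            ->where(['user_id' => $this->getId(), 'tenant_id' => $this->getTenantId()])
            ->one();

        return $row === false ? null : (string) $row['id'];
    }

    /**
     * Same signature as the parent; the check is delegated to the authManager
     * with the membership id in place of the user id. The parent's per-request
     * access cache is bypassed on purpose, because it is keyed only by
     * permission name and would not distinguish tenants.
     */
    public function can($permissionName, $params = [], $allowCaching = true)
    {
        $membershipId = $this->getMembershipId();
        if ($membershipId === null) {
            return false;
        }

        return Yii::$app->authManager->checkAccess($membershipId, $permissionName, $params);
    }
}
```

Wire it in with `'user' => ['class' => 'dashboard\components\TenantUser', 'identityClass' => ...]` in the dashboard config, and assign roles to the membership row rather than to the user: `Yii::$app->authManager->assign($auth->getRole('manager'), $membershipRowId)`. Login still happens against dashboard_user; only the authorization subject changes, which is what the question asked for without replacing the RBAC component.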
I am using the yii2-user module on top of the standard Yii2 advanced demo.
Yii2-user provides its own login function at /user/security/login, and linking directly to that works perfectly.
However, the advanced demo overrides that and directs the call to /user/login, probably using the internal routes, but I can't track down where that is happening.
I need to tell my Yii2 site not to chip in its own login (which I have deleted) and to retain the route to /user/security/login.
The config file is directing the user to the dektrium yii2-user module and it all seems to be working; it's just the default action into the backend page that reroutes to user/login when a visitor is a guest instead of a registered admin.
The backend has its own configuration; you should simply modify the user component's loginUrl in backend/config/main.php.
Inside your backend config.php add one more component:
'user' => [
'loginUrl' => ['user/security/login'],
],
It helped me out in the frontend.
I'm checking if this is a sitecore bug, or if I'm missing something obvious.
EDIT FOR CLARIFICATION: The problem I'm having is that I'm trying to set up the configuration settings in the Domains.config file so that Sitecore shouldn't be creating (and/or returning) an anonymous user for a domain set up this way. However, if I use the Domain.GetUsers() function on the domain, I still get the anonymous user returned.
The membership provider is custom built and connects to LDAP in read-only mode.
Details
Using Sitecore 6.4.1 and given the following domain configuration in App_Config/Security/domains.config
<domain name="DOMAINNAME" ensureAnonymousUser="false" anonymousUserName="" everyoneRoleName="" />
and these comments in that domain.config file
anonymousUserName: <snip> Set to blank to disable the anonymous user for the domain. Optional
ensureAnonymousUser: Indicates if the domain should ensure that an anonymous user for the domain exists in the Membership database. Optional - default value: false
everyoneRoleName: <snip> Set to blank to disable the everyone role for the domain. Optional - default value: Everyone
If I use the following code,
var domain = Sitecore.Security.Domains.Domain.GetDomain(DOMAINNAME);
var users = new List<Sitecore.Security.Accounts.User>(domain.GetUsers());
I get the anonymous user included in the users list. I assumed from the comments in the domain.config file that I shouldn't get the anonymous user if I set up my domain as above.
Is there something obvious that I'm missing?
Just a guess, as I have not used 6.4 yet or tweaked any of those types of settings before... but I believe Sitecore always comes pre-packaged with the Anonymous user in the membership. By setting ensureAnonymousUser to false you're just telling it not to ensure it's there, but it's already there by default. Why don't you try this test:
Set ensureAnonymousUser to true then delete [*] the Anonymous user from the user manager.
Log out and back in and see if it's there again. If so then the "ensure" aspect of that worked. So...
Set ensureAnonymousUser to false then do the same thing. Does the user come back?
This is really just a hunch on how it works -- I don't have an environment like that setup right now to play with, but its worth a shot.
[*] - to delete a user from the User Manager, go to Sitecore > Security > User Manager
I think it's more a question for the membership provider you use. Take a look at the Active Directory Module.
Maybe this is something that could help you.