I'm beginner to yii2, I want to FOLLOW a suggermento Which way to create two users with different capabilities. Can you give me an example of how to create two types of users? Thanks so much
In yii2 for manage the proces for verifying that a user has enough permission to do somethingthere there are ACF and RBAC
ACF Access Control Filter is a simple authorization method implemented and is best used by applications that only need some simple access control.
RBAC Role-Based Access Control provides a powerful centralized access control yet simple to mnanage.
Yii implements a General Hierarchical RBAC, following the NIST RBAC model.
RBAC can be based on PHP files or directly on database table ..
you can find useful info in this guide http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
Please folow yii2 starter kit for reference RBAC config. With feature RBAC with predefined guest, user, manager and administrator roles.
Yii2 starter kit
You can use user roles and give specific permissions to each of roles
Related
I'm about to develop a management web app with Laravel.
I need that my users have different roles with different permission.
In details: some users can add customers, some users can write pieces of a paper related to the customer, some other users can just read that paper and some other users can read just some pieces of that paper.
So I decided to use an RBAC approach in order to gain a certain flexibility.
I'll use this DB schema (just an example schema, but represent the needings of my application):
dbexample
My answer is: since there is a direct relationship between users and paper, customer, attachs etc., how are RBAC rules expressed? I have to check user's permission in frontend when he request an operation or a resource? Or there are ways to express this rules even at backend level? Maybe using some GRANT options?
Hope sby can help.
Thank you!
I would recommend using one of the RBAC packages already available to you, there are a few out there but a couple noteworthy mentions include:
Spatie Permissions
Laratrust
You define roles such as User and Customer, permissions such as can-write-paper, can-read-paper and assign them to either roles or individual users depending on your use case.
I have to provide some functionality that will let me create users with a custom set of permissions by assigning them some combination of existing roles for couchbase.
For example I want to have role X that will be equal to those couchbase roles: query_select, fts_searcher and data_monitoring.
The problem is that I couldn't find way to conclude which roles will be inherited. This is only shown with browser API when you choose Admin or Cluster Admin role, but there are more of those cases.
When I'm creating those roles in Python SDK or using couchbase-cli there is like 0 verification on that, so then even Admin role does not exclude the ones it inherit (see u01).
There is some info in documentation that helps me deal with that but it doesn't cover all of it.
RBAC for Administrators and
RBAC for Applications
Is there any faster way than testing it out manually?
Any help would be greatly appreciated!
How can I make role based access in yii ?
I need to provide features for the users based on the role. I need to give role based access to different users. Any suggestions ?
You can use yiisoft/yii2/rbac module
very easy to use and configure and complete
see
http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
for a brief guide
What is the difference between advanced application and basic application in the Yii framework?
Does they have any differences regarding security?
The following table shows the similarities and differences between the basic and advanced templates:
Source: https://github.com/yiisoft/yii2-app-advanced/blob/master/docs/guide/start-comparison.md
As you can see, the main differences are:
Advanced template supports front- and back-end apps;
Advanced template is ready to use User model;
Advanced template supports user signup and password restore.
There is no difference as the underlying core framework code is the same.
The difference is the structure of the project - the most obvious difference is that advanced one already has a "backend" set-up for you, which you can see for yourself:
https://github.com/yiisoft/yii2-app-basic
https://github.com/yiisoft/yii2-app-advanced
There is no much different.
but you already have administration panel(backend) in Yii 2 advanced application template.
backend and frontend work as separate application while using common models and configuration. you can create your own number of apps under root folder.
lets say you want to create RESTFull API in same project. simply you can create another directory call 'api' same as backend or frontend, and it'll contain folder structure same as backend except assets, views, widgets etc.
you have to decide structure of your project based on requirement.
Setup RESTful API in Yii2(budiirawan)
One of the main differences (other than the folder structure to handle the fontend/backend thing) is that the advanced template has a working user authentication system, whereas the basic has the users hardcoded in the user model. The Advanced template has working SignUp/Forgot Password functionality.
There is no difference in the core framework, the difference between the templates is the folder structure, you have the backend, frontend and the common.
Usually I use the backend to make the admin area, and the frontend to make the user area, but if need you can create another directory to make an api as Chanuka Asanka already said. The commonconfigs will be merged with the backend and frontend config files.
The advanced template as some features like signup, password reset and User model ready to use, besides that you dont have any difference, the core still the same so don't have any security difference.
I am rolling my own blogging system and I am wondering how to determine permissions and implement them in a blogging system?
What should be the permissions for a commenter, a blogger and an admin?
What is the best way to implement them?
You didn't mention what language/framework you're using. Django includes a very useful and complete set of permissions that you can get up and running with. I'd assume that there are a number of other web frameworks that do the same.
Therefore, my advice is to find a web framework that you like and think is fun (this sounds like a personal project after all) that will handle these kinds of things for you.
I'd go with a combination of a decoupled authentication component, that you can ask if the current user has the role X, and if so allow them to do the thing. That way you can leave the specifics of groups and expiry etcetera to the authentication component.
You could combine this with some specialized authentication for your blogging engine, eg. having a list of posters in the blog object, and always allowing those persons to make posts.
Give each user a "privilege" value and store it in the users table in the database.
for example:
0: plain user (can comment)
1: writer (can write new posts and modify his own posts)
2: moderator (accepts/deletes comments)
4: admin (access to all)
Use a combination of serverside sessions and cookies for logins.
For "advanced" user privileges, use bitmasks and create groups.
Bitmasking: for example, using previous values, user level 3 (2+1) would have both writer and moderator privileges.