SonataAdminBundle and ACL Class-scope Permissions - acl

Sorry for my English...
In my project I use ACL with SonataAdminBundle, but I cannot understand why they did it so that you have to create a record in the database, even when I want to use only Class-scope without Object-scope.
Also, when you create, for example, comments, SonataAdminBundle automatically creates an entry in acl_object_identities; this action clutters up the database.
I created a role that has full access rights to all records in a table, regardless of who created the records, but SonataAdminBundle only displays them and prohibits editing.
The documentation for SonataAdminBundle reads:
because the object ACL permission is checked, the ACL for the object must have been created, otherwise the AclVoter will deny EDIT access for a non super admin user trying to edit another non super admin user. This is automatically done when the object is created using the Admin. If objects are also created outside the Admin, have a look at the createSecurityObject method in the AclSecurityHandler.
But why? How can I avoid this?
I do not want to write hooks.
Thank you in advance for any comments and help on this.

You can generate the object ACLs with php app/console sonata:admin:generate-object-acl

Related

Yii2 Rbac not able to add new roles

In my Yii2 project I had previously worked on RBAC and set it up as in the Yii2 docs. Then I worked on different modules, and now I am back on RBAC. Initially I set it up with just sysadmin and staff. Now I want to add a new role alongside the two previous roles. I did that in the auth_item table and assigned the user_id in the auth_assignment table to the newly created role.
In my controller I added the role name for the actions it can access. But it still throws a Forbidden Exception. I tried different things but was unable to make it work.
Any solution for this?
First of all, you should modify the RBAC structure using the provided authManager methods.
After adding new RBAC items manually in the database or files, you need to make sure the cache is not keeping the old data.
Flush the cache manually or call a console method like
yii cache/flush-all

Different databases per user account after login in CakePHP

I want to create separate databases for different registrations.
First I was doing it manually via multiple sub-domains, but now I want it to happen automatically after registration when anyone signs up.
This is what I am thinking of implementing:
First I'll create a common database "user_databases" to store just "user email" and "user database name". So when any user logs in with his email, I will fetch his database name and then verify the login password against the users table of the fetched database.
But the problem is: how will I achieve it?
Should I include the code in database.php in Config, or use $useDbConfig in each model (I don't want to use it for some reasons)?
Are there any better methods for it? Am I thinking right about how to implement it?
Please help and guide.
Database partitioning in CakePHP is now a trivial task because of Cake's event system. CakePHP allows you to talk to its request and response objects early in the app startup process in the form of dispatch filters. markstory has written nicely about this: http://mark-story.com/posts/view/using-cakephp-and-a-horizontally-sharded-database

JasperReports Server permissions doesn't work

I created a new user - 'exampleuser' - and a new role - 'examplerole' - in JasperReports Server version 5.6.
The new user 'exampleuser' has 2 roles: 'examplerole' and 'ROLE_USER', which is attached to the user by default in the JR Server.
For every folder in Jasper I gave 'examplerole' and 'ROLE_USER' the permission Execute only.
According to my understanding, if I log in as the 'exampleuser' user I won't be able to see any folder, and of course won't be able to delete any file inside that folder.
What actually happens is that I'm able to see all the files inside any folder, add and delete files as I wish, and change permissions on the files.
I could not find any information about it - according to the JasperReports Server manual I'm not doing anything wrong, or am I?
The 'exampleuser' doesn't have any permissions on the folder, e.g. the 'NO ACCESS' permission.
And there were no errors in the logs.
Has someone run into this situation before? Is it fixable, or is it some bug of JasperReports Server?
EDIT:
I've found out that this situation happens only in the Google Chrome browser. If I use IE, for example, everything is as it should be.
Anyone? Any idea?
Edit the user (exampleuser) and assign only the new role (examplerole) which you created for the new user; remove ROLE_USER and save.
Now right-click on the folder on which you want to give permission to the new user (exampleuser) and select "Permission"; there you can see all the roles and their access permissions.
Change the permission from No Access to Read Only for examplerole and remove the access from the other roles, i.e. select the No Access option.
After that you need to check the remaining directories for whether they have ROLE_USER access or not; if they do, remove the permission from ROLE_USER, i.e. set it to No Access.

Grails Shiro plugin create read only tables

Why does the Grails Shiro plugin create read-only tables in MySQL for roles and permissions? I create controllers and actions and add them into permissions for the registered role in the BootStrap file. But every time I want to add a new action into the permissions, I must delete the tables and recreate them by rerunning the app. How can I edit the permissions table manually, or maybe I must not create roles and permissions in BootStrap for prod?
Are you sure these tables are read-only? You couldn't even write to them in the bootstrap...
Try to modify them with .save(failOnError:true) and see if you get an error message.
If you don't get an error, post the code with which you try to modify the roles and permissions and I'll help you sort this out...

ColdFusion: Application Options Based on Role?

I understand how to restrict entire pages, or even components, by implementing <cflogin> and roles. For example:
<cfif IsUserInRole("Admin") OR IsUserInRole("Accounting")>
...You can view this page...
<cfelse>
...You can not view this page...
</cfif>
But how is it recommended to restrict certain facets of a page? Say, for example, an "Admin" is allowed to send Global Messages to all users, but that option is not available for a regular "User".
I suppose I could use the Session to manipulate my Views (pages). How is this typically handled?
You're right, securing a page and securing elements are different.
In my opinion and in practice, I think tying any code to a role or user is actually the wrong approach. Instead, tie permissions to elements and pages, then tie roles to those permissions. And of course, users are assigned roles.
It is important to have all three:
Users
Roles
Permissions <-- this is what you're missing
Permissions are what secure elements and pages, not roles or users. Your code should have no clue (because it doesn't need to) what users or roles there are - just names of permissions.
When a user logs in, I grab their role(s). Then I grab all the permissions that are assigned to those roles (simply a list of string values).
For example, on a page I might have:
Add item
View item
Delete item
When I code that page, I actually secure each of those elements with similarly named permission strings (addItem, viewItem, deleteItem).
<cfif listContainsNoCase( session.permissions, 'addItem' )>
<!--- code to add item --->
</cfif>
(Note: I recommend using a custom tag or function for this, but for purposes of an example, the above works fine).
If you do it this way, it provides maximum flexibility and abstraction. If you secure elements based on roles, you limit yourself:
Adding new roles will require a lot of code changes!
Changing permissions between roles requires a lot of code changes!
If you do it as mentioned above, you will never need to change your security code within the code base, because "addItem" permission should always be on the "add item" logic, right? :)
Now if you happen to need to create a "manager" type role, that has all the user roles and a select few admin rights, you simply create that role, and assign it the correct permissions (maybe addItem and editItem, but not deleteItem). Bam! Now I have a manager role to assign to users with no code changes!
If I had sprinkled my code with "is user in this role" type of stuff, I would have to go edit my code everywhere to allow my new "manager" role - yuck!
Make sense?
=)
Things start going awry when businesses like to change the permissions that a role has, often because they don't know how else to give someone rights to do something.
So let's say a user in Marketing wants "update" rights to do some task. Someone in the business gives them the Update permission. But an IT Manager also has "update" rights, which gives him access to things that the Update permission for Marketing should not.
So... I actually go one step further and specify roles that have permissions based on what department that user is in. Yes, it's very complex and very tedious to manage, hence I ended up on this question in my search for a better way to do it.
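As an added example (not code from any of the posts above), here is a Yii2 console command that does what the Yii2 RBAC answer recommends: it creates the roles through the authManager methods instead of editing auth_item by hand, and flushes the RBAC cache afterwards. It also implements the users-to-roles-to-permissions model the ColdFusion answer argues for, since the controller rule checks permission names such as addItem rather than roles. Assumed: yii\rbac\DbManager is configured as the authManager with a cache component, user id 2 exists, and all role and permission names are made up for the demo.

```php
<?php
// Added example, not from the posts. Assumptions: DbManager is configured as
// 'authManager' (with a cache component) and user id 2 exists; the role and
// permission names below are made up for the demo.
namespace app\commands;
use Yii;
use yii\console\Controller;
use yii\filters\AccessControl;
class RbacController extends Controller
{
    // Run with: yii rbac/init
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // demo only: rebuild the whole item tree from scratch
        // Permissions are what application code checks; roles only group them.
        $perms = [];
        foreach (['addItem', 'viewItem', 'deleteItem'] as $name) {
            $perms[$name] = $auth->createPermission($name);
            $auth->add($perms[$name]);
        }
        $staff = $auth->createRole('staff');
        $auth->add($staff);
        $auth->addChild($staff, $perms['viewItem']);
        // A new "manager" role inherits staff and gains addItem but not
        // deleteItem: no controller code has to change to introduce it.
        $manager = $auth->createRole('manager');
        $auth->add($manager);
        $auth->addChild($manager, $staff);
        $auth->addChild($manager, $perms['addItem']);
        $auth->assign($manager, 2); // user id 2 becomes a manager
        // DbManager caches the item tree; a stale cache after manual edits to
        // auth_item is the usual reason a new role still yields 403 Forbidden.
        $auth->invalidateCache();
        $this->stdout("RBAC items created\n");
    }
    // Snippet for a web controller's behaviors(): gate each action by the
    // permission it needs, never by role name ('roles' accepts permissions).
    public static function accessBehavior()
    {
        return ['class' => AccessControl::class, 'rules' => [
            ['allow' => true, 'actions' => ['create'], 'roles' => ['addItem']],
            ['allow' => true, 'actions' => ['delete'], 'roles' => ['deleteItem']],
        ]];
    }
}
```

With this in place, user 2 passes the create rule and is denied delete, and Yii::$app->user->can('addItem') is the equivalent check inside a view.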