Adding ACL to a CakePHP Application - mysql

So I've been working on an application that has woeful access control up till now, and needs a proper solution ASAP. I've added in the CakePHP Auth and Acl components as per the tutorial in the Cookbook, and it all works pretty well, insofar as if I add a user manually, it creates an entry in the aros table appropriately, SHA1-hashes the password appropriately, all the good stuff.
Now for the bit that's proving a little beyond my skill level. We have 1000+ names in a database that need to become Users under the new system. I tried dumping them into the Users table with a MySQL query, but there are two issues:
(1) Doing things this way is not creating entries in the aros table. I'm pretty sure I can rig this up to work given time, but are there any shortcuts I might want to know about?
(2) This is the one that's causing me to scratch my head. When I add a user manually, their password is automagically SHA1-hashed. When I log in from the users/login page, the password I enter is correctly matched to the hashed password in the db, and I get access. However, no matter what I do to the passwords I dumped directly into the database, I can't get the log in page to grant access to them. Initially I hashed them with the MySQL SHA1 function; I understand this may not be a good idea, because Cake sprinkles in extra salt. I tried hashing them through Cake's Security::hash function. I tried letting Cake save each password into the Users table itself, letting it do whatever hashing it wanted behind the scenes without interference from me.
In none of these cases am I able to log in using one of these username/password combos. The passwords look good and hashed, and they match the passwords I'm entering after I apply Security::hash to them. What am missing that will enable me to get this working?

If I were in your position I'd build a Shell to handle doing this for you, that way you can utilize all of the stuff Cake has through that such as automatically adding a new ARO record and using Security::hash to handle the hashing prior to saving the record.

For the record, it wasn't a problem with hashing. I wasn't specifying the usergroup_id at the point of saving (was planning to set it later!). I guess you can't log in with an account that isn't part of a usergroup, even if your username/password combo is correct.

Related

PHP script for front-end management of MySql tables

I'm looking for a PHP script that will allow me to easily manage 'MySql' tables. By managing I mean not their creation but the possibility of adding new records, modifying and deleting them.
It must be possible to specify for each user which tables he will have access to and with which modalities (insertion only, modification only, etc.).
For each user I will also have to specify whether he will be able to see all or some of the columns in the table and with which permissions.
Also I'll need to know who did what, a sort of global change LOG.
My idea was to have a back-end in which I specified the users and how to access the various tables/columns and a front-end for the users.
In the front-end users will be able to add/modify/delete records and data they are allowed and the ability to filter and/or sort the various records.
I know I could use some PHP frameworks or rely on CMS but I have to write a lot of code by hand and it seems hardly credible that such a product is not already available.
Does anyone know if there is something like this?
I had tried starting with PHP frameworks but implementing everything from scratch stopped me.
I expect there is already something available.
Thanks.
Davide.

Best way to store admin credentials on a node/express/react app

I am currently recreating my portfolio, which is powered by a node/express backend. I want to have some pages where I can update/add projects to my portfolio, and I know that I will be the only admin on this site. I want to protect these pages with admin credentials. I think a user table on my database (mysql) is overkill though... is it a good idea to store user/(hashed)pass in process.ENV? I feel like theres a better way.
A database can be anything, text file, sql db, json file, even a variable in your program. A database it's just something which store data.
So, for me, you can without any issues store your credentials in the process.env. The only constraint is that you have to restart your server whenever you wan't to change password and you have to inject yourself the credentials in environement variables.
But if you're already have an sql database in your project, the best way is effectively to use a table User with hashed password. With this method you can change your password without restarting your app (but in your case is this really usefull ?) and if you're adding some users, the system will be already in place (but YAGNI)).

How can I find the phpmyadmin SQL password encryption type?

I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.

How to sign data in MySQL database revision safe (trusted timestamping)?

I am currently planning a project in which revision safety of the database data is important. This means: we want to be able to proof that the data in the database was not tempered with since it was imported - no user changed the value, no db admin logged into the database and changed it.
What is the best way to achieve this?
Till now, I like the idea of signing the database row best: I create a MD5 hash of all the fields in the row, then send it to a timestamping signing server (have a look on wikipedia) and store the created signature with the row. From this time on, we can prove that no one changed the row since this stamp was created.
Any better ideas? And, if you like the idea as much as I do, what timestamp server should I use and how can I access it? The Verisign Timestamp Server seems to be used a lot, but I could not find any documentation on how to use it "raw", e.g. without the Microsoft code signer tools etc.
Thank you!
Time stamp servers are usually not free-to-use.
Alternatively you may use an HMAC-MD5 (or HMAC-SHA1) instead and use a password that is only known to the authorized user. The password is of course not directly used, better via PKCS#5 or at least hashed with a seed. Without the password noone can verify or recreate the HMAC-MD5

Is there any way to identify a unique user in Flash/Actionscript 3?

I'm trying to make a vote/poll application in Flash using Actionscript 3. Is there any way to generate a specific ID that is unique to each user?
The only other option I can think of is using the IP address, which is less than ideal in many cases (college campuses, shared Internet access, etc.).
It needs to be the same number every time it is run on the same PC, but different for each user.
You have two options:
1) A Remote Shared Object, which is a fancy way to say a Flash Cookie, which will remember the browser every time.
Alternately, you can set up some sort of back-end login system (since you want unique to every user, even on the same computer, this sounds like what you'll have to do). This is more than just flash - you'll need to integrate with a server-side scripting language like PHP (integration is easy with AMFPHP or ZendAMF, I believe you can find some tutorials on http://www.gotoandlearn.com) and handle your user stuff there.
You're going to have to wire this up to some sort of login - there has to be a way for users to identify themselves, or the whole thing is pointless.
If I were you I'd put a login screen first, tie to a PHP back-end and use cookies to remember that you have someone logged in - but give them the option to log out. Then you simply associate the logged-in user with some sort of unique key - like the user index in a MySQL database - and you're all set.
Depending on how comfortable you are with technologies beyond flash that may either sound simple or complicated, but it really shouldn't take you too long. If you don't know anything about PHP or MySQL you can google "PHP User Login" and that should get you started. Let me know if you have any specific questions!