How to automatically set new accounts as contributors in Oracle Apex - oracle

I made an app and created an authentication scheme that creates an account every time a new employee is inserted. Now I'm looking at how to set all new users as contributors. I found this PL/SQL code somewhere.
IF v('APP_USER') = 'username' THEN
    apex_util.set_session_state('F_IS_ADMIN','Y');
END IF;
Now I don't know how to specifically say "all the accounts", but I came up with something:
IF v('APP_USER') IS NOT NULL THEN
    apex_util.set_session_state('F_IS_CONTRIBUTOR','Y');
END IF;
I know it's probably wide of the mark, as I'm having trouble understanding what 'F_IS_ADMIN' is and where it comes from, but this is the best I can do at the moment (newbie). Does anyone have any idea how to do this, and whether I went in the right direction or not?
And where do I stick this code? In the authorization scheme or in the authentication scheme?
All help and pointers very much appreciated!

First of all... what is the code you posted supposed to do? It is setting an application item to control authorization - it doesn't have anything to do with the "Contributor" role you are talking about. Controlling authorization with application items isn't a good practice. Don't blindly copy code. Instead, try to understand what it does and then implement your own version of the code you use as a basis.
Now to answer your question. There are a couple of possible solutions (only one needs to be selected - pick your favorite and test first on a copy of your application):
If you insist on the user having the actual role, then you can immediately grant the role to the user when the new account is created by invoking this API.
But... if all users need the "Contributor" role - that just means that any user needs to access components that are currently protected by the "Contribution Rights" authorization scheme. Just remove that authorization scheme altogether and all those components will be unprotected.
If the option above scares you, then it's also possible to modify the "Contribution Rights" authorization scheme so it always yields true. That has the same effect as every user having the role. To do so, edit the "Contribution Rights" authorization scheme:
Scheme Type: PL/SQL Function returning Boolean
PL/SQL Function Body:
    RETURN true;
A similar question was asked earlier this week: How to automatically assign USER ROLES in Oracle Apex

Modifying graphical elements with PL/SQL - Oracle Apex

I am currently trying to migrate Forms applications developed ten years ago to Oracle Apex. For some context, the database in which the Forms applications are currently running is Oracle EE 6i, and it will soon be upgraded to 12.2g, hence the need for migration. The data stored within the tables is too big to migrate (like 4 TB), so we need an alternative to Forms, but we cannot change the DB and cannot keep Forms (which is, let's be honest, a little outdated). I am currently on Oracle XE for my tests and on Apex 20.2.0.00.20 to start my migration (before upgrading).
The thing is, I have some issues with how Apex and Forms are working differently.
I have been really stuck on the following issue since starting my migration:
In Forms, it was really easy to change the color of a button, for example, by calling a Forms method in a certain way depending on a condition (for example a SELECT result). Here, in Apex, I am trying to do the same.
I know that there are ten other ways of doing the same, with JS for example, which I have already successfully done, but when I tried to create my second application I realised that, compared to Forms, Apex cannot reference/generalise parts of the code (or applications) for different applications (and certainly not for different workspaces). So Javascript is a good solution but not as efficient as PL/SQL, which is easier to generalise and will (in my opinion) use less exchange between the db and the client, since it is stored on the db.
That is why I decided to rely on PL/SQL stored procedures, which will be specified in the database and called directly in each application where I need the process/computations. But I cannot find the same as in Forms, with my graphical methods helping me do what I need.
I am open to alternatives to PL/SQL packages/procedures/functions if they can keep the same properties (generalisation and minimum exchange between client and db). These are important points since I have around 200 applications to migrate, starting with what we can call 'bricks', which will compose the other, simpler applications.
Btw: CSS is an option I studied, like HTML with PL/SQL dynamic content, but I read that it was either not simple enough to integrate, or that it could be deprecated, so if it is the solution you are using, I could use a really detailed explanation or an example.
To give you an instance:
I click on a button triggering a PL/SQL stored procedure
Procedure checks some conditions in the db (like if a process is currently running)
PL/SQL update a table, change a variable in procedure and returns 'green'
The button becomes green, a message is displayed ('You have permission to do this!')
PS: if there are Apex methods that modify the graphical aspect, could I have some documentation?
Thank you a lot for helping me resolve this issue, I have been stuck for days...
I tried Javascript but the generalisation was too much of a problem. I tried the HTML injecting but it didn't work, I tried updating CSS but it was not what I expected. I tried different PL/SQL methods but couldn't find a way to connect PL/SQL with Apex/CSS/HTML...
It takes a bit of getting used to how APEX works, but everything can be done, and once you get up to speed, you'll find there are pretty simple ways to get things done. To achieve what you describe, this is what you'd do.
Create a dynamic action on click of button
Add the following actions to the dynamic actions
an action of type "execute pl/sql". This is your "Procedure checks ...". In this pl/sql code you can set page item values (make sure to reference those in "items to return" so the new values are set in the session). There is no reason to have 2 different pl/sql procedures, you can just put them in 1 block. This procedure would return the "green" - but more about this later.
an action to add a class to the button under certain conditions.
Note that the "green" is not something you should decide. In apex, there are a lot of layout modifier classes pre-defined. In your case, it makes sense to use the "success" modifier (which happens to be green).
To check how you want the button to look, there is a tool called the "button builder", you can use that to see what classes you should add/remove to change the look of the button.
Note that 20.2 is not a recent version. It was released in 2020. Since then 4 more releases have been made available: 21.1,21.2,22.1 and 22.2. It is advised to be on the latest version.
Here is a basic example. I have a page with a select list (P117_SELECTLIST), a hidden item to hold the button status (P117_BUTTON_STATE) and a button (MYBUTTON). The select list has 2 static values:
The dynamic action for the serverside code is:
Note the items to submit and return values. P117_SELECTLIST is submitted so the pl/sql process picks that up from the client and P117_BUTTON_STATE is returned to the client so it is available for any future use.
Then I have 4 actions to set the button style. One to add the success class, one to remove the success class, one to add the warning class, one to remove the warning class. Below is the first one. The only thing different in those 4 actions is the class name and the client condition. It can probably be done with javascript directly as well with only 1 action.
I'd strongly suggest updating the db version to a version that supports the latest version of apex. It will save you a lot of development worries. Most people on forums only have the latest version available.

Nested complicated ACL in Laravel

I'm using spatie/laravel-permission as the ACL system in my project. It's good.
I'm adding payment/accounting/invoices to my project, and at this level there is another ACL needed on the users' work.
For example, user A has feature F1 as our service. For one month he/she can use all sections in F1. After that, some features in F1 are limited until a new invoice is paid by the user.
So in my controller's edit method I use authorizeForUser just at the user ACL level. Now I should add another ACL on the F model, like authorizeForF(F1->id)?!
Another problem is that this is very complicated, and if I forget to add this, I miss some money!!
I have a solution:
Seed a table saving all URIs and methods (with a foreach over Route::getRoutes()) as unique rows and assign a score to each of them (default 0). In a route middleware, analyze every request URI and compare it with the score (for example, the URI is /profile/advaence and the administrator assigns score 2 to it).
If the URI has a score greater than zero, the user's account will be checked to continue, or redirected to payment if needed.
This gives the website administrator the ability to assign each URI a score, and the developer has no responsibility for that.
I'm just worried about the URIs, because administrators usually don't understand them easily. So I need another seed for some URIs to explain them with a title.
Is it good?
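One way to implement the route-score middleware sketched above, as an added example in PHP (not the poster's code). The `route_scores` table and its columns, the route names `login` and `payment.show`, and the `hasUnpaidInvoice()` method on the user model are assumed names:

```php
<?php
// Added example (not from the original post): Laravel middleware that looks up
// a per-route score and gates paid features. Assumed schema: table
// `route_scores(method, uri, score)` seeded from Route::getRoutes().
// Assumed user-model method: hasUnpaidInvoice() (placeholder name).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class CheckRouteScore
{
    public function handle(Request $request, Closure $next)
    {
        $route = $request->route();

        // Key the lookup on the matched route *pattern* (e.g. "profile/{id}")
        // plus HTTP method, not on the raw path: trailing slashes, query strings
        // or parameter values in the raw path would otherwise miss the seeded row.
        $score = (int) DB::table('route_scores')
            ->where('method', $request->method())
            ->where('uri', $route ? $route->uri() : $request->path())
            ->value('score');   // null (unseeded route) casts to 0 = free

        if ($score > 0) {
            $user = $request->user();

            // Fail closed: a scored (paid) route is never reachable anonymously.
            if ($user === null) {
                return redirect()->route('login');
            }

            if ($user->hasUnpaidInvoice()) {
                return redirect()->route('payment.show');
            }
        }

        return $next($request);
    }
}
```

Register the class in the `web` middleware group of `app/Http/Kernel.php` so every route passes through it without per-controller code; because unseeded routes score 0, re-run the seeder whenever routes are added.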

How to work with not (yet) registered devise Users

I have a User model, for login and registration, its email field is used (everything vanilla from the devise gem).
I want (other) users to be able to e.g. add Users to a team, with the email-address as the identifier.
That is fine when the User is already existing (pseudo #team.users.add(User.find_by(email: other_users_email))) but I am unsure how to handle situations where the user does not yet exist (did not [yet] register).
When a (new) User sets up a new account, for the example above, after successful registration current_user.teams should show up correctly.
I do not want to force these potentially new users to use the system (e.g. using devise_invitable) and bother them with an email.
I followed the path of creating the User when a user with the given email does not yet exist, but then when the user actually tries to setup an account, it fails (email not unique).
Alternatively, I could remodel the TeamMember part and let it optionally store either an email address or the reference to an existing User. Then what I would need is to check for "open" TeamMembers directly after User account creation (so, TeamMembers with the given email). I could also do this on each request, but that looks too expensive to me. There might be race conditions, but I could live with that (and check for the every-now-in-a-millennium gap with a cron job).
Any pointers? I am sure this is not that unusual.
I'd do this:
When a user A adds user B to a team by email, create the object for that user B, but set a flag, something like auto_created_and_inactive: true
When user B signs up on the site, you just have to handle this in your users#create: first, try to find an auto-created record and update it (set a password or whatever; also reset the flag). Or otherwise proceed with the usual route of creating a new record.
I have to admit that I have not yet tried #sergio-tulentsev's approach (implement RegistrationController#create). But to complete what I sketched in my question:
The User model can define an after_confirmation method, which is called after ... confirmation! So, if I store every piece of information about a potential user with a reference to his/her email address, once he/she has registered I can query this information and e.g. complete Team Memberships.
# app/models/user.rb
def after_confirmation
  # (pseudo-code, did not try)
  # Attach the still-open memberships that were created for this email address
  # (assumes TeamMembership has email and user_id columns and an "open" scope).
  TeamMembership.open.where(email: email).update_all(user_id: id)
end

Extending ion auth to only allow registrations from certain email addresses/domains

I want to extend Ion Auth to only allow certain email addresses to register.
I'm fairly sure I could hack this together and get something working, but as a newbie to codeigniter and ion auth I wish to find out if there is a "proper way" to be doing what I need?
For instance can I "extend" ion auth (so I can update ion auth core files without writing over my changes?).
I noticed there are also hooks including this one (in the register function):
$this->ci->ion_auth_model->trigger_events('pre_account_creation');
Where do these resolve and can I use this one in order to intercept registrations from email addresses which don't match a list of those I wish to register?
If so, how would I do it? I would need access to the $email variable from the register() function.
Or is it just a case of altering the base code from ion auth and not updating it in the future?
Thanks for any help you can give me. Don't worry about the email bit, I'm capable of working out whether an email address matches the required email domains, I'm more interested in what is the best way to go about extending the library.
Tom
EDIT: Hi Ben, thanks for your answer, and thanks for taking the time to have a look at my issue. Unfortunately this hasn't helped.
I guess what you're trying to do there is add a "where in" clause to the SQL query? I guess that the where in bit is incorrect as there isn't a column name.
Also, at this point I can't modify the SQL query satisfactorily to produce the required output. E.g. I can add a hook to a function which is literally $this->db->where('1=1') and this outputs this SQL in the next query:
SELECT COUNT(*) AS `numrows` FROM (`users`) WHERE `1=1` AND `email` = 'rawr#rawr.com'
The AND email = 'rawr#rawr.com' bit will always still return no rows. It should be OR email = 'rawr#rawr.com', but without editing the Ion Auth core code then I won't be able to change this.
I am starting to suspect (from the last couple of hours of tinkering) that I may have to edit the ion auth core in order to achieve this.
Check out this example: https://gist.github.com/2881995
In the end I just wrote a little form_verification callback function which I put in the auth controller of ion_auth which checked through a list of allowed domains. :)
When you validate your form in the auth controller you add a callback:
$this->form_validation->set_rules('email', 'Email Address', 'required|callback_validate_email');
You create a method in the controller called validate_email:
function validate_email() {
    // Note: strpos() only checks that the text occurs somewhere in the address;
    // it does not verify that the address actually ends with the company domain.
    if (strpos($this->input->post('email'), '@mycompany.com') === false) {
        $this->form_validation->set_message('validate_email', 'Not official company email address.');
        return false;
    }
    return true;
}
This will cause the creation of the user to fail, since all rules must pass. You also provide an error message. Just make sure to have this line on the form view side:
    echo validation_errors();
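The callback above matches the domain as a substring anywhere in the address, so it does not prove the address belongs to the company domain. The following is an added example (not from the original answer) of a stricter allow-list check that the same validate_email() callback can delegate to; the function name and the allow-list contents are assumptions:

```php
<?php
// Added example, not part of the original answer: validate the address, take the
// host part after the last "@", and compare it exactly (case-insensitively)
// against an allow-list instead of searching for a substring with strpos().

/**
 * Return true only when $email is a syntactically valid address whose domain
 * is exactly one of $allowedDomains.
 */
function email_domain_allowed(string $email, array $allowedDomains): bool
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Everything after the last "@" is the domain. Addresses with a second
    // unquoted "@" are already rejected by filter_var().
    $domain = strtolower(substr($email, strrpos($email, '@') + 1));

    foreach ($allowedDomains as $allowed) {
        if ($domain === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed test inputs (assumed allow-list). The substring check accepts the
// fourth address because "@mycompany.com" occurs inside it; this function does not.
$allowed = ['mycompany.com', 'subsidiary.example'];
foreach ([
    'tom@mycompany.com'                  => true,
    'Tom@MyCompany.COM'                  => true,
    'tom@subsidiary.example'             => true,
    'tom@mycompany.com.attacker.example' => false,
    'tom@notmycompany.com'               => false,
    'not an address'                     => false,
] as $input => $expected) {
    assert(email_domain_allowed($input, $allowed) === $expected);
}
```

Inside the CodeIgniter callback this becomes `return email_domain_allowed($this->input->post('email'), ['mycompany.com']);` with the same set_message() call on failure.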

Modifying view based on ACL in CakePHP

I want to be able to show or hide certain elements in a view based on ACL. For instance, if a user is looking at my Users/index view, I don't want to show a 'Delete User' element if he doesn't have permission to delete users. If he does have permission to edit users, I do want to show a 'Edit User' link.
I can hack this together, but being very new to Cake I'm hoping that there is an elegant solution. The best I've done involves keeping logic in two places, so it's hell to maintain.
Thanks!
I know this is an old question now but for anyone looking for a way like I was...
In AppController::beforeFilter you can assign the ACL component to a view variable and then use it in your view:
$this->set('user', $this->Auth->user());
$this->set('acl', $this->Acl);
And then in your view just use it like this:
if ($acl->check(array('User' => $user), 'controllers/groupd/admin_delete')) {
    // render the "Delete" link only when the ACL check passes
}
This isn't necessarily the most correct way to do it, but it does work nicely.
There is no generic "elegant solution" :) I've always wanted to make such a thing as well. Anyway, here is how you could do it:
Override the Html Helper in your app directory - make a copy from /cake/libs/views/helpers/html.php to /app/views/helpers/html.php and make some changes in the Html::link function.
For example, you can check if the url contains the action edit or delete.
The other part is to pass the proper parameters from the controller. In AppController::beforeFilter you can read the rights of the user (it's better to cache them) and pass them in a special Auth variable to the View.
So when you have the rights in your View, it's easy to modify the link. :)
As I said, I haven't done it in a real example, but this is the way I would do it.
There is 1 bad point in that - if the original Html helper is changed, yours will remain the same. But I believe that the Html helper is mature enough, so for me it is not a big issue.
I do it like this in app_controller.php, although you could just as well do it in specific controllers. The view variables $usersIndexAllowed and $configureAllowed are then used in conditional statements in the view.
function beforeRender()
{
    // Default to "not allowed" so both view variables always exist
    $usersIndexAllowed = false;
    $configureAllowed = false;
    if ($this->layout == 'admin')
    {
        $user = $this->Auth->user();   // the logged-in user (ARO) to check
        $usersIndexAllowed = $this->Acl->check($user, "users/index");
        $configureAllowed = $this->Acl->check($user, "siteAdmins/configure");
    }
    $this->set(compact('usersIndexAllowed', 'configureAllowed'));
}
In case you don't want to mess around with overriding core helpers and you want a more automatic way of checking (without hard-coding user group names and users or setting separate link-specific variables) here's my suggestion:
Store all user permissions as session vars when the user logs in (clear on logout) and create a permissions helper to check if logged on user has permissions for a specific action.
code and example here
hope that helps
There's multiple approaches to this scenario. As Nik stated, using a helper to do the checks for you is a quick way to "outsource" the logic and centralize it for ease of use.
Actually, have a look at the AclLinkHelper - it does exactly what you're looking for, however restricted to links only.
