Supabase update endpoint not working with authenticated users - supabase

I'm testing the Supabase RLS policies, and when I try to update a store with an authenticated user I get a 404 error.
But when I try to use insert it works, even though the policy rule is the same!!

An insert policy only applies to a new row. You would probably need to create a separate update policy for your table.
This specific discussion might point you in the right direction:
https://github.com/supabase/supabase/discussions/3476
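The separation the answer describes, as an added example that is not part of the original thread: one policy per command on a Supabase (PostgreSQL) table. The table name `stores`, the `owner_id` column and the policy names are assumptions; `auth.uid()` and the `authenticated` role are Supabase's built-ins.

```sql
-- Added example: a table that an authenticated user may insert into
-- and, only with the extra policies below, update. The "stores" table
-- and its "owner_id" column are assumptions for this illustration.
create table if not exists stores (
  id       bigint generated always as identity primary key,
  owner_id uuid not null default auth.uid(),
  name     text not null
);

alter table stores enable row level security;

-- An INSERT policy has only WITH CHECK: it validates the new row and
-- says nothing about rows that already exist.
create policy "owners insert their stores"
  on stores for insert to authenticated
  with check (owner_id = auth.uid());

-- UPDATE ... WHERE reads existing rows, so SELECT policies apply to
-- the lookup as well. Without a SELECT and an UPDATE policy every
-- existing row is filtered out and the update silently matches zero
-- rows; the client then sees an empty result or an error.
create policy "owners select their stores"
  on stores for select to authenticated
  using (owner_id = auth.uid());

-- USING decides which existing rows may be updated; WITH CHECK stops
-- a user from re-assigning the row to another owner in the same
-- statement.
create policy "owners update their stores"
  on stores for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());
```

With only the insert policy in place, the same user can create a store but an `update stores set name = 'x' where id = 1` issued as that user affects no rows, which is the asymmetry the question observes. Keep the `with check` clause on the update policy: without it an owner could move a row out of their own scope by changing `owner_id`.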

Related

No permission for custom backend role in Opensearch dashboard (kibana)

I have OpenSearch running with Keycloak as OIDC provider, and I get this 403 error after logging in to OpenSearch:
{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=demo.demo, backend_roles=[kibana_second], requestedTenant=null]: security_exception"}
By default we have the "kibana_user" role, which has "kibanauser" as backend role. If my OIDC user "demo.demo" has the "kibanauser" role attached to it, everything works fine and this user has permission to see dashboards, Discover and index patterns.
User [name=demo.demo, backend_roles=[kibanauser]..]
But this role is dangerous to assign to every user, because the user can delete an index pattern or change the global settings. I want to have a role only to view dashboards and Discover. As a first step, I also duplicated the "kibana_user" role with the new name "kibana_user_copy" and mapped it to the new backend role I created, "kibana_second". The backend role was also attached to my user in the OIDC provider. Meaning:
User [name=demo.demo, backend_roles=[kibana_second]..]
So far so good. Now, as you see in the error, my "demo.demo" user has the new backend role, and it has all the permissions that "kibana_user" would have (because "kibana_user_copy" is a duplicate of "kibana_user"). What I'm wondering about: all permissions are the same, only the backend role is not the predefined "kibanauser". But it doesn't work, and I see only blank pages for dashboards and Discover (403).
Has anyone an idea, what is missing here?
Thanks in advance
The issue was solved by adding tenancy to this duplicated role.

AWS Amplify Graphql Creating a new User table, necessary?

I'm fairly new to Amplify and been playing around with it for a couple of weeks now. I've been incorporating it into Next.js, which is pretty nice.
I originally created a new User table/record using a Lambda function: after a user signs up and confirms their email, it should automatically create a new record in the User table with some information. I only did this because I thought Amplify only provided a few attributes, but only recently I found out that you can pretty much create custom attributes.
So, because of this, would there be an argument to create another User table? I would like to know how people are handling User information in big applications.
I guess one thing I can think of is making relationships with other tables. I haven't gone too far into figuring this out, but is it possible to still make connections if I don't have a User table in my GraphQL schema?
Yes, I have the same issue and was thinking of having a Users table where I enable owner authorization. This owner-based authorization allows you to tie a data record to a user. Owners can read, create, update, and delete the record.
Allow the owner to perform these operations on their own records:
Create
Read
Update
Delete

Laravel 7: Disable login & autologin (remember_token)

I want to be able to disable certain users in my Laravel 7 app. I therefore created a column "active" in the "Users" table, and when it is set to active = 0 the user isn't able to log in anymore.
The issue I have is the "Remember Me" function, since already logged-in users still have access to the app after I disabled their accounts, because they don't have to pass the login form.
Will deleting the "remember_token" in the "Users" table have any effect on this? I tried this with a user (deleted the user's remember_token in the table) but it had no immediate effect, since autologin still worked after that. But maybe I'm missing something here.
Additional Info: I'm using Laravel Passport for authentication.
I decided to go with the middleware solution, as I didn't want to reduce the overall SESSION_LIFETIME.
I created an extra middleware called "VerifyUserState", because I didn't succeed in reading the user's "active" value via Auth::user() or $this->auth inside the authenticate/handle function in the Authenticated.php middleware.
I followed this tutorial to achieve this:
https://www.itechempires.com/2019/08/how-to-create-configure-and-use-custom-middleware-in-laravel-5-8/
Now it works as needed.
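A middleware of the kind the answer describes, as an added example that is neither the poster's code nor the linked tutorial's. It assumes Laravel 7 with the default `web` session guard, the `users.active` column from the thread, and a route named `login`; the class name `VerifyUserState` is taken from the answer, the middleware alias `active` is an assumption.

```php
<?php
// Added example, not the original poster's code. Assumes a users.active
// integer column (0 = disabled) and Laravel 7's default "web" guard.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class VerifyUserState
{
    /**
     * Reject every request from a deactivated account, whether it arrived
     * through a live session, a remember-me cookie or a Passport bearer
     * token. Checking on each request is what closes the gap left by a
     * session that was established before the account was disabled.
     */
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        if ($user !== null && (int) $user->active === 0) {
            if ($request->expectsJson()) {
                // API clients (Passport) get a clean 403 instead of a redirect.
                return response()->json(['message' => 'Account disabled.'], 403);
            }

            // Browser session: logout() also cycles remember_token and clears
            // the recaller cookie, so the remember-me path dies with the session.
            Auth::guard('web')->logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->route('login')
                ->withErrors(['email' => 'Your account has been disabled.']);
        }

        return $next($request);
    }
}

// Registration (app/Http/Kernel.php); the alias "active" is an assumption:
//   protected $routeMiddleware = [
//       // ...
//       'active' => \App\Http\Middleware\VerifyUserState::class,
//   ];
// Apply it after 'auth' so $request->user() is already resolved:
//   Route::middleware(['auth', 'active'])->group(function () { /* ... */ });
```

The per-request check is what makes the `active` flag bite immediately; clearing `remember_token` on its own only stops future remember-me logins, it does not touch a session that already exists. When an admin flips `active` to 0 it is also worth revoking the user's outstanding Passport access tokens (`$user->tokens` with `revoke()` on each), since bearer tokens never pass through the session at all.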

How to view if an account is enabled/disabled, locked/unlocked in LDAP ODSEE

I am trying to modify accounts in LDAP (ODSEE) from SailPoint. When I view the attributes of the account in LDAP using a browser, I don't see any attributes that suggest whether an account is enabled or disabled.
How can I find out an attribute of an account that carries information as to whether an account is enabled/disabled, locked/unlocked?
Do I then update my provision policy in SailPoint to include these attributes and update the values to perform the operation in LDAP?
I am fairly new to this and I am stuck so any help would be immensely appreciated.
The attribute traditionally used to lock an account in Oracle is nsaccountlock (ns stands for Netscape). Check if this attribute exists in your LDAP schema, and create it otherwise.
src: https://docs.oracle.com/cd/E19225-01/820-6551/bzaoe/index.html

Laravel Lighthouse Sanctum role-based tokens, best practices and security

Together with #spawnia and #lorado we are creating some examples for Laravel Lighthouse, and we have some different opinions on Sanctum role-based security practices.
Can you please review my following statement and tell me if I am wrong about what is the best way to move forward.
My idea:
Now for the tricky part: once I create a login mutation, I need to verify that the user has the corresponding role and generate a token ability based on that check, also when the app goes offline or enters PWA mode.
I need to revoke any tokens with:
create
delete
update
I couldn't find in the docs any solution to this problem, which is a real-world necessity.
I can only leave the show and index abilities active.
What I am thinking:
Create a custom arg resolver for the mutation, somehow bring in the middleware and generate a token based on roles.
Bad idea: to store the role within the token.
Thanks for any insight into this.
Aren't those tokens cryptographically signed in order to be tamper-proof?
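The approach sketched in the question (derive token abilities from the role at login, keep the role itself out of the token), as an added example that is not code from the Lighthouse or Sanctum projects nor from any thread participant. It assumes a `users.role` string column (hypothetical), Sanctum's `HasApiTokens` trait on `App\Models\User`, and a Lighthouse mutation wired to this resolver class; the ability names are assumptions.

```php
<?php
// Added example, not the projects' own code. Assumes a users.role column
// (hypothetical) and Laravel Sanctum installed on App\Models\User.

namespace App\GraphQL\Mutations;

use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

final class Login
{
    /**
     * Server-side map from role to token abilities. The role is never
     * placed in the token: Sanctum stores abilities in the
     * personal_access_tokens table and hands the client an opaque random
     * string, so nothing the client holds reveals or encodes the role.
     * Ability names are illustrative.
     */
    private const ABILITIES = [
        'viewer' => ['store:index', 'store:show'],
        'editor' => ['store:index', 'store:show', 'store:create', 'store:update'],
        'admin'  => ['store:index', 'store:show', 'store:create', 'store:update', 'store:delete'],
    ];

    public static function abilitiesFor(string $role): array
    {
        // Unknown roles fall back to read-only rather than failing open.
        return self::ABILITIES[$role] ?? self::ABILITIES['viewer'];
    }

    /** Lighthouse calls the resolver with the parent value and the mutation args. */
    public function __invoke($_, array $args): array
    {
        $user = User::where('email', $args['email'])->first();

        // One generic message: do not reveal whether the e-mail exists.
        if ($user === null || ! Hash::check($args['password'], $user->password)) {
            throw ValidationException::withMessages(['email' => 'Invalid credentials.']);
        }

        // Drop earlier tokens so a user whose role was downgraded cannot
        // keep using a token issued under the old, wider ability set.
        $user->tokens()->delete();

        $token = $user->createToken('graphql', self::abilitiesFor($user->role));

        return ['token' => $token->plainTextToken];
    }
}
```

On the protected side the check is `$request->user()->tokenCan('store:update')` in the resolver, or Sanctum's `abilities:store:update` route middleware; a viewer's token simply lacks the write abilities, so nothing needs to be decoded from it. Revoking the write abilities later (the offline/PWA case in the question) is a server-side operation on the stored token row, which is the reason not to bake the role into the token string itself.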