Parse JS - how to get list of ACLs user has access to? - parse-platform

I have used the Parse JS API to set up Roles and Objects.
I have secured those Objects with ACLs for the Roles.
I have attached Users to the Roles in the _Users relation.
... but I can't find any API method in the JS client library's Parse.User class to list the roles that a User is related to.
Am I supposed to approach it the other way round and look through all Roles and filter those that have a relation to my user? I would have thought there was a method on the user object for it.

Yes. You will have to create a Cloud Code function to search the roles. Something like this:
Parse.Cloud.define('getCurrentUserRoles', ({ user }) => {
  // Reject anonymous calls instead of querying with an undefined user.
  if (!user) {
    throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Login required');
  }
  // Roles are normally not readable by clients, so the lookup runs with the
  // master key on the server; only the caller's own roles are returned.
  return new Parse.Query(Parse.Role)
    .equalTo('users', user)
    .find({ useMasterKey: true });
});

Related

Laravel advanced middlewares

I'm using this line in some controller's __construct:
$this->middleware('auth');
This results in every user who is not logged in being redirected to the login page. That's fine, of course, but there is a problem.
I have two groups of users. In the database I have a column called "role", which is boolean: 0 means basic user and 1 means admin. How can I arrange that access to some controllers is allowed only for admins? I really don't know how to do that in a clean way.
You can pass things to the middleware, like
$this->middleware('auth:1');
Now in the middleware you can check to see if the authenticated user has a role that you passed (in the example, 1). If they don't have the role that you require, then you can redirect them to the login screen or however you want to handle it.
You can use the following code to get the authenticated user and then write custom logic:
if (Auth::user()->role == 0) {
    // you are a basic user
} elseif (Auth::user()->role == 1) {
    // you are an admin
}
You can also use Gates and Policies for this type of work.
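Laravel's built-in auth middleware reads its parameter as a guard name, so a role check is best kept in its own middleware. The following is an added example (not code from either answer) of a parameterised role middleware; it assumes the integer "role" column on the users table described in the question and a route alias named "role".

```php
<?php
// Added example: a Laravel middleware that takes the required role as a
// parameter, used as $this->middleware(['auth', 'role:1']).
// Assumes users.role is 0 (basic) or 1 (admin), as in the question.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class EnsureRole
{
    public function handle(Request $request, Closure $next, string $role)
    {
        $user = Auth::user();

        // Not logged in at all: send the caller to the login page.
        if ($user === null) {
            return redirect()->route('login');
        }

        // The route parameter arrives as the string "1"; compare as integers
        // so "1abc" or "01" cannot slip past a loose string comparison.
        if ((int) $user->role !== (int) $role) {
            // Authenticated but not authorised: a 403 is the honest answer,
            // a login redirect would suggest signing in again might help.
            abort(403, 'This area is restricted.');
        }

        return $next($request);
    }
}

// Register the alias in app/Http/Kernel.php ($routeMiddleware, or
// $middlewareAliases from Laravel 10):
//   'role' => \App\Http\Middleware\EnsureRole::class,
// Then in an admin-only controller constructor:
//   $this->middleware(['auth', 'role:1']);
```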

Limit api GET request depending on user id/token - Django Rest Framework

I want to return a list of files linked to a User in my database through REST.
For example, return response for user with id of 1 through:
http://localhost:8000/api/files/1/ --> {"file info 1", "file info 2", ...}
However, what I want to ensure is that OTHER users cannot access the above information, since their ID is not 1, i.e. if another user has an id of 2, the above URL should respond with Permission Denied.
I understand that DRF has the IsAuthenticated permission, however this lets ALL logged-in users potentially access other users' file information.
What is the best method to achieve this?
If you are using a DRF generic detail view, you could override get_object() and add the check there:
from rest_framework.exceptions import PermissionDenied

def get_object(self):
    user = super(ViewClassName, self).get_object()
    # Only the owner may read their own file list; anyone else gets a 403.
    if self.request.user != user:
        raise PermissionDenied
    return user
A DRF View has a "permission_classes" property. It would be better to block this request with a permission class.

Is it better to handle logged in user data server-side or client-side?

I'm building a stateless REST-based app with JWT auth. I can get (the question relates to GET requests) all of a user's posts by implementing a variable server-side that takes an ID parameter passed from the client:
http://example.com/api/v1/posts?user_id=1
$q = $q->where('user_id', '=', $data['user_id']);
Or, I could check the user ID server-side and create a new route to get only the logged-in user's posts:
http://example.com/api/v1/me/posts
$q = $q->where('user_id', '=', Auth::user()->id);
When would I use each approach and why?
This will depend on the level of access that you want to give a user to Post resources.
The first approach gives any user the ability to access the resources of ANY user, for example:
- Tweets of a public Twitter user.
- Posts made by an author in a public magazine.
- etc.
The second approach is often used when you want to restrict a user to only seeing his/her own resources. For example:
- To see or edit his/her profile.
- To access historic data (like order details, likes, invoices).
- etc.
Protecting endpoints this way prevents user A from modifying or accessing content that he/she may not have permission to make/see.
Which of those approaches you use will depend on the use case.
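The two patterns from the question side by side, as an added example (not code from the question or the answer). It assumes a Laravel Post model with user_id and is_public columns and routes that sit behind the auth middleware; the route names and the is_public column are assumptions.

```php
<?php
// Added example: the "any user's posts" route and the "my posts" route.
// Assumes a Post model with columns user_id and is_public (assumed name).

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    // GET /api/v1/posts?user_id=1
    // The client picks whose posts to read, so the query must restrict itself
    // to what anyone is allowed to see: public posts only. The caller's own
    // identity plays no part in the filter.
    public function byUser(Request $request)
    {
        $data = $request->validate(['user_id' => 'required|integer']);

        return Post::where('user_id', $data['user_id'])
            ->where('is_public', true)
            ->get();
    }

    // GET /api/v1/me/posts
    // The owner comes from the authenticated JWT subject, never from input,
    // so private posts can be returned without a further check.
    public function mine(Request $request)
    {
        return Post::where('user_id', $request->user()->id)->get();
    }

    // GET /api/v1/posts/{post}
    // Fetching one resource by id mixes both cases: a public post is visible
    // to everyone, a private one only to its owner (403 for anyone else;
    // use abort(404) instead if the post's existence should stay hidden).
    public function show(Request $request, Post $post)
    {
        if (!$post->is_public && $post->user_id !== $request->user()->id) {
            abort(403);
        }

        return $post;
    }
}
```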

meteorJS sessions using collections

Is it possible to combine MeteorJS collections and sessions? I can't find any information about it.
Template.search.helpers({
  transToEnT: function () {
    // fetch() turns the cursor into a plain array; "try" is a reserved word
    // in JavaScript and cannot be used as a variable name
    var rows = TransToEnT.find().fetch();
    Session.set('mySession', rows);
    var sessionDataToLog = Session.get('mySession');
    return sessionDataToLog;
  }
});
This is my attempt. Unfortunately, it was unsuccessful.
I think if you want to distinguish between different users, it is better to use Meteor's own user and accounts system (Meteor users and accounts) rather than manipulating the session.
Meteor sessions and collections are different things.
Collections are basically the database (by default MongoDB), and sessions are the state of the data source for a particular client.
In Meteor, if you want to apply the reactivity of one component to another component, we use Sessions. Example: when one facet changes and you want to update another facet and reset the data source for the view, we can use Sessions and return the session value from the template's helper function.
If you want to distinguish between users' data, use pub and sub for different users. Don't subscribe to all the data for a user; use dynamic pub and sub.
Only user-specific data should be present for a particular user/client.

override ActionLink Behavior , and parameters to process link appearance according to user privileges (asp.net mvc3)

I want to process user privileges (edit, read, new) in my website. I am thinking about passing an additional byte parameter MyRoles which holds the user's privilege code, i.e.: 0 - read only, 1 - full control, 2 - edit and read.
So how can I override the Html.ActionLink Razor method to work with that, and is my method the best way to handle this issue (user privileges)?
No, passing roles as parameters to your actions would be a security flaw, as the user could pass any role he likes.
The correct way to do this is to use the Role provider. You associate roles with your users and then define which role the user needs to be in to access a particular action.
For example:
[Authorize(Roles = "Readers")]
public ActionResult SomeAction()
{
    // only users belonging to the Readers role will be able to access this action
    return View();
}
Once you have properly secured the server side you could conditionally show/hide anchors and stuff in your Razor views:
@if (User.IsInRole("Readers"))
{
    @Html.ActionLink("read the news", "SomeAction")
}
And to avoid writing those ifs you could write a custom HTML helper:
@Html.RoleActionLink("read the news", "SomeAction", "Readers")
The default Membership and Role providers use the default aspnetdb but you could of course extend or write custom ones in order to query your own data.