Is it possible to grant permission for user in table, but only for a specific row in that table. I have a table named PrivateUserInfo where I store users' emails and nicknames: Granting permissions like that: r.db('dbname').table('PrivateUserInfo').grant('testuser', {read: true}); allows them to read everyones data. I want to allow them to read only the row where the id is their username. Setuping a webserver to handle this type of things will defeat the purpose. If I am going to create a webserver then I wouldn't even use permissions in first place and just handle the requests with the web app logged as admin. Which I really want to avoid. This was the main reason I want to use this database.
Related
I'm trying to grant access so that users can access all user information about themselves + non-sensitive information about others in the user table.
I thought user would inherit permissions from anonymous user which would give them access to the non-sensitive data of all users. This doesn't seem to be the case.
Is there a simple way to do this?
Figured out to create an SQL view for the private user info and set permissions for those columns. Set the remaining columns as public.
I have the following business problem to solve in a big legacy application written in PL/SQL and Oracle Forms 6i:
Not allow users to log in using their database accounts.
The whole application has around 50 users who use their database accounts. The audit department doesn’t allow that users know their database accounts passwords.
Rewriting the application to use a new user rights logic (using a table like USERS, only 1 database user, etc.) is out of the question as it’s too much work.
I thought about the following solution to use the existing database users:
Create a table USERS with usernames and new passwords, and somehow use a proxy user. In a package the application will check if the provided password is in line with the table USERS, and then connect as 1 of the 50 database users – so all application logic and user rights can stay the same.
But there is one problem with this workaround – you can’t use „connect” in a package. So I can’t use it.
begin
IF
p_in_user == USER2 AND p_in_pass == XXX
THEN
EXECUTE IMMEDIATE 'conn USER2/Password123'; -- doesn't work, using a proxy neither
END IF;
END;
Does anyone has any ideas?
The audit department doesn’t allow that users know their database accounts passwords
You can use encripted passwords.
Oracle allow to use encripted passwords through profile settings.
You can use a function to encript a clear password:
the clear password is given to end user
and on oracle database the user account is created/changed with the encripted password.
The user use his/her clear password to login and during login Oracle conver this to a encripted password for authentication.
Please confirm is this solution is ok, so I can post an example.
I am trying to set roles with parse.com
My aim is to set role to get all the data only for login users.
can you please proved step by step how should it be done with parse.com,
I tryed to play with it and read the tutrial but I am all the time getting accecss to data even if I am not logined.
thnx for helping!
When you create your data object you should be adding an ACL to it, created with the current user and limiting read and write to that user. This is done before you save the data object. You don't need to use a role. A role would be used where you had a group of users who all needed access, then you would add the users to the role and create the ACL for the role instead of a user.
On my parse based application, each user will have a list of notes that are private to him by default.
The user will be able to invite other users (identified by their email address) to view the notes.
I want to use ACL for that, but was wondering what should I do if the invited user is not registered yet as a Parse user on invitation. In that case, the notes creator user cannot add him to the note's ACL since there is no ParseUser object yet.
What is the best solution for this type of invitation?
Can I use ACL for this or do I have to manage the access myself?
If you're familiar with Parse technology called Cloud Code then you should check this https://gist.github.com/mikevansnell/5140654
This code creates future user from the email passed to the function and asign it with some random password. And then an invitation email is send to the passed email with all the info, including password. And when the invited user goes to the app just fill the logi
These are two options I can think of.
1) Use ACL
Modify the note's ACL so that it has read access by the users invited that are already registered. Any users that are not registered, get a new row containing the email and note id in a separate table called NewUserAccess. Whenever a user is created, query NewUserAccess for rows with the registering email. Update those notes with the newly created user's objectId.
2) Manage Access Yourself
The second option is just creating a table called UserAccess. With this, when you invite a user you create a row with their email and the note they have access to. This would cause problems if the user changed emails which would require additional work.
If you want to use ACL in order to control user access to classes, objects
just create a new _Role='registered_user' in the parse built in class "role" .
and when user xyz registers, add them to role 'registered_user'
in the ACL of the classes where you want to restrict READ to the role, use the following:
"ACL":{"registered_user":{"read":true}}
Explicitly setting READ permissions in ACL instead of just wildcarding it using "*" will lock down the access to members of "registered_user" Role.
Its just like groups in the file system.
In magento , I can create a sub-admin giving access to limited resources. But if I allow any sub-admin to create new sub-admin user then he is allowed to give all the access to the new sub-admin even which are not available to him..
Sub-admin should only allow the access, whatever he is holding.
For eg. : If sub admin is not having access to reports, he can not allow the report access to the other user he is creating from his access.
Any Suggestions.. ?
You can change into table admin_role, change the number in parent_id and tree_level columns of your user.