Using Laravel Spark, is there a way to -- either via UI or programmatically -- assign a team role to an invited user?
That is, Laravel Spark doesn't allow admins to create users. Instead, a owner user invites them. This creates an entry in the invitations table, and sends an email URL to the potential user. Users can then follow this URL, and sign up for a user account. Once they've signed up, an admin can change their role via UI.
Laravel Spark lets you set a default role for all invited users. What I want to know is: Does Laravel Spark provide a mechanism that would let me invite user A and have them end up with role B, and invite user C and have them end up with role D.
I can think of a number of ways to achieve this myself with custom code, but before I do that I want to know if this wheel's been invented.
Spark Roles is useful as it will allow you to assign user roles/permissions as the user signs up and/or is assigned to a team. https://github.com/centrality-labs/spark-roles
Related
We are trying to create a separate Admin role to assign to users to be able to call the Google Classroom API (domain). If we set them to be 'super admin' it works but we do not want to give these users super admin permissions. Anyone knows any guide or the settings to set on this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language are you using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
I have a problem authenticating users in my banking application. I want super users to be created and authenticated using email. However, I want that normal users be registered and assigned account numbers. The normal users would then use the account numbers to login. How do you achieve authentication of these different kinds of users with different username fields in one django project.
I have tried overriding the USERNAME_FIELD to account numbers so that normal users would use that to login. It doesnt help to login normal users. For superusers, it prompts for account number when I run
python manage.py createsuperuser
Kindly assist in understanding how to handle this kind of custom authentication.
Django is ready to support your requirement. AUTHENTICATION_BACKENDS support multiple backend as list. For normal user you have to write custom backend and Add that in AUTHENTICATION_BACKENDS.
This link will help you.
We are developing an application using larval spark
A user will be able to invited to multiple teams.
With in each team there are a number of venues, we want each user to have specific permissions for that venue.
I.E User will have the edit-venue-details permission for venue A but not for Venue B
Is there a way of linking Spatie permissions to an ID? So we can validate on a per venue basis.
Otherwise if we give a user edit-venue-details permission it will be valid for all of the sites, users will not have the same permissions on each venue.
Spatie/laravel-permission is more concern with high-level permission/roles over certain features
Where the concept you are referring to is known as Model Policies which Laravel implements by default you may find more details in https://laravel.com/docs/5.8/authorization#generating-policies
Find this example maybe it will make it clearer,
https://github.com/drbyte/spatie-permissions-demo/blob/master/app/Policies/PostPolicy.php
On my parse based application, each user will have a list of notes that are private to him by default.
The user will be able to invite other users (identified by their email address) to view the notes.
I want to use ACL for that, but was wondering what should I do if the invited user is not registered yet as a Parse user on invitation. In that case, the notes creator user cannot add him to the note's ACL since there is no ParseUser object yet.
What is the best solution for this type of invitation?
Can I use ACL for this or do I have to manage the access myself?
If you're familiar with Parse technology called Cloud Code then you should check this https://gist.github.com/mikevansnell/5140654
This code creates future user from the email passed to the function and asign it with some random password. And then an invitation email is send to the passed email with all the info, including password. And when the invited user goes to the app just fill the logi
These are two options I can think of.
1) Use ACL
Modify the note's ACL so that it has read access by the users invited that are already registered. Any users that are not registered, get a new row containing the email and note id in a separate table called NewUserAccess. Whenever a user is created, query NewUserAccess for rows with the registering email. Update those notes with the newly created user's objectId.
2) Manage Access Yourself
The second option is just creating a table called UserAccess. With this, when you invite a user you create a row with their email and the note they have access to. This would cause problems if the user changed emails which would require additional work.
If you want to use ACL in order to control user access to classes, objects
just create a new _Role='registered_user' in the parse built in class "role" .
and when user xyz registers, add them to role 'registered_user'
in the ACL of the classes where you want to restrict READ to the role, use the following:
"ACL":{"registered_user":{"read":true}}
Explicitly setting READ permissions in ACL instead of just wildcarding it using "*" will lock down the access to members of "registered_user" Role.
Its just like groups in the file system.
I created a workflow . My workflow sends e-mails to users who has salesperson security role. But I have big problem. After I export and import customizations in different company users of old company are shown on the e-mail template. How can I create a worflow which sends e-mail to users who has selected security role.
Regards,
Erdogan Uslu
The workflow editor isn't that powerful. You can't select a bunch of users with certain attributes and apply an action to them. You'll have to create a custom workflow activity. Run as the admin user to retrieve the list of users with a certain role. Base it off the SDk article Retrieve the Roles for a User
You would need to reverse this expression, so to speak. Add a condition expression on the role link, to match on the role name. Then you would remove the condition expression from the system user link. Make the role link a child of the system user link (right now the systemuser is a child of the role link). Change qe.EntityName to "systemuser".
You'll then need to create an e-mail. See SDK articles on sending e-mail and creating workflow activities. Hope this helps.
Using a security role like that is quite a weak mechanism for grouping users. CRM has the concept of a Team. Can't you create a Team, then send your email to the team?