I have a Post class that contains user posts. The posts should be public readable but unable to write to. However a user (author) should be able to write/delete their own posts. Here are my permission settings on the Post class -
Class Level Permission: Public-Read
Access Control Level: Public-Read, Author(pointer)-Read/Write
I get access denied when I try to delete the post. If CLP always overrides object ACL, what's the point of ACL at all?!!
If that's the case, should my CLP be read/write for Public then?!! How can I get around this or do I HAVE to write Cloud Code?
Thanks a bunch.
The CLPs (Class Level Permissions) are overridden by the ACL when they allow an action. If you do not enable the Update CLP, nobody will be able to update any objects in the table, even if they have the right ACL. When you enable the Update CLP for public, the ACL will control which people can update your objects.
So as long as the CLP and the ACL are not allowing any Update/Delete for "public" you are "safe".
We have table Transfer Order:
This is the view from admin User.
This is the view of the user to whom I need to give read, write, create and delete access, but the two fields 'To Stockroom' and 'From Stockroom' are not visible to this user.
I have created ACLs like:
How can I make these two fields accessible to some user?
Please help me.
In order to find the specific ACL that is failing the user's request for access, you can simply enable the Debug Security module. Then impersonate the user, visit the record, and scroll down the page. You'll eventually come to a line like this:
This red X indicates that a condition of the ACL was not met. Clicking the ACL (in this case, record/alm_asset.model/write) will take you to the specific security rule. Hovering over the red X will tell you what portion of the ACL was not met: the condition, the script, or the role requirement. That is what you must remedy, either in the ACL or by granting the user the necessary permissions.
I suspect in your case, that the user is able to see the record they're viewing, but does not have access to view the record or table referenced in the reference field. However, only the ACL/security debugger can tell you for sure.
To stop debugging, just click the "stop debugging" module in the app navigator, or log out of ServiceNow.
I would like to create log files for my application in a user-independent location. AFAIK C:\ProgramData is a good place for that.
I've tried it this way:
// Assumes Winapi.Windows (DirectoryExists, CreateDirectory) and System.Classes (TFileStream) are in the uses clause
if not DirectoryExists('C:\ProgramData\MyApp') then
  CreateDirectory('C:\ProgramData\MyApp', nil); // nil = default security descriptor, inherited from C:\ProgramData
// Share flags belong in the Mode parameter; TFileStream's third parameter is the Unix-only Rights value and is ignored on Windows
LogFileStream := TFileStream.Create('C:\ProgramData\MyApp\LogFile01.txt', fmCreate or fmShareDenyNone);
The problem with this approach is that the created file does not have Authenticated Users nor Everyone in Properties->Security->Group or user names.
This results in other users being unable to modify the created files.
But how can I achieve this, so that other users are also able to modify the created files?
I think it must be possible to have files with this permission there. Some files do have this permission e.g. C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone *.wav
Maybe either in
1.) somehow creating a 'MyApp' folder in C:\ProgramData with Authenticated Users or Everyone permission which would result in TFileStream automatically creating files with the same permission or
2.) somehow telling TFileStream to create the files with the required permission or
3.) somehow changing the files permission with some API function after its creation or
4.) some other way??
The default permissions in C:\ProgramData, aka FOLDERID_ProgramData allow any user to create new files and folders. However, only the user who creates the file or folder has permission to write to it.
So, if you wish to allow any user to modify objects under FOLDERID_ProgramData then you need to add a permissive ACL to grant those rights. You would typically do that when you installed your program. Create a folder under FOLDERID_ProgramData and add an ACL to grant rights to whichever class of users you wish to allow full access.
As an aside, clearly you should not be hard coding C:\ProgramData, but instead using FOLDERID_ProgramData with the known folder API. I guess the code in the question is just for testing, and your real program code does it correctly.
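One way to do the install-time step the answer describes, as an added example that is not code from the question or the answer, written in PowerShell (the shell an installer task would run) rather than Delphi. It resolves FOLDERID_ProgramData through .NET instead of hard-coding C:\ProgramData, creates the MyApp folder (the folder name is taken from the question), adds an inheritable Modify rule for Authenticated Users, and then creates a probe file to show that files created afterwards inherit the grant. It assumes it runs once, elevated, from the installer.

```powershell
# Added example: grant all authenticated users write access to a shared
# application folder under ProgramData, with the grant inheriting to files.
# Assumption: runs elevated, once, at install time. "MyApp" comes from the question.

$base = [Environment]::GetFolderPath('CommonApplicationData')   # FOLDERID_ProgramData, not a hard-coded path
$dir  = Join-Path $base 'MyApp'

if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

$acl = Get-Acl -LiteralPath $dir

# Authenticated Users is the well-known SID S-1-5-11; using the SID avoids
# depending on the localized account name.
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

# Modify (read/write/create/delete) rather than FullControl, so ordinary users
# cannot rewrite the DACL itself. ContainerInherit + ObjectInherit make the rule
# flow down to subfolders and files created later, e.g. by TFileStream.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl

# Verification: create a probe file the way the application would and list the
# rules on it. The Authenticated Users entry should appear with IsInherited = True.
$probe = Join-Path $dir 'LogFile01.txt'
New-Item -ItemType File -Path $probe -Force | Out-Null
(Get-Acl -LiteralPath $probe).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Because the grant is inheritable, the Delphi code that creates the log file needs no security attributes of its own; option 1 in the question is the one this implements. Note what the grant means for the logs themselves: once it is in place, any local user can alter or delete entries written by another user, so this layout is fine for diagnostic logs but not for logs whose integrity matters; for those, keep a per-user file or have a service account own the file and accept entries from clients.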
I am trying to build an Android app with posts and comments.
The comments are shown in a ListView using a custom adapter.
Different users can comment on any post.
Each time a comment is saved, it is saved with public read access and private write access.
There is also a delete and edit option for each comment in case the user wants to delete or edit the comment.
Here I cannot understand how I can check if the current user has access control (ACL) over that data so that I may allow him to edit it.
Using Parse as a backend!
Any help would be praised.
I am using Sentry for my application.
But I am still confused about how to implement Sentry permissions to declare the owner of an object.
For example: any author writing an article.
My question: how do I set permissions based on the owner of the article?
I wouldn't see Sentry as being used for this, as it is a simple comparison of current user id to article author id. To use the default Sentry permissions for this you would need to add a new permission to the user permissions for every article that the user added, as far as I am aware - or otherwise extend the Sentry package with a custom function to handle this.
Another approach would be to use Sentry to check if the user is allowed to add an article in the first place, by adding author permissions to the user, or creating an authors group, and then check if they are the owner by just comparing the user and author id. You could also have an edit permission or group for users that can edit any article. Checks would then be something like:
// see if the user can add an article via Sentry permissions
if ($current_user->hasAccess('author')) {
    // allow creating the article
}
// see if the user can edit the current article: they are the author, or they have edit permission
if (($current_user->id == $article->author_id) || $current_user->hasAccess('edit')) {
    // allow editing the article
}
with the hasAccess('edit') part using Sentry to check if user can edit the article even though they are not the author.
You would probably want to abstract out the owner check though if you are checking in multiple places in case you change the way you evaluate ownership at any point.
Can anyone please help me with how to disable the DELETE option in EF6?
I mean that from the application, no record should be deleted (even accidentally).
Thanks.
Create a user/role in the database that does not have permissions to delete/modify records and use it in your application. EF itself is not meant to be a security tool and there are always options to perform a delete operation (e.g. a developer can send any arbitrary SQL query/command to the database, bypassing all the 'security' measures implemented in the data access layer).
When getting the entities, call with the AsNoTracking() option.
e.g. Context.Users.AsNoTracking()
Edit after Steven's comment
It's true that anyone can still go and change the entity state to Deleted manually. I would recommend using the Repository Pattern for data access, which can restrict the delete operation by hiding the DbContext from outside the assembly.