How to work with not (yet) registered devise Users - ruby

I have a User model; for login and registration its email field is used (everything vanilla from the devise gem).
I want (other) users to be able to e.g. add Users to a team, with the email-address as the identifier.
That is fine when the User already exists (pseudo: #team.users.add(User.find_by(email: other_users_email))), but I am unsure how to handle situations where the user does not yet exist (did not [yet] register).
When a (new) User sets up a new account, for the example above current_user.teams should show up correctly after successful registration.
I do not want to force these potentially new users to use the system (e.g. using devise_invitable) and bother them with an email.
I followed the path of creating the User when a user with the given email does not yet exist, but then when the user actually tries to setup an account, it fails (email not unique).
Alternatively, I could remodel the TeamMember part and let it optionally store either an email address or the reference to an existing User. Then what I would need is to check for "open" TeamMembers directly after User account creation (so, TeamMembers with the given email). I could also do this on each request, but that looks too expensive to me. There might be race conditions, but I could live with that (and check for the every-now-in-a-millennium gap with a cron job).
Any pointers? I am sure this is not that unusual.

I'd do this:
When a user A adds user B to a team by email, create the object for that user B, but set a flag, something like auto_created_and_inactive: true
When user B signs up on the site, you just have to handle this in your users#create: first, try to find an auto-created record and update it (set a password or whatever; also reset the flag). Or otherwise proceed with the usual route of creating a new record.

I have to admit that I have not yet tried @sergio-tulentsev's approach (implement RegistrationController#create). But to complete what I sketched in my question:
The User model can define an after_confirmation method, which is called after ... confirmation! So, if I store every piece of information about a potential user with a reference to his/her email address, once he/she has registered I can query this information and e.g. complete Team-Memberships.
# app/models/user.rb
class User < ApplicationRecord
  has_many :team_memberships
  has_many :teams, through: :team_memberships

  # Devise (confirmable) calls this once the user has confirmed the email address
  def after_confirmation
    # TeamMembership.open is a scope selecting memberships that have no user yet;
    # attach every open membership stored against this (now confirmed) address
    TeamMembership.open.where(email: email).update_all(user_id: id)
  end
end
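The flow sketched in the question and finished in the answer above, as an added example that is not part of the question or either answer: a plain-Ruby model of "open" team memberships keyed by email address, with in-memory stores standing in for ActiveRecord and Devise. The Registry class, its method names and the email normalisation are assumptions made here; the point it shows is that a membership is attached only on confirmation, i.e. only once the person has proven control of the address, and that sign-up is blocked only by a confirmed account, so the uniqueness failure from creating the User up front cannot occur.

```ruby
require 'securerandom'

# Constructed in-memory stand-ins for the ActiveRecord models (assumption: a
# TeamMembership row carries the invited email and a nullable user_id).
User = Struct.new(:id, :email, :confirmed, keyword_init: true)
TeamMembership = Struct.new(:team, :email, :user_id, keyword_init: true)

class Registry
  def initialize
    @users = {}        # email => User
    @memberships = []  # every TeamMembership row, open or attached
  end

  # A team owner adds someone by email. No User row is created for the invitee;
  # if the address already belongs to a confirmed account the row is attached
  # immediately, otherwise it stays open (user_id nil).
  def add_to_team(team, email)
    email = normalize(email)
    owner = @users[email]
    user_id = owner && owner.confirmed ? owner.id : nil
    @memberships << TeamMembership.new(team: team, email: email, user_id: user_id)
  end

  # Sign-up. Only a confirmed account blocks the address, so no placeholder
  # User row ever collides with the real registration.
  def register(email)
    email = normalize(email)
    existing = @users[email]
    raise ArgumentError, 'email has already been taken' if existing && existing.confirmed
    @users[email] = User.new(id: SecureRandom.uuid, email: email, confirmed: false)
  end

  # The after_confirmation step: memberships are inherited only once the
  # person has proven control of the address, so nobody gains another
  # address's team access just by typing it into the sign-up form.
  def confirm(email)
    user = @users.fetch(normalize(email))
    user.confirmed = true
    open_memberships_for(user.email).each { |m| m.user_id = user.id }
    user
  end

  def teams_for(user)
    @memberships.select { |m| m.user_id == user.id }.map(&:team)
  end

  def open_memberships_for(email)
    email = normalize(email)
    @memberships.select { |m| m.email == email && m.user_id.nil? }
  end

  private

  def normalize(email)
    email.strip.downcase
  end
end
```

In Rails terms, add_to_team is the TeamMembership creation, register is Devise's users#create, and confirm is the after_confirmation callback; the cron job the question mentions would simply call the same attach step for any open row whose address meanwhile belongs to a confirmed user.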

Related

nested complicated ACL in laravel

I'm using spatie/laravel-permission as the ACL system in my project. It's good.
I'm adding payment/accounting/invoices to my project and at this level another ACL is needed on users' work.
For example, user A has a feature F1 as our service. For 1 month he/she can use all sections in F1. After that, some features in F1 are limited until a new invoice is paid by the user.
So in my controller, in an Edit method, I use authorizeForUser just at the user ACL level. Now should I add another ACL in the F model like authorizeForF(F1->id)?!
And another problem is that this is very complicated, and if I forget to add this, I miss some money!!
I have a solution:
Seed a table saving all URIs and methods (with a foreach over Route::getRoutes()) as unique rows and assign a score to each of them (default 0). In a route middleware, analyze every request URI and compare it with the score (for example the URI is /profile/advaence and the administrator assigns score 2 for that).
If the URI has a score greater than zero, the user's accounting will be checked to continue or redirect to payment if needed.
This gives the administrator of the website the ability to assign each URI a score and the developer has no responsibility for that.
I'm just worried about the URIs, because administrators usually don't understand them easily. So I need another seed for some URIs to explain them as titles.
Is it good?

Authorization vs. Validation with ABAC/XACML

I'm not sure where the borders of authorization with ABAC/XACML are and where I should use validation.
Example 1
I have a class User and a class Message. When user U1 creates a new message M1 then the creator attribute of M1 must be U1.
Example 2
I have a class User. When someone creates a new user U2 then the password size should be larger than 8.
Example 3
I have a class User. When someone creates a new user U3 then the username should be unique.
But where should I check that? Should I validate it programmatically or authorize it with a request to the PEP? Especially Example 2 is not really a "you are not allowed to do that" problem (authorization) and more a "you have done something wrong" problem (validation).
None of the examples you state are good examples of ABAC/XACML.
Example #1
When user U1 creates a new message M1 then the creator-attribute of M1 must be U1.
This is entirely business logic. The act of creating a message will set the owner attribute of M1 to U1. It has nothing to do with XACML. XACML is about authorization i.e. whether a user is allowed to do an action. In this case, you could write a XACML rule about whether user U1 can create a message; whether user U1 can view or edit a message belonging to U2.
Example #2
I have a class User. When someone creates a new user U2 then the password size should be larger than 8.
This is validation from the PoV of your application. Your app is not about authentication or passwords. It relies on the password manager. The password manager itself (e.g. LDAP, AD...) has policies about password strength / lifetime / format. Those policies could be in XACML though, to-date, I've only seen proprietary formats instead.
Example 3
I have a class User. When someone creates a new user U3 then the username should be unique.
Again, this is about validation. This has nothing to do with your app but rather with the user account management solution you use e.g. LDAP. In there, you could decide to have rules that forbid the same username or forbid certain characters e.g. the # sign. User management solutions could definitely use XACML but from your app's PoV, that's orthogonal.
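The split the answer draws, as an added example that is not part of the question or the answer: a minimal attribute-based policy decision point in plain Ruby (the page's language, not XACML syntax) next to ordinary input validation. Example 1's "creator must be U1" is plain business logic at creation time, and only the follow-up question "may U1 edit a message belonging to U2?" goes to the PDP; Examples 2 and 3 are checks on the data itself. The Rule shape, the deny-overrides combining, the attribute names and the constructed subjects and messages are all assumptions made here.

```ruby
# A rule fires for one action when its condition holds over the subject's and
# resource's attributes; effect is :permit or :deny (assumed shape, not XACML).
Rule = Struct.new(:effect, :action, :condition, keyword_init: true)

class Pdp
  def initialize(rules)
    @rules = rules
  end

  # Deny-overrides combining: any applicable Deny wins, otherwise any applicable
  # Permit, otherwise NotApplicable, which the enforcement point treats as deny.
  def decide(subject:, action:, resource:)
    applicable = @rules.select { |r| r.action == action && r.condition.call(subject, resource) }
    return :deny if applicable.any? { |r| r.effect == :deny }
    return :permit if applicable.any? { |r| r.effect == :permit }
    :not_applicable
  end
end

MESSAGE_POLICY = Pdp.new([
  # Any authenticated subject may create messages.
  Rule.new(effect: :permit, action: :create, condition: ->(s, _r) { !s[:id].nil? }),
  # Only the creator may edit a message: the authorization question behind Example 1.
  Rule.new(effect: :permit, action: :edit, condition: ->(s, r) { r[:creator] == s[:id] }),
  # A locked message cannot be edited by anyone, the creator included.
  Rule.new(effect: :deny, action: :edit, condition: ->(_s, r) { r[:locked] }),
])

# Example 1 proper is business logic: creating the message sets creator from the
# authenticated subject, never from client input. The PDP is only asked "may
# this subject create at all?".
def create_message(subject, body, messages)
  decision = MESSAGE_POLICY.decide(subject: subject, action: :create, resource: {})
  return :denied unless decision == :permit
  message = { id: messages.size + 1, creator: subject[:id], body: body, locked: false }
  messages << message
  message
end

# Examples 2 and 3 are validation: properties of the submitted data, checked
# before persisting, with no subject or action involved at all.
def user_errors(username, password, existing_usernames)
  errors = []
  errors << 'password must be longer than 8 characters' unless password.length > 8
  errors << 'username already taken' if existing_usernames.include?(username)
  errors
end
```

The two functions never overlap: user_errors has no notion of who is asking, and MESSAGE_POLICY has no notion of whether the data is well-formed, which is exactly the boundary the answer describes.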

CouchDB: limit action to logged users

I'm working with the validate_doc_update function. I've heard about userCtx, but simply calling log(userCtx); helps in no way: there are no records in the log.
How do I determine in validation whether the current user is logged in or not, and maybe perform some checks against user rights (which may be made by simple fields like role:editor in the _users database)?
The user context is accessible under req.userCtx.
A common check of the loggedIn-status is if (req.userCtx.name !== null)
The access right roles of a user doc are accessible under req.userCtx.roles. The corresponding settings for a doc can be included hard-coded in the validate_doc_update function or in the doc itself.

Error on login for backend users with custom roles

I created a custom role for some users, and I assigned the role to a particular user with a content tree limitation, like on this image.
The problem is that when that user logs in, he gets an error like on this image. Roles are working, so the user can see his assigned content tree and work with it.
How can I solve this first screen? Even a redirection to his content tree would do the job.
Thank you :)
Make sure that the user you assigned the role to also has a basic role to access basic contribution functions. I usually have a "backoffice user" role which is assigned to every contributor (or group), which includes (without any limitation):
user/login on the admin siteaccess
content/read on at least the root node : you need to be able to get "through" that node (and others if needed) to see the ones under it
ezoe, ezjscore, ezmultiupload, ezfind, ezie etc
content/(edit|remove|...) on content which is owned by the user himself or his group
Hope this helps

Get short user name from full name

Anyone know how to get a user's short user name, eg. "johnsmith", given their full name, eg. "John Smith"?
Note I'm interested in any user, not the current user, so functions like NSUserName are irrelevant.
Why? I am authenticating a username and password using Authorization Services. This allows people to enter either their short name or their full name, which is nice, but I then need to know who they've actually logged in as (ie. short user name and/or user id).
Nasty hacks like [NSHomeDirectoryForUser(username) lastPathComponent] don't work consistently.
You need to use the Collaboration Framework :).
Link this framework to your project, and then you just need to do the following:
CBIdentity* identity = [CBIdentity identityWithName:@"John Smith" authority:[CBIdentityAuthority localIdentityAuthority]];
NSLog(@"Posix name: %@", [identity posixName]);
And voilà!
EDIT: If you need to find only users that are bound on the network, you need to use +managedIdentityAuthority instead of +localIdentityAuthority.
And if you need to find both local users AND network users, use +defaultIdentityAuthority.
