How can I "pair" multiple users, and have them access the same data - perhaps some of the users in a group having read only rights? As a use case, think of a family sharing calendars, each using their own login, but being able to see each other's calendar.
You should have a look at Roles and Security in the Parse docs.
I'm no expert, but I would assume that you would create a role for a family and then restrict the access to either classes or objects (depending on your approach) with Access Control Lists. In that way you can have a group/role that has the same permissions for same objects and classes.
Adapted from the docs:
Creating a role
// By specifying no write privileges for the ACL, we can ensure the role cannot be altered.
var roleACL = new Parse.ACL();
roleACL.setPublicReadAccess(true);
var familyRole = new Parse.Role("MyFamilyRole", roleACL);
familyRole.save();
Then
var calEvent = new Parse.Object("CalendarEvent");
var familyACL = new Parse.ACL();
familyACL.setPublicReadAccess(false)
familyACL.setPublicWriteAccess(false)
familyACL.setRoleReadAccess("MyFamilyRole", true);
calEvent.setACL(familyACL);
calEvent.save();
This can of course be done more efficiently by using defaultACLs and other functionality. But these are the basics.
Btw, I reference the JS api, since you didn't specify a platform.
Related
Conveniently this is blank in the JS Docs
Does an ACL have to be explicitly applied when each User is created?
I had the same question. The following appears to work, applied right after new User is created (before calling the signUp method):
var user = new Parse.User();
user.set( userObj )
var acl = new Parse.ACL();
// apply desired ACL methods here..
// by default, public read/write will be restricted
user.setACL( acl );
user.signUp( null, ... )
Initially, I tried passing user into new Parse.ACL() per Parse's docs, but that was not working.
(I'm now reading up on the Cloud Code because perhaps such security logic be better done there?)
I want to download blobs using Shared access signatures, SAS.
I also want to be able to remove active SAS URI's and, if I understand it correctly, I must use Stored Access Policy for this.
What confuses me is how I can remove a policy. I also read you can only have 5 stored access policies active?
My goal here is to be able to remove an active SAS URI. The only way I can think of accomplishing this is to remove the policy that the SAS URI is linked with, right? If I have over hundreds of files in my blob storage, how in the world can I make this work? I can't have one policy for each blob right? 5 is the maximum policies?
This code demonstrates how I add a policy and how I create a SAS URI that uses this policy, which users can download from.
static void CreateSharedAccessPolicy(CloudBlobContainer container)
{
//Create a new stored access policy and define its constraints.
SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
};
//Get the container's existing permissions.
BlobContainerPermissions permissions = new BlobContainerPermissions();
//Add the new policy to the container's permissions.
permissions.SharedAccessPolicies.Clear();
permissions.SharedAccessPolicies.Add("PolicyName", sharedPolicy);
container.SetPermissions(permissions);
}
static string GetBlobSasUriWithPolicy(CloudBlobContainer container, string policyName)
{
//Get a reference to a blob within the container.
CloudBlockBlob blob = container.GetBlockBlobReference("file_name");
//Generate the shared access signature on the blob.
string sasBlobToken = blob.GetSharedAccessSignature(null, "PolicyName");
//Return the URI string for the container, including the SAS token.
return blob.Uri + sasBlobToken;
}
One last question, how do I remove a policy? Is it as simple as:
permissions.SharedAccessPolicies.Remove("PolicyName");
My goal here is to be able to remove an active SAS URI. The only way I
can think of accomplishing this is to remove the policy that the SAS
URI is linked with, right?
Partly correct. Removing the access policy is one way to do it. Other would be to change the name of the policy (policy identifier). For example if the policy identifier is mypolicy then changing it to mypolicy1 would have the same effect as removing the policy.
If I have over hundreds of files in my blob storage, how in the world
can I make this work?
As you may already know, access policy is defined at the blob container level and not at the blob level. Removing/invalidating an access policy would make invalidate SAS URL for all blobs in that container.
I can't have one policy for each blob right? 5 is the maximum
policies?
That is correct.
One last question, how do I remove a policy? Is it as simple as:
permissions.SharedAccessPolicies.Remove("PolicyName");
That is correct. Make sure you save it back though. You can use something like:
var cloudStorageAccount = CloudStorageAccount.DevelopmentStorageAccount;
var blobClient = cloudStorageAccount.CreateCloudBlobClient();
var container = blobClient.GetContainerReference("container-name");
var containerPermissions = container.GetPermissions();
containerPermissions.SharedAccessPolicies.Remove("access-policy-id");
container.SetPermissions(containerPermissions);
I need to create a User-Specific content page, I have registered users and I need to create a module/page/menu/feed or whatever that displays articles that are for only one or some users.
For example, in my site, I show to public some projects (articles redacted as some architecturing project) for example: news, finished projects, etc, some people register and can access to other content that is intended for registered users, for example: new projects that only registered clients would be interested, so far, I managed to make this work, but now, I have work that is for a specific user and he/she only can see it in his/her feed, for example: status of their project made by us, some galleries with photos of the work in progress, etc.
So, This feed must be a module/page/menu that shows articles with a specific category and for registered users. But I want to be able to post an article that is only intended for a specific user or a set of users and shows in this feed (module) or at least a whole new module that shows user-specific content without having to create a category and an access level for each user.
Is there an extension or plug-in that helps me do this?
you need to make do two things:
Make a new user-group (Users->User group) as a sub-group of
registered. Add the users that need the special permission to this
group.
Make a new access-level (Users->access-levels) and add you
new user-group to this access level
Set the access-level on the article(s) that you want to restrict access on.
The module should check the access-level before it displays it to the users, and only display the restricted articles to those that have the correct privileges.
The system don't really support what you ask for, but you could use the following setup:
Make a content-plugin (http://docs.joomla.org/J2.5:Creating_a_content_plugin). In the event onContentPrepareForm, you modify the created_by_alias-field to use it for your special user allowed to view this content article.
function onContentPrepareForm($form, $data){
// first check that context is right
// Then change the type of the field. This should allow to select
// the user when you create the article.
$form->getField('created_by_alias')->__set('type', 'user');
}
In the event onContentPrepareData, check if the data in the created_by_alias references a valid user in the user group your users shoud be in
public function onContentPrepare($context, $article, $params, $page){
// first check that context is right
//Then fetch the user data:
if(is_int($article->created_by_alias)){ // ( Optionally check if the article is in a specific category )
$db=JFactory::getDbo();
$currentuser=JFactory::getUser();
$allowedgroup=2; // the registered users group
$sql="select u.id from #__users inner join #__user_usergroup_map ug (u.id=ug.user_id) where ug.group_id={$allowedgroup}";
$db->setQuery($sql);
$user=$db->loadObject();
if($user->id==$currentuser){
$data->user=$user;
}
else{
//Unset the article content to prevent unothorized users from seeing the content.
unset($article);
}
}
Finally, create a module (http://docs.joomla.org/Creating_a_simple_module) that feeds articles for a particular user, containing at least:
$list=array();
$user=Jfactory::getUser();
if($user->id>0){
$sql="select * from #__content where created_by_alias={$user->id}";
// ( also add sql to check that the user has access,
// the article is published, the correct category etc)
$db=Jfactory::getDbo();
$db->setQuery($sql);
$list=$db->loadObjectList();
if(!count($list)) return;
}
else return;
print_r($list); // Prints the content articles
This scheme should protect unauthorized users from viewing the content of the articles ment for a specific user. The module should (after nicely outputting what you want to display) display a list of articles for the logged inn user. The module can link to the article in the normal way, and the authorized user will have access. So it should be "safe enough", and provide the functionality you need without too much hassle.
I'll try anotherone here:
You could just install a messageing system on your site. UddeIM is one such system. This will allow you to make specific content for your users. UddeIM can be configured so only administrators can send messages. There is also some modules for this component to show latest messages etc.
I have a question on how to revoke access to all objects (documents, emails etc) from all users leaving READ access only, in Documentum. Having being searched around the internet, no answers were found. Thanks for your help.
As part of the test, I was trying to do this on one user ONLY. My attempts involved changing Security Permissions in DA (Documentum Administration) and change owner_name in DQL. But none of these attempts seems to work.
Any suggestions? Much appreciated
The short of it is that you need to remove or change access on the objects themselves (folders, documents, etc.).
You can create a new permission set (ACL) that contains the permissions you want (in this case, READ permission) under the Security section in Documentum Administrator. You can either create a group and assign them the READ permission, or just use the dm_world group and assign it READ. Remove the other access permissions you don't want.
If you use a group other than dm_world you will need to assign all the users to this group under User Management.
Then, use DQL to apply your new permission set to all of your folders and documents.
You can create an ACL with READ permission using API as below:
create,c,dm_acl
set,c,l,object_name
sample_acl_name
set,c,l,owner_name
dm_dbo
set,c,l,description
Sample ACL
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l
or
you can modify the existing ACL using API as below:
retrieve,c,dm_acl where object_name = 'existing_acl_name'
grant,c,l,your_group_name_1,3,execute_proc
revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
grant,c,l,your_group_name_2,3,execute_proc
revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
.
.
.
grant,c,l,your_last_group_name,3,execute_proc
revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
save,c,l
I have faced a similar situation and I found to ways to approach it . One way which is an easy way would be to create a new acl with all the permissions and group you wish to have access which can be done as follow :
String aclName = "your_acl_name";
String aclDescription = "your_acl_description";
//create your acl object :
IDfACL acl = (IDfACL)_session.newObject("dm_acl"); acl.setObjectName(newAcl.toString());
acl.setDescription(newAcl.toString());
acl.save();
IDfPermit permit = new DfPermit();
permit.setAccessorName(your_groups);
permit.setPermitType(IDfPermit.DF_ACCESS_PERMIT);
//you may need to change the value of the next line based on your objectve
permit.setPermitValue(IDfACL.DF_XPERMIT_CHANGE_FOLDER_LINKS_STR);
//Finally grant the permit you've created above :
acl.grantPermit(permit);
acl.save();
then update the acl name of your previous object to the one you've just created as follow (DQL) :
Update dm_folder set acl_name = 'your_acl_name' where object_name = 'your_object_name'
or use the more straight forward way which is by using DFCsas below :
//First you must fetch the acl you're going to edit ==>
IDfACL acl = session.getObjectByQualification("dm_acl where object_name='" + "your_acl_name" + "'");
//This will produce a dql for fetching your acl based on it's name from dm_acl object table
acl.revoke("The_group_you_want_to_limitate_to_only_view","execute_proc");
acl.save();
I hope that this would help you as it worked for me :)
I have to implement access controls in my application and I am using spring ACLs for it. My model has User, groups, permissions.
The problem I am trying to solve is to get permissions on a domain object for a user. I was able to get all the access control entries for that user (principal sid, and group sids), and using that I was able to get a final set of permissions by taking a union over all the permissions. Lets say the combined mask is 111, which would be Read, Write, and Create permissions going by the permissions defined in BasePermissions.
The problem I am facing now is I cant find any way to get a list of all defined base permissions so that I can compare the mask to individual permissions. The base permission class does not seem to provide any such method. I do not want to hardcode cases in an if-then clause, since the number of permissions might increase in future.
Any pointers would be appreciated. Thanks.
You can check for the permission by using the AclPermissionEvaluator by passing an array of Permission instances to hasPermission method as a parameter. Check the source in the given link for implementation.
#Autowired
private PermissionEvaluator permissionEvaluator ;
........
Object permission = new Permission[]{permissionFactory.buildFromName("READ"),permissionFactory.buildFromName("WRITE"), permissionFactory.buildFromName("CREATE")};
permissionEvaluator.hasPermission(authentication, oid, permission);
And as mentioned in this answer do not forget to register the AclPermissionEvaluator in your spring context.
UPDATE: To get all the permission that a user has on a domain object --
private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
.......
List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
// Lookup only ACLs for SIDs we're interested in
Acl acl = aclService.readAclById(oid, sids);
List<AccessControlEntry> aces = acl.getEntries();
List<String> permissionsList = new ArrayList<String>();
for (AccessControlEntry ace : aces ) {
permissionsList.add(ace.getPermission().getPattern());
}
As #Ravi said: use the method readAclById from the class JdbcAclService will not work if you use the BasicLookupStrategy.class. Becasuse the LookupStrategy.readAclsById (ignored the second paramter sids). I suggest you write your custom lookupstragey.
What you are trying to do is check if a CumulativePermission has a specific permission. You can do it using this method:
public static boolean containsPermission(Permission cumulativePermission, Permission singlePermission) {
return (cumulativePermission.getMask() & singlePermission.getMask()) == singlePermission.getMask();
}