I may be thinking about this wrong, but shouldn't it be a very common thing to need to check if a user belongs to a certain group? For example, if you want to show a certain menu item only to "Administrators", shouldn't there be a way within my view file to easily check if the user belongs to that group?
I see that there is an inGroup() function on the user, but this requires that you first fetch the group object and pass it into the function, rather than simply passing the group name, for example $user->inGroup('Administrators');. I also realize I could write my own method to accept the group name, look it up, and then use that in the existing inGroup() method.
However, the fact that this is not much more obvious in the docs makes me believe I am thinking about it in the wrong way.
Would the preferred way be to give the "Administrators" group an "admin: 1" permission, and therefore just check if the user has that permission rather than checking if they are in the group?
If so, I am struggling to see the value of a group at all since you aren't able to easily use them to determine access; instead, you need to use the individual permissions that the group contains.
You can check to see if a user belongs to a group easily:
$user = Sentry::findUserById(1);
$adminGroup = Sentry::findGroupByName('Admin');
$isAdmin = $user->inGroup($adminGroup);
However the best approach is to use permissions. You can setup an 'Admin' group with permissions to 'manage user accounts'. You then simply check to see if the user has permission to 'manage user accounts' as opposed to checking whether they belong to the Admin group.
In my 'group' table I have a row like this:
id | name | permissions
1 | Admin | {"manageUserAccounts":1}
I can now check whether a user has permission to 'manageUserAccounts' with the following:
$user = Sentry::findUserById($userId);
if ($user->hasPermission('manageUserAccounts')) {
    print 'You can manage user accounts';
}
else {
    print "Oops, you can't manage user accounts";
}
Note that the 'user' table is connected to the 'group' table via the user_groups table.
See the Sentry documentation for more info on how to fine-grain permissions. It's quite powerful.
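The answer above stores a group's permissions as a JSON object in the 'group' table. The script below is an added example, not Sentry's own code, that shows how such JSON columns combine when a user is in several groups and also has a permissions column of their own. It assumes (as an illustration of the inheritance model, not a statement of Sentry internals) that a group value of 1 grants a permission, that a user-level 1 grants and a user-level -1 revokes regardless of groups, and that anything never mentioned is denied.

```php
<?php
declare(strict_types=1);

// Added example: merging JSON permission columns (illustration only, not
// Sentry's implementation). Assumed values: group 1 = allow; user 1 = allow,
// user -1 = deny, and the user's own column overrides every group.

/**
 * Build name => bool from the JSON of every group the user is in, then
 * apply the user's own JSON on top.
 */
function effectivePermissions(array $groupJsonRows, string $userJson): array
{
    $effective = [];
    foreach ($groupJsonRows as $json) {
        foreach (json_decode($json, true, 512, JSON_THROW_ON_ERROR) as $name => $value) {
            // a permission granted by any one group is granted
            $effective[$name] = ($effective[$name] ?? false) || (int) $value === 1;
        }
    }
    foreach (json_decode($userJson, true, 512, JSON_THROW_ON_ERROR) as $name => $value) {
        // user-level entry wins: 1 grants, -1 (or anything else) revokes
        $effective[$name] = (int) $value === 1;
    }
    return $effective;
}

/** Unknown permission names are denied rather than treated as an error. */
function hasPermission(array $effective, string $name): bool
{
    return $effective[$name] ?? false;
}

// Constructed rows: the answer's Admin group plus a second, made-up group,
// and a user-level override that revokes one of the group grants.
$groupRows = [
    '{"manageUserAccounts":1}',            // Admin
    '{"viewReports":1,"exportReports":1}', // Analyst (assumed)
];
$userOverrides = '{"exportReports":-1}';

$effective = effectivePermissions($groupRows, $userOverrides);
foreach (['manageUserAccounts', 'viewReports', 'exportReports', 'deleteDatabase'] as $name) {
    printf("%-20s %s\n", $name, hasPermission($effective, $name) ? 'allowed' : 'denied');
}
```

The point a menu-rendering check should take from this is the last case: a permission that no row mentions must evaluate to denied, which is why hasPermission() falls back to false instead of raising.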
Related
In CloudCode, is there any utility function which I can determine that the current user belongs to a certain role?
Assume the following role hierarchy Admin->Manager->User
If I added user1 to the Admin role, then in Cloud Code, if I query all the roles this user belongs to, I will get the immediate list of roles, not the hierarchy. I am wondering if there is a utility function that helps with this issue?
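The question above is about expanding a user's direct roles into everything the hierarchy implies. The following is an added example, not Parse or Cloud Code code, of that expansion in plain PHP. It assumes the hierarchy Admin->Manager->User means Admin inherits Manager's privileges and Manager inherits User's, represented as a map from a role to the roles it inherits; the role names are taken from the question and the map itself is constructed.

```php
<?php
declare(strict_types=1);

// Added example: transitive closure of a role hierarchy (not a Parse API).
// $inherits maps a role to the roles whose privileges it also receives.

/**
 * Return every role implied by $directRoles, sorted, visiting each role once
 * so that a cyclic definition (A -> B -> A) cannot loop forever.
 */
function effectiveRoles(array $directRoles, array $inherits): array
{
    $seen = [];
    $stack = $directRoles;
    while ($stack) {
        $role = array_pop($stack);
        if (isset($seen[$role])) {
            continue;
        }
        $seen[$role] = true;
        foreach ($inherits[$role] ?? [] as $inherited) {
            $stack[] = $inherited;
        }
    }
    $roles = array_keys($seen);
    sort($roles);
    return $roles;
}

/** "Does this user hold $role?" answered against the expanded set. */
function hasRole(array $directRoles, array $inherits, string $role): bool
{
    return in_array($role, effectiveRoles($directRoles, $inherits), true);
}

// Constructed hierarchy from the question: Admin -> Manager -> User.
$inherits = [
    'Admin'   => ['Manager'],
    'Manager' => ['User'],
];

echo 'Admin expands to: ', implode(', ', effectiveRoles(['Admin'], $inherits)), PHP_EOL;
echo 'Manager holds User? ', hasRole(['Manager'], $inherits, 'User') ? 'yes' : 'no', PHP_EOL;
echo 'Manager holds Admin? ', hasRole(['Manager'], $inherits, 'Admin') ? 'yes' : 'no', PHP_EOL;
```

The direction of the map matters: a check written the other way round (child implies parent) would silently grant Manager every Admin privilege, so whichever direction the stored relation uses should be documented next to the check.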
How to exclude a database row from the select menu? For example: the admin can create users and append roles to them. The available roles are dev, admin, normal user. But the admin user has to see only the admin and normal user roles. I know I can add them in the BREAD menu but I want to restrict the visibility of the dev role and, when other roles are added, show them automatically and not add them one by one in the BREAD menu.
The simplest solution is to filter the set of roles pulled from the database. Since I am not familiar with your database schema, here is a rough solution that you should be able to tweak to your needs
$rolesQuery = Role::newQuery();
if (Auth::user()->is_admin) {
$rolesQuery->where('role', '!=', 'dev');
}
$roles = $rolesQuery->get();
You can cache this result for admins for future use.
Say, I want to retrieve some users and I have provided both user_filter & group_filter to filter out the specific users that I need.
user_filter = (&(cn=ab*)(sn=cd*))
group_filter = (|(cn=gh*)(cn=kl*))
I know how to write individual queries for user & group. How can I combine the above filters to write a single query such that I get the users whose common name starts with 'ab' and surname starts with 'cd' and they either belong to groups which start with 'gh' or 'kl'?
It depends on how you have membership defined. If you have membership on the groups, e.g. group1 has a member attribute for user1, this combined query is not possible. If you have groups defined on the user, e.g. user1 has a memberOf attribute for group1, then you may do something like
(&(objectclass=user)(cn=ab*)(sn=cd*)(|(memberof=cn=gh*)(memberof=cn=kl*)))
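The filter above is assembled from values that usually arrive from a search form, so it is worth building it with escaping rather than string concatenation. The script below is an added example, not part of the answer, that builds the single filter for the memberOf case and the two filters needed when membership lives on the group (search the groups first, then the users by the collected member DNs). Escaping follows RFC 4515, the same rule ext/ldap's ldap_escape() applies with LDAP_ESCAPE_FILTER; it is written out here so the script runs without ext/ldap. The attribute names memberOf and distinguishedName are assumptions (Active Directory names); the sample DN is constructed.

```php
<?php
declare(strict_types=1);

// Added example: building LDAP filters from untrusted input (not the
// answer's code). Assumes AD-style memberOf / distinguishedName attributes.

/** RFC 4515 escaping for a value placed inside a filter assertion. */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',   // must come first in intent; strtr handles order
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

/** (attr=prefix*) with the prefix escaped; the trailing * is ours, not the user's. */
function prefixFilter(string $attr, string $untrustedPrefix): string
{
    return sprintf('(%s=%s*)', $attr, escapeFilterValue($untrustedPrefix));
}

/** Case 1: membership on the user. One filter, as in the answer. */
function usersViaMemberOf(array $userTerms, array $groupCnPrefixes): string
{
    $memberOfTerms = array_map(
        fn (string $p) => sprintf('(memberOf=cn=%s*)', escapeFilterValue($p)),
        $groupCnPrefixes
    );
    return '(&(objectClass=user)' . implode('', $userTerms)
        . '(|' . implode('', $memberOfTerms) . '))';
}

/** Case 2, step 1: membership on the group. Find the groups first. */
function groupsByCnPrefix(array $groupCnPrefixes): string
{
    $cnTerms = array_map(fn (string $p) => prefixFilter('cn', $p), $groupCnPrefixes);
    return '(&(objectClass=group)(|' . implode('', $cnTerms) . '))';
}

/** Case 2, step 2: users restricted to the member DNs read from those groups. */
function usersByMemberDns(array $userTerms, array $memberDns): string
{
    $dnTerms = array_map(
        fn (string $dn) => '(distinguishedName=' . escapeFilterValue($dn) . ')',
        $memberDns
    );
    return '(&(objectClass=user)' . implode('', $userTerms)
        . '(|' . implode('', $dnTerms) . '))';
}

$userTerms = [prefixFilter('cn', 'ab'), prefixFilter('sn', 'cd')];

echo usersViaMemberOf($userTerms, ['gh', 'kl']), PHP_EOL;
echo groupsByCnPrefix(['gh', 'kl']), PHP_EOL;
// Constructed DN standing in for a 'member' value returned by the group search:
echo usersByMemberDns($userTerms, ['CN=Abel,OU=Staff,DC=example,DC=com']), PHP_EOL;
// A prefix crafted to close the assertion and add its own stays inert:
echo prefixFilter('cn', 'ab*)(sn=*'), PHP_EOL;
```

With the group-side membership, the second filter can grow large for big groups; splitting the DN list into batches of a few hundred terms per search keeps each filter under the server's size limit.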
Out of the box Laravel authorizes users by matching email (default - can be overridden) and password.
Is it possible to authorize user using 3 fields, e.g:
email
password
group
... where 'group' is some additional field from the 'users' database.
In other words, a user can belong to group:1 and can log in to group:1 resources only, but not to group:2 using his group:1 credentials.
If a user belongs to group:1 and group:2, then he needs different credentials to log in to either group.
Additionally, a user can use the same email for both groups. In such a case it is the group number that would act as an additional identifier. And of course the passwords would be different.
I am thinking that setting a database multiple-column index on the fields 'id' and 'group' would be a good start, but I fail to grasp (yet) what would be required to make the Laravel authorization process sensitive to 3 fields, instead of 2.
I would appreciate some pointers.
This sounds like you're trying to achieve a form of tenancy on data belonging to certain groups only. Have a look at this package:
https://github.com/HipsterJazzbo/Landlord
In essence, you would add a group_id field to the tables where you wish to restrict access and then using middleware, apply an additional where('group_id', Auth::user()->group_id) clause to any database queries. This works very well for retrieving subsets of data belonging to specific users by their role, for example.
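As an added example (not code from the linked package or from either post), the two halves of the approach above in Laravel: a login that makes the group part of the credentials, and a model whose every query is restricted to the caller's group. It assumes a 'group' column on 'users', a 'group_id' column on the scoped tables (the name used in the answer), and a hypothetical Document model; the controller and migration lines are written against Laravel's standard Auth facade and Eloquent global scopes.

```php
<?php
// Added example: group as a third credential plus a per-group query scope.
// Assumed schema: users.group (integer), documents.group_id (integer).
// Migration change assumed on the users table: drop the default
// $table->string('email')->unique() and use $table->unique(['email', 'group'])
// so the same email may exist once per group.

namespace App\Http\Controllers {

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    class LoginController extends Controller
    {
        public function login(Request $request)
        {
            $credentials = $request->validate([
                'email'    => 'required|email',
                'password' => 'required',
                'group'    => 'required|integer',
            ]);

            // Every key except 'password' becomes a WHERE clause on the users
            // table, so email AND group select the single row whose password
            // hash is then verified. A group:1 password never matches group:2.
            if (Auth::attempt($credentials)) {
                $request->session()->regenerate(); // new session id after login
                return redirect()->intended('/');
            }

            // One generic message for wrong group, wrong email and wrong password
            return back()->withErrors(['email' => 'Invalid credentials for this group.']);
        }
    }
}

namespace App\Models {

    use Illuminate\Database\Eloquent\Builder;
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Support\Facades\Auth;

    // Hypothetical model standing in for any table that carries group_id.
    class Document extends Model
    {
        protected static function boot()
        {
            parent::boot();

            // Applied to every query on this model, not only the ones a
            // developer remembered to filter by hand.
            static::addGlobalScope('group', function (Builder $builder) {
                if (Auth::check()) {
                    $builder->where('group_id', Auth::user()->group);
                }
            });
        }
    }
}
```

The scope does nothing for unauthenticated requests, so routes that expose Document must still sit behind the auth middleware; the scope narrows what an authenticated caller can reach, it does not decide whether they may reach the route at all.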
I'm making an ASP.Net MVC 3 application in VS 2010. I have a task to create a settings page which would make the columns from the tables in my database with specific permissions (read, read/write etc.).
It's the first time I have a task of this kind and I have no idea on how to make this.
I tried right-clicking on the project in VS and then going to Settings. There was a link which said that my project didn't have a settings page, so I clicked it to create one. A table with settings appeared, but there are just public/internal access modifiers. I can't seem to find write/read.
Is this the right way of creating a settings page? Or is there another?
I'm sorry Andrew. I answered your question in quite a rush previously. So, I think my answer became quite unclear. I'm so sorry. I will try my best to answer this more clearly. My answer can be quite long and I hope you are patient enough to finish reading this. :-)
Actually, your problem can be solved in very easy way. Believe me! You actually don't need a Setting page for this.
I suppose you will have a Users table in your database for storing user accounts for your system. Right! And again, I suppose that the Users table will have at least the following fields.
UserID [ This must be the primary key for the table. Right! ]
UserName
Password
Email [ This is kind of optional. ]
I only suppose your database has this kind of schema. Otherwise, there must be other ways to set the permissions for the users in your table.
Alright, create another table called Permissions in your database. That Permissions table will handle the permission rights for your users in the above Users table. Ok! Then, you have two tables. One is your original Users table and another is Permissions table.
Ok! Our new Permissions table will have at least following fields:
ID [ This is the primary key for this table. ]
UserID [ This will come as foreign key from your previous Users table. ]
PermissionRead [ this field will hold a boolean data type or a bit data type: True or False for Boolean and 0 or 1 for bit. This entirely depends on the type of DBMS you use. ]
PermissionWrite [ again, same as PermissionRead. ]
Alright, now you have two tables. These PermissionRead and PermissionWrite fields are for holding the permission rights for your users.
If you have the exact DB schema I described above, then you will have the following kind of relationship:
Users table
UserID | UserName | PW
U-001 | Tim | timpassword
U-002 | Jim | jimpassword
Permissions table
ID | UserID | PermissionRead | PermissionWrite
1 | U-001 | True | False
2 | U-002 | True | True
So, you can see that user Tim, whose UserID is U-001, has read-only permission, and user Jim, who is U-002, has both read and write permissions.
So, you can check the values of these fields when a particular user logs in to the system. If he or she has a PermissionRead value of True and a PermissionWrite value of False, then that user has read-only permission. Otherwise, if both values are True, then that user has read-write permission. Ok!
I tried my best to explain this, and I really do hope you can understand my answer. I really do...!!!
My suggestion is that you should try this method first. And, if you are alright with this, I can explain more about how to set group-level permissions with this method. Ok! 'Cause my answer became quite long, and I fear you'll become bored reading this... ;-)
You don't actually need a settings page for tasks like this. The easiest way to give permissions to users in ASP.Net is to create a table in your database. Let's just call it Permissions. Then create these fields in that table:
PermissionID (datatype something you want)
UserID (this must be the foreign key from your Users table)
Read (boolean or bit type)
Write (the same as Read)
Both (the same as Read)
Now you have a table which is linked to your Users table. You can set permissions for the users in the Users table in this Permissions table by setting these boolean (true or false) or bit (0 or 1) values.
Then, when your user logs in to the system, you can check the "read", "write" and "both" values from that Permissions table, and allow that particular user access based on these true or false values.
For instance, if a particular user has only the Read value true and the other values false, then you can tell that that user has "read-only" permission.
That's the basic idea for creating user permissions with databases. Of course, you can do some advanced things with database tools. But I think this is the simplest way to do so. And you can add as many permission types as you want in that table.
You can even create groups with this method: giving permissions to a particular group will give permission to all users belonging to that group.
Wish you good luck...!!!
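The two answers above describe a Users table joined to a Permissions table and a check at login time. Below is an added example, not code from either answer, that builds that schema in an in-memory SQLite database and performs the login-time check. It keeps the answers' table and column names and the sample rows for Tim and Jim, with two choices of its own: passwords are stored as password_hash() output rather than plaintext, and a user without a Permissions row gets no rights rather than an error. It assumes PDO with the pdo_sqlite driver.

```php
<?php
declare(strict_types=1);

// Added example: the Users/Permissions design from the answers, built in
// SQLite and queried with prepared statements. Assumes pdo_sqlite.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('PRAGMA foreign_keys = ON');   // make the FK below enforced
$pdo->exec('CREATE TABLE Users (
    UserID       TEXT PRIMARY KEY,
    UserName     TEXT NOT NULL UNIQUE,
    PasswordHash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE Permissions (
    ID              INTEGER PRIMARY KEY,
    UserID          TEXT NOT NULL UNIQUE REFERENCES Users(UserID) ON DELETE CASCADE,
    PermissionRead  INTEGER NOT NULL DEFAULT 0 CHECK (PermissionRead  IN (0, 1)),
    PermissionWrite INTEGER NOT NULL DEFAULT 0 CHECK (PermissionWrite IN (0, 1)))');

// Constructed rows mirroring the answer's tables (hashes replace plaintext).
$insertUser = $pdo->prepare('INSERT INTO Users (UserID, UserName, PasswordHash) VALUES (?, ?, ?)');
$insertPerm = $pdo->prepare('INSERT INTO Permissions (UserID, PermissionRead, PermissionWrite) VALUES (?, ?, ?)');
$rows = [
    ['U-001', 'Tim', 'timpassword', 1, 0],
    ['U-002', 'Jim', 'jimpassword', 1, 1],
];
foreach ($rows as [$id, $name, $password, $canRead, $canWrite]) {
    $insertUser->execute([$id, $name, password_hash($password, PASSWORD_DEFAULT)]);
    $insertPerm->execute([$id, $canRead, $canWrite]);
}

/**
 * Verify the password and return the user's rights, or null on failure.
 * LEFT JOIN + COALESCE: a user with no Permissions row is read 0 / write 0.
 */
function login(PDO $pdo, string $userName, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT u.UserID, u.PasswordHash,
                COALESCE(p.PermissionRead, 0)  AS canRead,
                COALESCE(p.PermissionWrite, 0) AS canWrite
           FROM Users u
           LEFT JOIN Permissions p ON p.UserID = u.UserID
          WHERE u.UserName = ?'
    );
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return null;   // same result for unknown user and wrong password
    }
    return [
        'userId' => $row['UserID'],
        'read'   => (bool) $row['canRead'],
        'write'  => (bool) $row['canWrite'],
    ];
}

/** Map the two flags to the wording the answers use. */
function describeAccess(?array $session): string
{
    if ($session === null) {
        return 'login failed';
    }
    if ($session['write']) {
        return 'read-write';
    }
    return $session['read'] ? 'read-only' : 'no access';
}

echo 'Tim: ', describeAccess(login($pdo, 'Tim', 'timpassword')), PHP_EOL;
echo 'Jim: ', describeAccess(login($pdo, 'Jim', 'jimpassword')), PHP_EOL;
echo 'Jim, wrong password: ', describeAccess(login($pdo, 'Jim', 'wrong')), PHP_EOL;
```

The CHECK constraints and the UNIQUE on Permissions.UserID are what make the "read/write" flags trustworthy: without them a stray second row or a value of 2 would have to be interpreted by every caller, and the login check is the only place that should decide what the flags mean.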