I am using Sentry for my application, but I am still confused about how to implement Sentry permissions to declare the owner of an object.
For example: authors writing articles.
My question: how do I set permissions based on the owner of the article?
I wouldn't see Sentry as being used for this, as it is a simple comparison of current user id to article author id. To use the default Sentry permissions for this you would need to add a new permission to the user permissions for every article that the user added, as far as I am aware - or otherwise extend the Sentry package with a custom function to handle this.
Another approach would be to use Sentry to check if the user is allowed to add an article in the first place, by adding author permissions to the user, or creating an authors group, and then check if they are the owner by just comparing the user and author id. You could also have an edit permission or group for users that can edit any article. Checks would then be something like:
// see if the user can add an article via Sentry permissions
if ($current_user->hasAccess('author')) {
    // allow creating
}
// see if the user can edit the current article: they are the author, or they hold the edit permission
if (($current_user->id == $article->author_id) || $current_user->hasAccess('edit')) {
    // allow editing
}
with the hasAccess('edit') part using Sentry to check if the user can edit the article even though they are not the author.
You would probably want to abstract out the owner check though if you are checking in multiple places in case you change the way you evaluate ownership at any point.
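One way to do that abstraction, as an added example that is not code from the answer above or from the Sentry package: the "author permission plus ownership" rules collected in one class, so the ownership comparison lives in a single place. It assumes Cartalyst Sentry 2 user objects (hasAccess(), getId()) and an Article model with an author_id column.

```php
<?php
// Added example (not the answer's or Sentry's own code). Assumes Cartalyst
// Sentry 2's UserInterface and a hypothetical Article model with author_id.

use Cartalyst\Sentry\Users\UserInterface;

final class ArticleAuthorizer
{
    /** Anyone holding the 'author' permission (directly or via a group) may create. */
    public function canCreate(UserInterface $user): bool
    {
        return $user->hasAccess('author');
    }

    /** The author of the article, or a user with the 'edit' permission, may edit. */
    public function canEdit(UserInterface $user, Article $article): bool
    {
        return $this->owns($user, $article) || $user->hasAccess('edit');
    }

    /** Same rule for delete today; split it out if the two rules ever diverge. */
    public function canDelete(UserInterface $user, Article $article): bool
    {
        return $this->canEdit($user, $article);
    }

    /** The one place where "ownership" is defined. */
    private function owns(UserInterface $user, Article $article): bool
    {
        // Guard null explicitly and compare ints strictly: with a loose ==,
        // a null author_id compares equal to 0, so an article with no author
        // would be "owned" by whoever happens to have id 0.
        return $article->author_id !== null
            && (int) $article->author_id === (int) $user->getId();
    }
}

// In a controller (Sentry::getUser() returns the logged-in user):
//   if (!(new ArticleAuthorizer())->canEdit(Sentry::getUser(), $article)) {
//       App::abort(403);
//   }
```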
I want to convert my existing app to multi-tenant and don't want to use multiple databases. I just read that the following package allows that:
https://github.com/spatie/laravel-multitenancy
I have read the single database documentation here: https://spatie.be/docs/laravel-multitenancy/v2/installation/using-a-single-database
But what's next??
Let's say right now users are stored in the users table, and by using this package I want to store users per tenant.
I couldn't find a real example anywhere, so it would be great if anyone who has already implemented Spatie multi-tenancy using a single database could help me here.
Thanks in advance.
Although spatie/laravel-multitenancy supports single databases, it doesn't come with query scopes (and it seems there are no plans to add them, as you can see here: https://github.com/spatie/laravel-multitenancy/issues/124), so you would need to create them manually.
So, you need to:
add the tenant_id to your tenant-specific tables
add an observer to save the tenant_id when creating a new record in the table
add a global query scope to always filter the data using the current tenant id
You can see something similar in this video: https://www.youtube.com/watch?v=nCiNqboYFVQ
The difference is that you will use the current tenant returned by spatie/laravel-multitenancy instead of the logged user id to get the tenant data.
If you want a package that already brings the query scopes ready to use, you may try Tenancy for Laravel: https://tenancyforlaravel.com/docs/v3/single-database-tenancy
Or, if your application has a very simple multi-tenancy strategy (for example, the tenant is the logged-in user or their team) you can just create some query scopes without needing a package, exactly as the video above teaches, as it is much simpler to identify the tenant by user_id or team_id, even in terminal commands and queue jobs (but it seems that is not your case, as you need users to belong to a tenant).
I hope it helps you to select the correct package and strategy for your project.
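The three steps above (tenant_id column, observer, global scope) carried through in one trait, as an added example that is not code from the answer or from spatie/laravel-multitenancy. It assumes the package's default Tenant model, a tenant_id column on each tenant-specific table, and uses a creating hook inside the trait in place of a separate observer class; the hypothetical trait name is BelongsToTenant.

```php
<?php
// Added example (not the package's own code). Assumes spatie/laravel-multitenancy
// v2 with its default Tenant model and a `tenant_id` column on each table that
// uses this trait. Keep `tenant_id` out of $fillable: it is set here, never
// from request input.

namespace App\Models\Concerns;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Spatie\Multitenancy\Models\Tenant;

trait BelongsToTenant
{
    public static function bootBelongsToTenant(): void
    {
        // Step 3: a global scope restricts every query on the model to the
        // current tenant. With no current tenant (console command or queue
        // job running outside a tenant context) the scope fails closed and
        // matches nothing, instead of silently returning every tenant's rows.
        static::addGlobalScope('tenant', function (Builder $builder) {
            $tenant = Tenant::current();
            if ($tenant === null) {
                $builder->whereRaw('0 = 1');
                return;
            }
            $column = $builder->getModel()->qualifyColumn('tenant_id');
            $builder->where($column, $tenant->getKey());
        });

        // Step 2: the observer's job. Stamp tenant_id on insert from the
        // current tenant, and refuse the insert when there is none, so a
        // record can never be created without an owner tenant.
        static::creating(function (Model $model) {
            $tenant = Tenant::current();
            if ($tenant === null) {
                throw new \RuntimeException(static::class . ' cannot be created without a current tenant');
            }
            $model->tenant_id = $tenant->getKey();
        });
    }

    public function tenant()
    {
        return $this->belongsTo(Tenant::class);
    }
}
```

Add `use BelongsToTenant;` to each tenant-specific model (including User, once its table has the column from step 1); an admin job that genuinely needs cross-tenant access should call `withoutGlobalScope('tenant')` explicitly rather than relying on the absence of a current tenant.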
We have a table Transfer Order:
This is the view from the admin user.
This is the view of the user to whom I need to give read, write, create and delete access, but the two fields 'To Stockroom' and 'From Stockroom' are not visible to this user.
I have created ACLs like:
How can I make these two fields accessible to that user?
Please help me.
In order to find the specific ACL that is failing the user's request for access, you can simply enable the Debug Security module. Then impersonate the user, visit the record, and scroll down the page. You'll eventually come to a line like this:
This red X indicates that a condition of the ACL was not met. Clicking the ACL (in this case, record/alm_asset.model/write) will take you to the specific security rule. Hovering over the red X will tell you what portion of the ACL was not met: the condition, the script, or the role requirement. That is what you must remedy, either in the ACL or by granting the user the necessary permissions.
I suspect in your case, that the user is able to see the record they're viewing, but does not have access to view the record or table referenced in the reference field. However, only the ACL/security debugger can tell you for sure.
To stop debugging, just click the "stop debugging" module in the app navigator, or log out of ServiceNow.
I am trying to find a list of users that are DISABLED (not locked).
These users must have a home folder mapped, and the folder starts with \\userdatasrv\
I managed to find the custom filter for the home folder:
(&(objectCategory=user)(objectClass=user)(homeDirectory=\5c\5cuserdatasrv*))
I also found some examples for disabled users on the internet, but I can't make them work together.
Please advise.
Thank you.
I think you should be able to use a search filter that looks something like this:
(&(objectCategory=person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2)(homeDirectory=\5c\5cuserdatasrv*))
Also remember to use objectCategory person. The objectCategory for a user object is not user, it is person, and objectClass is not enough since the computer class is a subclass of user. objectCategory will give you both user objects and contact objects.
This will only include accounts that are disabled. For more information about using bitwise filters see this page: http://support.microsoft.com/kb/269181
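The filter above built and run from PHP's ldap extension, as an added example that is not from the answer: the UNC prefix is escaped with ldap_escape() (each backslash becomes \5c, as in the question's hand-written filter), the disabled bit is named rather than hard-coded as 2, and the result is re-checked client-side. The host, bind account and base DN are placeholders you must supply.

```php
<?php
// Added example (not code from the answer). Assumes the php ldap extension
// and a read-only bind account; $uri, $bindDn, $bindPw and $baseDn are placeholders.

const ADS_UF_ACCOUNTDISABLE = 0x0002;                    // bit 2 of userAccountControl
const LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803';

// $homePrefix is the UNC prefix the home folder must start with,
// written in PHP as "\\\\userdatasrv\\" (i.e. \\userdatasrv\).
function disabledUsersWithHomeFilter(string $homePrefix): string
{
    // ldap_escape rewrites \ * ( ) and NUL as \5c \2a \28 \29 \00, so a
    // caller cannot smuggle extra filter syntax in; the trailing * is added
    // afterwards because it is the one wildcard we actually want.
    $escaped = ldap_escape($homePrefix, '', LDAP_ESCAPE_FILTER);

    return '(&'
        . '(objectCategory=person)'     // people: user + contact objects, no computers
        . '(objectClass=user)'          // of those, only user accounts (contacts drop out)
        . '(userAccountControl:' . LDAP_MATCHING_RULE_BIT_AND . ':=' . ADS_UF_ACCOUNTDISABLE . ')'
        . '(homeDirectory=' . $escaped . '*)'
        . ')';
}

function findDisabledUsersWithHome(string $uri, string $bindDn, string $bindPw,
                                   string $baseDn, string $homePrefix): array
{
    $ldap = ldap_connect($uri);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);       // AD referrals otherwise stall the search
    if (!ldap_bind($ldap, $bindDn, $bindPw)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    $result = ldap_search($ldap, $baseDn, disabledUsersWithHomeFilter($homePrefix),
        ['sAMAccountName', 'homeDirectory', 'userAccountControl']);
    $users = [];
    foreach (ldap_get_entries($ldap, $result) as $i => $entry) {
        if (!is_int($i)) {                                // skip the 'count' element
            continue;
        }
        // Re-check the bit client-side so a mistyped filter cannot quietly
        // widen the list to enabled accounts.
        $uac = (int) $entry['useraccountcontrol'][0];
        if (($uac & ADS_UF_ACCOUNTDISABLE) === 0) {
            continue;
        }
        $users[] = ['sam' => $entry['samaccountname'][0], 'home' => $entry['homedirectory'][0]];
    }
    ldap_unbind($ldap);
    return $users;
}
```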
I am trying to build an Android app with posts and comments.
The comments are shown in a ListView using a custom adapter.
Different users can comment on any post.
Each time a comment is saved, it is saved with public read access and private write access.
There is also a delete and edit option for each comment in case the user wants to delete or edit the comment.
Here I cannot understand how I can check if the current user has access control (ACL) over that data so that I may allow him to edit it.
USING PARSE AS A BACKEND!
ANY HELP WOULD BE PRAISED
I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to the admin and the user that added the book. I'm currently using the Acegi plugin. I know there is a newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is somewhat similar. I have a sidebar and there is "Hello ${currentUser.username}". currentUser is a method that returns an instance of the currently logged-in user. But the problem is that I don't have any idea where I can put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
@Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain).
// the domain instance of the currently authenticated user (Acegi plugin)
def loggedInUser = authenticateService.userDomain()
// createdBy is assumed to be a property on Book holding the user who added it
if (book.createdBy.equals(loggedInUser)) {
    // allow editing
}
Something like that, anyway.