I have a Sitecore site that uses the AD module for connecting to an Active Directory. Let's say that we have a Role defined in Sitecore called "Content Authors". Content Authors may contain individual user accounts - "jsmith" - or it might contain an entire AD Group - "Northeast Managers". I need to get a list of all users who are in the "Content Authors" role, either directly or indirectly (through an AD group). Right now my code only seems to be returning users that are directly a member of the "Content Authors" role. Here is my code:
string[] _roleUserNames = System.Web.Security.Roles.GetUsersInRole("Content Authors");
I was assuming that this code would return the "effective" list of everyone who is in that role. It seems to only return people who are directly in that role. Does anyone know if there is some other way of getting everyone in a role?
I figured out that this is a specific issue to Sitecore as Sitecore allows Roles in Roles and that functionality is built on top of the MS ASP.NET Membership stuff. To get all users in a role including "indirect" users you should use the following code:
IEnumerable<User> _roleUsers = Sitecore.Security.Accounts.RolesInRolesManager.GetUsersInRole(Role.FromName("Content Authors"), true);
This will give you all of the users including indirect users.
I know this is old, but I ran into this same problem and the above solution did not work for us. The indirect users in Active Directory were not found, only indirect users in Sitecore roles.
Further investigation into the AD module role provider seems to indicate that there is code for indirect roles, but that the call to get to it doesn't seem to function. dotPeek showed me that there is an explicit setting of 'false' for a parameter that would trigger indirect roles searching for users, and was not reading from the setting.
We needed to decompile the AD 1.1 code, and then fix that part in order to get it working.
Related
I am creating one multi-tenant app in Laravel with Single Database and thinking to use laravel-permission package by spatie.
My Requirement is pretty straightforward, I want my tenants to create their own Roles, whereas permissions will be managed by Super Admin only.
My problem is when I was trying using, It worked for 1st client but 2nd time it gives error:
A role 'Admin' already exists for guard 'admin'.
As I mentioned client can create roles, so they can crate duplicate roles.
Please recommend better approach or package or should I try writing custom code.
Any help appreciated!
Because the name is indexed in the role table, you cannot create a duplicate role name, I ask you not to change the package, but in case you have 2 ways to handle this
1- unindex the name collemn or disable unique feature, and add you tenant id to table so by do this you can manage and get right role for each tenant
2- add another table to manage your sub role (tenant role) and connect you sub role with master role by id
I would consider using a hidden prefix: on the roles and permissions that would scope them to a particular tenant. So for example:
Roles
system:admin
tenant_a:admin
tenant_b:admin
Permissions
system:creates-roles
system:reads-roles
tenant_a:creates-roles
tenant_a:reads-roles
The prefix would not be assignable by a Tenant, the system would automatically assign that based on the User. However, if you're a System Admin (i.e. Super Admin) then you could create/view/assign a prefix in order to manage the roles and permissions.
This would require you to write some custom logic for handling the prefix, however, it is pretty flexible (you could nest unlimited identifiers - a:b:c:d:e etc.) and doesn't require you to go messing with any underlying packages (i.e. laravel-permissions).
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
I am about to define permissions for users in my project. I checked the laracasts videos regarding ACL, Roles and Permissions.
I have a doubt. Do I need Roles for normal users?
I mean, in my project a user should be able to create / update / delete his own posts, he should be able to comment on his own posts and posts by other users and delete his posts and posts left by others on his own posts.
The point is: do I really need to define Roles for this kind of permissions? Shouldn't I just define some policies like can / can't post / update / delete etc. and only define roles for admins?
You don't necessarily need a full featured, powerful Roles/ACL system but if you are storing both admin and basic users in the same table then you do need something to distinguish between them. This could be something as simple as a Role field as a string on your users table e.g. Admin or Basic, or even a boolean is_admin field.
This would give you the ability to implement a Policy or Middleware to prevent basic users accessing the admin panel, and you can have permission checks to ensure a user can't update other users posts etc.
If you don't foresee needing anything more complex in future then this would suffice. However, as your app becomes more mature, you might wish to have a more advanced roles system, for example where a user needs to have multiple roles.
You don't necessarily need to define a role for every user...
It's probably a good idea to, however, you can 'hardcode' and make some assumptions about some of the access...
For example:
If you assume that anyone who is logged in can make a post and can edit their own post, you don't need to make a role for users to say "can_make_post", just have a check saying "if user is logged in, then let them make a post"
then if you say, have an admin area, then you can go "if user a has role
with the 'admin_access' permission, then allow access"
It would be a good idea to have roles for everything, as it allows more customisation, however, your the one designing it, if you don't need the customisation, you can probably just make some assumptions like above.
Im new to Umbraco development, but im plenty familiar with ASP.Net & MVC etc. So Im getting to grips with the object model and terminology used, but Im not sure where to start. I need to use windows authentication on my Umbraco site, which will be for internal use only.
What I envision:
- When a domain user hits any area of the website, grab the user identity
- Lookup to see if matching user(or member) exists and if not create it
- Login this user to Umbraco
- By default all new visitors, if their user identity doesnt match a current member, then create that member and log them in.
Sounds like I need to create my own controller that overrides the base controller (RenderMvcController ?) and check the user identity on each and every request? Maybe do this by overriding the Index action method? Or could I do this with a macro - or as ive seen mentioned, are macros loosing favor with the new version of Umbraco?
Also, Im not sure how to deal with members vs users? As I understand it, members are who have access to the front part of the website, whereas users are those that have access to the back office area and can create/manage content.
Are all users also members?
There will be some that I want to give access to create/manage content, so when Im auto-creating users, its actually members that I need to create, not users?
[ update ]
Actually, I think I will need to create my own membership provider if I want every request routed through the check for a valid domain user? In my research, I keep coming across this example http://thegrayzone.co.uk/blog/2012/07/combined-authentication-with-umbraco/
I have overridden the default RenderMvcController in numerous projects with success, you could of course use the built in Umbraco auth to redirect to an authentication page for users that do not have a valid Umbraco Auth token and set it only only on that page based on their windows identity.
RE: Are users also members?
No. Users & Members are entirely independent of one another; users being back office users & members being front end users. You will need to create 2 accounts.
My Understandings
I know we can add Group with some permissions and then we can create users with some permissions and finally we can add users to multiple permissions Groups. We can call these groups as roles as well. This is fairly simple.
The Real Problem
suppose we have teams and team members modules. A user "abc" is a member of multiple teams A, B, C. In team A the user's role is TeamLead. In team B his role is Assistant and in team C his role is NormalMember.
Now the problem is every one can see the list of teams. We need to display the Edit and Delete icons against each team. but only the authorise user can see the edit or delete link based on their role in the team inside a loop.
This is something linked with adding/removing roles or permissions on the fly.
Do you have any idea that how can I achieve this? how can I check permissions inside a loop with different roles in different teams.
Thanks in advance.
regards.
you can check whether the group is assigned to the user and accordingly show the buttons
Also use has_access attribute of sentry while defining route. In this case you can limiting the access of route itself if user try to access edit or delete functionality through url