I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to admin and the user that added the book. I'm currently using Acegi plugin. I know there is newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is some kind similar. I have a sidebar and there is "Hello ${currentUser.username}. currentUser is a method that returns an instance of currently logged user. But the problem is that I don't have any idea where can I put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
#Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain.
def loggedInUser = authenticateService.userDomain()
if (book.createdBy.equals(loggedInUser)) {
// allow editing
}
Something like that, anyway.
Related
I cannot figure out why ASP.NET Identity does not work with my roles. I created a custom UserStore and a custom RoleStore. In my UserStore I implemented the IUserRoleStore interface, and I expected at least one of those methods to be called when ASP.NET determines if the user should be authorized to call a given endpoint, but none of the methods are getting hit.
I registered the services like this:
builder.Services.AddIdentity<User, ProReceptionRole>();
builder.Services.AddTransient<IUserStore<User>, UserStore>();
builder.Services.AddTransient<IRoleStore<ProReceptionRole>, RoleStore>();
I also tried registering the services using this variant (with and without the AddRoles part - and with different ordering of the extension methods):
builder.Services.AddIdentity<User, ProReceptionRole>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddRoles<ProReceptionRole>();
When I add the [Authorize(Roles = "MyRole")] attribute to my controller class, then I get 403 Forbidden, even for users that have the given role.
I read through the documentation but I can't spot my problem. The only part that I am unsure about is that it says If you are using Roles, update the RoleManager to use your RoleStore class. - and I am assuming that this is done when I register my RoleStore, but maybe I have to do something extra?
Any pointers are greatly appreciated.
Thanks!
Based on Django REST framework: Check user is in group , I have succesfully restricted my custom views to certain groups.
Yet, I need to restrict dj_rest_auth.views.RegisterView to a certain group.
How can I make it?
I thought of trying to set a wrapper class over RegisterView, and link my wrapper class in urls.py, but what methods should I override?
Thank you SO much!
Well, it seems dj-rest-auth is ready for this need:
#settings.py
REST_AUTH_REGISTER_PERMISSION_CLASSES = ("rest_framework.permissions.IsAuthenticated","api.permissions.HasLoginPermission")
Keep in mind there's a bug in dj-rest-auth<1.1.12 that prevents those string to work.
How do I run/call/kickoff an external program (custom code) whenever certain attributes or objects are added or modified in OpenDJ’s database?
Here is my real world need. (Feel free to change my thought direction entirely).
Whenever a new email address gets created or changed in the OpenDJ database I want to initiate some java code that does some email verification/validation (send the “click here” link with a token to prove the user owns the email they just signed up with).
I know, I could use OpenIDM/AM to accomplish this but to take this a step further I need to validate other information and other credentials (custom) which users supply that are not supported by OpenIDM/AM suites.
Initiating/calling custom code upon ADD or MODIFY of specific objects and attributes is what I want and would like to know how to accomplish this. Preferably without having to scrape logs.
Please Help.
Chad
OpenDJ has a plugin interface where you can plug Java calls on Add or Modify. A sample of this kind of plugin is the attribute uniqueness which verifies that some attributes have a unique value in the directory.
The plugin interface javadoc can be found here : http://docs.forgerock.org/en/opendj/2.6.0/javadoc/org/opends/server/api/plugin/DirectoryServerPlugin.html
I've installed Spring Security Core and Spring Security UI plugins in my project with hope to get something like this: User Management.
But on every action I get the first picture on this link (Member sign in) and I can't do anything else (Register as new user or Log in...).
I'm new in this so if anybody can explain me what to do and how to set it to work properly...
Thanks :)
That is probably because that you have wrong order in your static URL rules or all of the rules are defined for IS_AUTHENTICATED_FULLY users. Check your config.groovy and see if there exists any rules for anonymous users or IS_AUTHENTICATED_REMEMBERED . If you have rules including IS_AUTHENTICATED_FULLY then you should change them. See this blog post for details.
In LogIn method I have:
FormsAuthentication.SetAuthCookie(model.User, false);
and to get name of this user we use
User.Identity.Name
Is possible to get for example type account from databese?
I mean, during when user is Loging, type account is send (to cookie?).
And use this type in view using something like User.Identity.Name without using controller.
Is possible to do something like that?
If I'm understanding your question right, I think your best bet would be using an ASP.NET Profile Provider. With the Profile Provider, you can do something like:
HttpContext.Current.Profile.AccountType
You'll need to do a few things to make it work in MVC. See here for more info:
Implementing Profile Provider in ASP.NET MVC
Hopefully this helps, and I'm interpreting your question correctly.