I have RBAC Role Base Authorization (Casbin)
i want to say some role can update user information,
and also i have other role that can update users information but he/ she can not update for example users mobile number
For example, a certain role can edit users. Now, how can we say that a role can edit users, but for example, it cannot edit the mobile field and another role can?
I don't know how to do this process, I don't know the method, if there is a way to do it, I would appreciate it.
Maybe you can suggest me a way to do this
or a reference you have already done so using
i have some kind of this question
Related
I am doing a project in Flask. I am using sqlalchemy to work with database. I want to create the following roles and assign permissions to that roles as given below.
Roles :
Student,
Teacher,
HOD,
Admin
Peremissions :
Student can only insert into and select from table1. Should not be able to update any column of table1.
Teacher should have the permissions to insert, select, delete and update on table1.
HOD also have similar permissions as teacher.
By default when a user register, role of user will be 'Student'. Only admin should have the ability to change the role of a user.
How to impliment these role and permissions ? Or without assigning these permissions is ther e a way to handle this ? Can someone help ?
How to
This post may help.
Implementing Flask-Login with multiple User Classes
To my understanding, flask-login is actively maintained which is a good start for using any flask extension.
Based on what you're trying to solve, you could include a role property to the classes. Then on the API side of things, you could add a decorator for each route that requires different authorization levels. A decorator is kind of like a middleware that gets invoked before function at the route gets invoked.
Hope this helps!
Hello again every one,
I have a question: I successfully implemented django-auth-ldap, the LDAP users can request successfully my DRF API. But nows, for my projetc needs, I have to define permissions depending of the group.
Indeed, I will have like 12 groups in my app. Depending of the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database the are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending of the group the user belong. In fact, if a user belong to the group ServerAdministrator, I want to allow him to access to every route accessible, but I dont know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser)
If yes, How does it work? Should I empty my whole Database and then let django-auth-ldap insert users and it also will create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin
Im currently creating a multi tenancy system in rails 5 using the gem Apartment
I have a Tenant model which contains a Name and Tenant so I can create individual tenants (or companies).
Each tenant has a users table. When a user logs in I set a session containing the user_id. The problem is when I switch subdomains it then picks up the user id from the second tenant and shows me logged in as them.
for example: on tenantA im logged in a Brad (user_id:1 on tenantA user table)
when I switch to tenantB im logged in as Dave (user_id:1 on tenantB user table)
Obviously this is no good as you can access data from another tenant.
Im just not really sure how to restrict users access to only their tenant. I think maybe some sort of scope on the session so it only applies the session to the current subdomain and not all of them, but not sure how to do this.
Has anyone done this before that could help me? Not sure what code to paste here but just let me know and I will post my code.
Thanks in advance
I have been doing some research about authentication and authorization on web api. I understand authentication (username/password) and ROLE based authorization, but what I'm confused about is authorization on data.
Say you have a user (user id 1) who is authenticated, an admin, and is associated to company ABC. I have other users associated to ABC which user id 1 can update. Now I want to update user id 2's name who is associated to ABC (which I should have access too). I need to pass in something to identify user 2, ie put /user/2 plus post data. I know on the server side that user 1 is allowed to update user 2 because he is authenticated and an admin.
Now I have user 100 who is associated to company XYZ. User 100 should not be able to update user 2. This is what I'm having a hard time finding information on.
What are some approaches/blogs/anything that can give some helpful ideas on how to prevent user 100 from accessing data outside it's company.
My thoughts are I could pass in the logged in users id (which I grab server side based on authentication) into the update stored procedure and do a check to make sure that user id is associated to the user being updated. To me this seems tedious and ugly in that every stored procedure needs a user id parameter and a check to make sure they can access the data they are accessing (maybe this is correct).
I know how to authenticate and how to check role based authorization, the missing part is resource based authorization.
Thanks for the help.
Does anyone have any insight. Its hard to believe that Role based Authorization is sufficient.
use the concept of authz where a user is prevented to see the details of other users
The application is written in Ruby on Rails but the problem I am facing is more a design matter than language related.
the system provides service to a number of users to maintain a registry. So it relates persons to things. As such it has a model called Person representing owners and it has a model called User representing those who manage the registry.
Now a new requirement has arisen to allow People to log in and be able to change personal details which it was not required for the original design.
The question is how to refactor the application to allow this new requirement in?
One easy solution is to create Users for each person who request login credentials and link user to person entity but that is not very DRY as some fields such as firstname, surname etc. are in both classes and in particular, that is precisely the data people will be able to change. Besides User and Person are stored in separate tables.
The other possibility I was considering is to make one to extend the other but having data in separated tables it makes it a bit messy. Additionally the logical extension would be User <- Person as an user is (generally) a person but thinking on the implementation Person <- User is quite a lot easier.
One last option could be to scrap User and move login credentials into Person leaving logon fields empty for those who won't log in and half of the fields empty for those just login in.
Can you think of a better solution?
You could think about how this should ideally work if you were to write the application bottom-up, and then figure out how to make a reasonable compromise between that and your current setup. Here are some generic inputs.
As authentication is involved, you need an "Identity" that can be authenticated. This can be e.g. an email address and an associated password, with email verification.
An Identity can potentially be associated to multiple "Roles" and someone authenticated with the identity can choose which role to perform, e.g. "I am now an administrator" vs. "I am now a regular site user", and the role defines the user's current rights for the logged in identity. Or if you don't need that level of complexity, you can say that an Identity is a (single) Role.
You need some tracking between possible "Rights" and the Role the user is performing. E.g. the simplest setup could be the Identity or Role has some boolean can_edit_profile or can_modify_registry properties.
Whenever a user attempts to perform an action which requires certain Rights, it is simply a matter of looking up the corresponding rights set for the Role being performed by the user, to check whether the user is allowed to proceed.
For your application this may just involve adding a 'can_change_registry' property for your user objects, and check whether that property is True for any code accessing that part of the site.