I have Strapi V4 and 2 custom user roles - seller and buyer.
On the front-end, I have 2 routes that define which role will be assigned to new users /account-buyer/signin and /account-seller/signin.
I tried to make a copy from node_modules\#strapi\plugin-users-permissions\server\controllers\auth.js to src\extensions\users-permissions\controllers\auth.js. but nothing seems to happen.
Also, I’m not sure how to throw the user type (buyer/seller) through all of these back-and-forth redirects of Google (for example).
How could I solve it?
Or let’s say:
save the needed role in localstorage at the moment the provider button is clicked
register the user with the default Authenticated role
on the frontend's /redirect page read the value that has to be set.
Send the value from localstorage and reassign user's role
How can I update the user’s role in this case?
Thank you.
I would start with setting up the Google auth flow with your frontend and Strapi first. On sign in for a non-existing user this will register a user with the default role. Depending on your frontend authentication framework you can pass arguments to the redirect url, e.g. /api/user-registered?role=<some-role>&redirect=<original-redirect-url> (this route can also exist within Strapi instead of your frontend). On this page I would call the Strapi API (or e.g. query engine API inside Strapi itself) and update the role of the current user (you know who this is because they just signed in).
Related
My express.js backend has an endpoint which returns a list of what data the user is authorized to view. There are Auth0 roles corresponding to which segments of this data any given user is allowed to read. A user may have any number of these roles. However, when I tried to add role-based permissions to this endpoint, I realized that the Auth0 recommended middleware express-jwt-authz perhaps doesn't do what I intend: it simply authorizes/rejects based on the roles in the JWT. This endpoint only requires a user's session authorization, not the user's roles.
I want the endpoint to change its responses based on which Auth0 roles are associated with a user. The only solution I can think of is adding a row to my own database (which is not connected with Auth0) where I keep track of each user by the JWT sub property, and manage their roles/permissions from my backend. However, this seems like it would split roles between Auth0 and my application's database, and furthermore feels one step closer to rolling my own authentication system, which I do not want right now. Is there a way I can do this with Auth0 and express.js?
I was able to work around this by selecting "Add Permissions in the Access Token" in Auth0 in Applications > APIs > [my API] > Settings. Then I could view the permissions passed into req.user.permissions on my backend, and process them how I wanted there.
im new in vuejs and i build small control panel and i have roles and permissions.
when user login i store data in local storage with user data and he roles and permissions
but when the admin attach or change role or permission for any user
not update in that user if he login even he logout and login again
my solution is get current user every time from api when route change!
i put my call function in app.js
store.dispatch('users/getUser');
is that good solution ?
I would not store profile and permissions in localStorage as user could inspect it and modify it.
I think you should store user id encrypted and in each route change validate if he as permission for the desired page or action.
So essentially yes but don’t forget about security.
I am building a single page app with vue js/vuex and Laravel backend, I need the users have different roles. I am authenticating on the backend, and using a jwt token for API calls, I am not concerned that we will allow CRUD operations to be performed by a user without the appropriate permissions. What I need to have is the ability for vue to know the role of the user and maintain statelessness without tampering.
I am using vuex-persistedstate with js-cookie and it works but the cookie is clear text and if I change the "role" in the cookie then refresh the page vuex uses the new value. Obviously the data will come from the API and therefore when the token sent is for a user with role = user for data restricted to role = admin it will return 401. Am I overthinking this? If they really wont get, nor be able to change any data they aren't allowed to, just let the "hackerish" users do what they will?
I have created 3 api, one with
owner=apicreator
visibility=public
and the others two with
owner=admin
visibility="restricted by role".
Once I opened the store home page the only api visible is the one created with apicreator, then when I logged in as admin I can see the other two apis (final count of 3).
Is it possible to show all the api (doesn't matter by the owner or creator) in the store home page, without login?
Is there any configuration change to apply or any change in the jaggery code(I don't want to change the visibility)?
Thank you in advance
Claudio
Is it possible to show all the api (doesn't matter by the owner or
creator) in the store home page, without login?
If an API's visibility is based on roles, how do you expect API Store to show it to public?
Once a user logged in to the API Store only, we can identify their roles and based on that, API will be visible to him
I am currently developing an app using the Google places API..
https://developers.google.com/places/documentation/
I want to use the Events methods, so that a Place/Business owner can add events..
https://developers.google.com/places/documentation/actions#event_intro
However I obviously need to restrict it, so that only the Business owner can create events for their Business. Is there anyway of authenticating a user via a Google api, to confirm that they are the Place owner? I looked at Google+ however there is no reference to any 'Places' setup by that user in the people request.
Looks like this is possible now. The workflow would be the following:
Your user triggers a places search and selects a specific place in the result
Your user selects an option in your app to claim they are the owner of your place
Your user is redirected into an OAuth flow to Google Places where they login with their Google credentials
Once authenticated, your app is provided with an OAuth token for the user
Your app submits that token along with a Place reference to a Places API owner verification service
The Places API returns a yes/no as to whether the user concerned is the verified owner of the Place
Source - https://code.google.com/p/gmaps-api-issues/issues/detail?id=3894 - comment #3
Enjoy!