I have an application hosted with AWS CloudFront, which uses Lambda and Cognito for authentication. We have a concept called "user group", in which there are two types of users: type A which has full access to the application, and type B which has restricted access. Our application has an index.html file, which imports an index.js file, which loads a catalog of items that should be visible to group A, while hidden to group B. My task therefore boils down to differentiating user group A from user group B in the JS file.
A seemingly straightforward solution is to store the group that the viewer user belongs to in the cookie. However, this seems problematic since users can simply modify the cookies and get access to resources that they should not have access to. I wonder what the best way of handling this is? Thanks in advance!
Related
Hello again every one,
I have a question: I successfully implemented django-auth-ldap, the LDAP users can request successfully my DRF API. But nows, for my projetc needs, I have to define permissions depending of the group.
Indeed, I will have like 12 groups in my app. Depending of the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database the are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending of the group the user belong. In fact, if a user belong to the group ServerAdministrator, I want to allow him to access to every route accessible, but I dont know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser)
If yes, How does it work? Should I empty my whole Database and then let django-auth-ldap insert users and it also will create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin
I am using Piranha CMS , and i want to create multiple users in different group, i tried to do so but its not allowing me to login those users,even i have to implement that logged in user should only edit few pages which is permitted to that user. How can i restrict user to do so
The group permission system in Piranha CMS is hierarchical, this means that all users that should be able to log in to the manager should derive from the group admin.
When you have that set up you can take a look at the different permissions in the manager interface and assign these to different groups.
There are however no support to allow users to only edit certain pages, if you want that kind of behavior you'll have to implement it yourself in the available manager hooks.
Regards
I'm new to Piranha CMS and just trying to get my head around it. I'm using the MVC implementation and I need to do the following:
I need to extend the User with a property that stores an account number.
I need a page that is only accessible once the user logs in
On this page, I need to call a REST API on another server, using the account number a parameter, to retrieve a list of documents that the user has stored on this server.
When the user clicks the document, it will be downloaded as a PDF using the REST API once again
I just need general guidance on how to do this. How do I store the account number against the user (and manage this) and do I need to create a new Region that will show the list of documents from the remote server. Is there an example of creating a new Region anywhere and maybe returning a list from SQL that I can adapt?
Any help gratefully received.
Thanks in advance
Mike
The easiest way is to implement an extension with your custom fields that you attach to the user where you store this information.
When editing a page, go in under "settings" and select which groups should have access to your page. For this purpose I suggest creating a new group for site users that are not admins.
This should be easily implemented in either the controller or model for your page. When the user is logged in "User.Identity.Name" is the user id. Get the user, load the extensions & use the account number.
See number three.
Regards
I'm somewhat new to CouchDB and I'm wondering how to make private docs, that is I want to have a database where all docs are public (rw, or r using a validate_doc_update) except for few/some selected docs, how would I do something like that?
And to complicate things a bit more I want them to be private to / accessible by the admin but also varying number of selected users (but no others).
I'm thinking that perhaps I could have two keys in these docs called "private" and "private_users", set them to true and [user1, user2, user3], and somehow use that info to make the docs private / only accessible by them.
So essentially it's about users being able to create docs and have them visible to everybody or just themselves and other selected users.
One way to do this would be to make the database private by setting the Security admin and members lists to the owner (making the database completely private), and then route all calls to reading documents through a backend script which checks these properties of the document through an admin account and fetches and returns the content if conditions are met, but the thing is I'd like to do this through configuring CouchDB and do CORS HTTPS calls from the clients browser directly to CouchDB, with no script in the middle.
Is this possible?
There are several potential solutions to this problem:
The problem: For a given user, allow only specific access to a given document in the database.
Database per user:
Create one database for each user and use authentication on the database for that given user. Because views do not work across databases, you will have to replicate all needed data between the different user databases to allow for a view to contain both private and public/other users' data. Because normal users can not create/delete databases, you will need to have a separate process running which watches your database for changes and creates a new user database when a new user registers.
Smart Proxy:
Create a smart proxy that wraps all documents with the user credentials and filters all results.
Document Encryption on a per User Basis:
This solution is described in a google document which was mentioned on the development mailinglist. The goal of this solution is to create a P2P like system, where you can replicate data to nodes which you don't trust.
validate_read_doc:
Have a javascript function be called on every read, in the same manner as the validate_doc_update system is applied.
For more information:
http://wiki.apache.org/couchdb/PerDocumentAuthorization
So essentially it's about users being able to create docs and have them visible to everybody or just themselves and other selected users ...... Is this possible?
Not with just couchdb...
The permissions that you set with _security in a database only apply write level security on it.
Other wise most of the documents (except the design documents) are available for every one to read. With validate functions
you can impose further restrictions on who writes the documents but again there is no way to check who is reading your documents.
rcouch has a validation on read which can help you what you want to do. Other wise if you want to go with couchdb you could use a proxy for communicating with it.
Let’s say I have 2 pages in a sharepoint site. Let’s call them page A and B. We are using windows based authentication mechanism. Let’s say I have 2 already authenticated users X & Y. The page A should be visible to users who have certain attribute set to 1 in active directory. Page B should only be visible to those users that does not have this attribute set to 1. Let’s call this attribute SpecialUser. If SpecialUser is 1 for a given user, user should be able to see page A only and not be page B. If SpecialUser has any other value, user should be able to see page B only and not be page A.
In this case, user X has the attribute SpecialUser set to 1 and user Y does not. So user X should only see page A while user Y should only see page B.
There is no group in active directory that includes only users that have SpecialUser attribute value set to 1. We don’t want to create sharepoint group and add these users manually either.
Given these constraints, how can we achieve this authorization? I am thinking there may be a need for custom coding. If custom coding is required, how do I go about it. If not, what is the solution?
If your Web Application can be setup to use Claims Based Mode instead of Classic Mode, you should be able to achieve this without custom coding, since an Active Directory attribute can be used as a claim when setting permissions on the page.
Otherwise custom coding would be required. You can create a custom web part that you place on the page, which can either redirect the user or call SPUtility.HandleAccessDenied(new UnauthorizedAccessException()) for invalid users. To security trim the pages (make them invisible), you would need similar logic in any menus or web parts that display the pages.
If the Active Directory attribute is part of the SharePoint User Profile, you can use the UserProfile class. Otherwise, you can use System.DirectoryServices.AccountManagement to retrieve the value of the attribute.
I think that the easiest thing to do might be to stick with the active directory side. Sharepoint authentication can be a bit fickle. Off the top of my head I would probably suggest creating an active directory group that's meant to hold a list of these users. Rather than updating it manually you could have a service to run every so often (once a day? once an hour? depends on how long you're willing to have stale authentication) and check the user lists in active directory for this flag. The service would then update the group you're using for authentication.
There might be a way to do this more gracefully within the walls of Sharepoint development, but I've not heard of anything like it.