I am doing a project in Flask. I am using sqlalchemy to work with database. I want to create the following roles and assign permissions to that roles as given below.
Roles :
Student,
Teacher,
HOD,
Admin
Peremissions :
Student can only insert into and select from table1. Should not be able to update any column of table1.
Teacher should have the permissions to insert, select, delete and update on table1.
HOD also have similar permissions as teacher.
By default when a user register, role of user will be 'Student'. Only admin should have the ability to change the role of a user.
How to impliment these role and permissions ? Or without assigning these permissions is ther e a way to handle this ? Can someone help ?
How to
This post may help.
Implementing Flask-Login with multiple User Classes
To my understanding, flask-login is actively maintained which is a good start for using any flask extension.
Based on what you're trying to solve, you could include a role property to the classes. Then on the API side of things, you could add a decorator for each route that requires different authorization levels. A decorator is kind of like a middleware that gets invoked before function at the route gets invoked.
Hope this helps!
Related
I have RBAC Role Base Authorization (Casbin)
i want to say some role can update user information,
and also i have other role that can update users information but he/ she can not update for example users mobile number
For example, a certain role can edit users. Now, how can we say that a role can edit users, but for example, it cannot edit the mobile field and another role can?
I don't know how to do this process, I don't know the method, if there is a way to do it, I would appreciate it.
Maybe you can suggest me a way to do this
or a reference you have already done so using
i have some kind of this question
I'm working on a project in Yii, and I have almost no experience with this framework and php.
I'm trying to give access to a view in Yii to different users depending on their role. In my code, in the Controller/accessRules function, I give permission to users with a specific role, that's working fine.
The thing/problem is: I also need to give that same permission to a specific users from very different roles and those roles they don't have to have permission. But those specific users they have a field activated in the 'users' table in the database (it's a boolean field, 1/0 values). If that field has a '1', those users must access to the view, if it's a '0', they don't.
I tried to check the value of the field I described before but the thing is if they don't have the role described in the accessRules, they don't have access. (or maybe the way I check this is not well done).
What I need to do to solve this? I need some tips.
Thanks!
Well, I finally found a solution. Not the one I was expecting but effective... I created a new role/profile in the database and added the role to the users I want to give access, also in the database. Then in the app I added the new role in the controller/action of the view, that's all. It's simple, I know. But I think it's not the best idea because of if the number of users starts growing and in the case every user needs a specific role...maybe it's too much work.
I have a question regarding Cumulocity. I want to create a site hierarchy in Cumulocity, we can go up to sub-tenant level only but I want to create a hierarchy up to 2 level.
Let's take an example of schools, its locations, and different branches. Here I want to attach an owner with each branch and that owner should be able to register only their own users and devices. I was trying to achieve it using groups, roles etc but was not able to do it. If anyone can suggest how to proceed for this use case.
I can see two possible options using which this can be tried:
Groups
Custom Apps (Angular apps)
But I am not sure how to proceed as there is no direct UI for the user to group assignment and REST API for this assignment is giving me errors.
You can use the inventory permissions for configuring access rights that are limited to a certain group see documentation
The managing of only your own users can be achieved by giving a user the global permission for USER_MANAGEMENT_CREATE. Make sure to revoke the ADMIN and READ role as well.
I would not recommend to solve this with apps on the UI side. That way you can of course hide information from the user but he may still be access it via API. Only with the RBAC you can really ensure on API level that the access is managed correctly.
Hello again every one,
I have a question: I successfully implemented django-auth-ldap, the LDAP users can request successfully my DRF API. But nows, for my projetc needs, I have to define permissions depending of the group.
Indeed, I will have like 12 groups in my app. Depending of the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database the are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending of the group the user belong. In fact, if a user belong to the group ServerAdministrator, I want to allow him to access to every route accessible, but I dont know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser)
If yes, How does it work? Should I empty my whole Database and then let django-auth-ldap insert users and it also will create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin
I'm working on a site, which will have several modules that either fully available to certain users, semi available to other users, and unavailable to the rest.
For example:
An 'employee' is able to respond to the customer support tickets assigned to him.
A 'Manager' is able to manage all employees and support tickets in his team, including viewing the tickets of a specific employee.
An 'Admin' is able to manage all managers, employees, and tickets in all teams, as well as some other core functionality.
In addition, on some pages there will be some additional fields shown if the current user is an admin or manager. (E.g links to delete/flag things). These won't be shown to employees.
I want to create one 'Permissions' model which will handle the logic for:
Determining if a user can access the current page or not.
Determining whether a particular part of a page should be displayed or not. (E.g special links for editing/deleting to be shown to admins and managers only).
I need some recommendations/advice for designing this class, particularly what methods it should have in order to accomplish the 2nd requirement.
The way I have approached this problem when it has come up is to give each action that can be taken or piece of information that can be shown it's own Permission. Each User then has a collection of Permissions. From this, you can add other layers of structure to help manage the huge number of permissions that will exist, such as hierarchies or categories of permissions.
Once that is in place, you can either have the various parts ask the User if they have the needed permission(s), or you can have a PermissionManager take a User and a set of Permissions and determine if the given user has the needed Permissions. Either way will work fine, but which one you choose has an impact on dependencies and the architecture of your system.
The PermissionManager approach has the advantage that your application pieces don't need to depend on a User, so you could use a different PermissionManager that always returns False if no permissions is appropriate, or True if all permissions is appropriate.
For simple situations, this approach can be overkill, and it often seems like it is at first, but I've gone the route of using basic hierarchical or coarse-grained Roles and fond that virtually every system I've worked on quickly got too complicated for most vanilla, pre-built Roles-based permission systems.
My approach to this problem from database point of view would be to have a user table which holds the list of users, a role table for the list of roles, e.g.: employee, manager, admin; and permission table which stores all of the values of every action/feature available in the system and its permission for a specific role, e.g.: say for admin, the values for actions/features like create, edit, delete, view are all true. The relationships can be seen below whereas (N) ---- (N) is a many-to-many relationship.
Users (N) ------- (N) Roles (N) -------- (N) Permission
My impression is that you would require to make use of roles e.g. employee, Manager, and Admin. So a roles table with these would do. Then for the particular actions/permisions you would have to make use of branching logic i.e. for example for the employee you will have
if User.IsInRole("employee")
// insert logic to deal with customer support tickets
else if User.IsInRole("manager")
// insert logic to deal with manager responsibilities
and finally logic to deal with admin responsibilities
So you need both the users table and the roles table to achieve this.
Hope it helps