Cuba Platform - All screens are disappeared in cuba-platform app [closed] - cuba-platform

I created a user, and after logging in as this user, all screens have disappeared. What am I doing wrong?

The only assumption I can make is that you use CUBA 7.2+ and your user has only the system-minimal role, thus they can only log in to the client without access to screens, entities, menu items, etc. I'd recommend defining a new role with the required permissions either at design time or at run time. See the Roles documentation for more details.
Also, take a look at the Security Subsystem section in the Release Notes to get familiar with changes made in CUBA 7.2.

Please set up the security properly. It means you need to create a role either in your code at design time or define a role for the new user at runtime and grant corresponding properties.
Note that permissions in CUBA follow the "allowing" principle. E.g. if you define an entity as read-only for one role and give full access in another one, then a user granted with both roles will get full access to the entity.


Where/How to store and check specific user limitations? [closed]

I have a standard User, Group, Permission schema that I use to grant/revoke CRUD permissions to my users. I have an API that serves filtered data from a model Data based on a user's query.
I want to have the ability to limit how many objects get returned when a user sends a query. My question is I'm not sure where/how to best store this information.
The basic solution I have is to add a max_rows column to my Group and reference that on every request. It's simple and easy to manage, but since users can have multiple groups I'd have to make sure that max_rows is in sync with the other groups that user belongs to.
Any thoughts to improve this?
You don't have to ensure that your max rows are in sync across the groups the user belongs to.
Think about it this way: superadmin should be able to acquire as many rows as he/she asks for, that's infinity. A trusted user may have some proper limit, like 10 000 rows maximum, for example. Now, if somebody has both roles, it is evident that the person should be able to load as many records as he/she wants, because he/she is a superadmin and the fact that the person is also trusted should not diminish his/her superadmin rights, therefore a logical approach would be:
select max(max_rows)
from yourgrouptable
join yourgroupmappingtable
on yourgrouptable.id = yourgroupmappingtable.group_id
where yourgroupmappingtable.user_id = 5;
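The most-permissive-wins lookup from the answer above, as an added example that is not part of the original answer. It also covers a case the query leaves open: if "unlimited" is stored as NULL, `max()` skips it, so the NULL has to be checked explicitly. Table and column names follow the answer; the NULL convention, the zero-row default for users without groups, the helper names and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample data. NULL max_rows means "unlimited" (an assumption).
SCHEMA = """
CREATE TABLE yourgrouptable (id INTEGER PRIMARY KEY, name TEXT, max_rows INTEGER);
CREATE TABLE yourgroupmappingtable (user_id INTEGER, group_id INTEGER);
INSERT INTO yourgrouptable VALUES
    (1, 'superadmin', NULL), (2, 'trusted', 10000), (3, 'basic', 100);
INSERT INTO yourgroupmappingtable VALUES (5, 1), (5, 2), (6, 2), (6, 3), (7, 3);
"""

# One aggregate row per user: how many groups, how many of them are
# unlimited, and the highest finite cap among the rest.
LIMIT_QUERY = """
SELECT count(*),
       coalesce(sum(g.max_rows IS NULL), 0),
       max(g.max_rows)
FROM yourgrouptable g
JOIN yourgroupmappingtable m ON g.id = m.group_id
WHERE m.user_id = ?
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_max_rows(conn, user_id):
    """Return None for unlimited, otherwise the largest cap among the user's groups."""
    memberships, unlimited_groups, highest_cap = conn.execute(
        LIMIT_QUERY, (user_id,)).fetchone()
    if memberships == 0:
        return 0          # no group membership: nothing is returned
    if unlimited_groups:
        return None       # any unlimited group wins over every finite cap
    return highest_cap

def clamp_limit(requested, cap):
    """Apply the cap server-side to the row count the client asked for."""
    requested = max(0, int(requested))
    return requested if cap is None else min(requested, cap)

if __name__ == "__main__":
    db = make_db()
    for uid in (5, 6, 7, 99):
        print(uid, effective_max_rows(db, uid))
```
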

Yii 2 Advanced template default backend admin login details [closed]

I followed this tutorial https://yii2-framework.readthedocs.io/en/stable/guide/tutorial-advanced-app/ but it doesn't say anything about backend admin login details.
How do I set up backend admin login details?
You have to install and MIGRATE the RBAC extension, after that register a user with the username admin. Take his id from the DB and follow this tutorial:
https://habr.com/ru/post/235485/
on how to set up role-based access. I guess that's what you are trying to implement.
Yii2 templates are basically a starting point to develop an app, not a pre-made CMS that has default logins.
In this case, if you have executed migrations as outlined in the tutorial
Apply migrations with console command yii migrate.
Then you would have a user table in your database. You could create a new user there with a bcrypted password, and then use that to log in to the application.

linkedin "this application is not allowed to create application tokens" [closed]

My main problem is getting the token. I can’t go further than this step.
In the Linkedin API's docs there are two ways described to obtain the token.
Which is the correct one?
1) https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
2) https://developer.linkedin.com/docs/oauth2#configure
I understand that in order to use the new Linkedin API (the partners one) I should use the first one (https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow)
Here is my petition:
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id={MYCLIENTID}&client_secret={MYCLIENTSECRET}
The response:
Error "access_denied"
error_description "This application is not allowed to create application tokens"
And I get stuck here.
With the second one (https://developer.linkedin.com/docs/oauth2#configure) I actually get a token:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={MYCLIENTID}&redirect_uri={MYURIREDIRECT}&state={STATERETURNED}
This returns the code (and the State) which I use to make the token request:
https://www.linkedin.com/oauth/v2/accessToken?grant_type=authorization_code&client_id={MYCLIENTID}&client_secret={MYCLIENTSECRET}&redirect_uri={MYURIREDIRECT}&code={CODERETURNED}
And I get the token. But this isn’t the correct way to do it, is it?
By default you will need to use the authorization_code flow to obtain an access token. Per the documentation the client_credentials flow is not enabled by default and needs to be specially enabled by LinkedIn.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow

Setting permissions to roles in SharePoint 2010 with FBA [closed]

I have SharePoint 2010, on which each WebApplication has two zones - one with Windows authentication and another with FBA via LDAP. The zone with FBA is allowed for anonymous access. Users are able to log in with no problem in both zones.
Now, let's say I want to take down anonymous access on some web and give access only to specific FBA users/roles, by adding those FBA users/roles to SharePoint's group "Site Visitors". If I add a user, then there is no problem - only this user is able to browse the web. However, if I add a role, none of the users from this role are able to access the web. They all get "Access Denied".
It seems like SharePoint fails to get roles for the FBA user and check whether this role has permissions to the web.

ASP - Biometric Authentication [closed]

Cheers,
We started implementing biometrics authentication in our web system and came to a doubt. We're going to use a third-party solution for performing it which is going to be called via a web service.
There are going to be four kinds of authentication:
1. Regular one: username/password
2. Challenge
3. Fingerprint
4. Cellphone
All users will be authenticated using 1. Optionally, some of them may also require 2, 3 or 4. What would be a good way of verifying which authentication type is required for a specific user?
This is something new for me. Initially, I thought about passing the username from the login page to a web service, which would query the database to check which authentication type is required for this user. Then, depending on the result, the second authentication form would be shown on the screen. Obviously, some extra check would be performed after the user hit the Submit button.
Am I on the right path, or are there better solutions for this?
Thanks,
I guess that would work. Maybe it is an option to do some sort of query in the background (AJAX?) when the username is filled in, so you can dynamically add extra inputs to your login form.
However, this has one potential issue: everybody that knows someone's username can find out what authentication is required. If that is not what you want, maybe just ask for a username + password to log in to a reduced privilege mode. Then, as you suggested in your question, this reduced privilege mode may require extra credentials to continue to the more secure environment.
You could even make it so the reduced privilege mode will grant access to some of the features, while others require extra authentication (for example: posting a message would require basic auth, changing passwords might require all four).
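A sketch of the reduced-privilege approach from the answer above, as an added example that is not part of the original thread: the extra factors a user needs are disclosed only after the password check succeeds, and a failed login looks the same whether the username exists or not. The account data, function names and the `verified_by_provider` flag standing in for the third-party web service result are all assumptions.

```python
import hashlib, hmac, os, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password, extra_factors):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), "extra": frozenset(extra_factors)}

# Constructed sample accounts (hypothetical names and factor assignments).
USERS = {
    "alice": _make_user("correct horse", {"fingerprint"}),
    "bob": _make_user("battery staple", set()),
}
# Unknown usernames are checked against a dummy record so the work done is the same.
_DUMMY = _make_user(secrets.token_hex(16), set())
SESSIONS = {}

def login(username, password):
    """Step 1: username and password only. Every failure returns the same response."""
    user = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, user["salt"]), user["pw"])
    if not (matches and username in USERS):
        return {"ok": False}
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": username, "pending": set(user["extra"])}
    # The required factors are revealed here, to someone who already knows the password.
    return {"ok": True, "token": token, "pending": sorted(user["extra"])}

def complete_factor(token, factor, verified_by_provider):
    """Step 2: record a factor the external service reported as verified."""
    session = SESSIONS.get(token)
    if session is not None and verified_by_provider:
        session["pending"].discard(factor)

def authorize(token, sensitive):
    """Basic actions need the password only; sensitive ones need every pending factor."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    return not sensitive or not session["pending"]
```
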