rails user authentication on multi tenancy system - authentication

I'm currently creating a multi-tenancy system in Rails 5 using the gem Apartment.
I have a Tenant model which contains a Name and Tenant so I can create individual tenants (or companies).
Each tenant has a users table. When a user logs in I set a session containing the user_id. The problem is that when I switch subdomains it then picks up the user id from the second tenant and shows me logged in as them.
For example: on tenantA I'm logged in as Brad (user_id: 1 in the tenantA users table).
When I switch to tenantB I'm logged in as Dave (user_id: 1 in the tenantB users table).
Obviously this is no good, as you can access data from another tenant.
I'm just not really sure how to restrict users' access to only their tenant. I think maybe some sort of scope on the session so it only applies to the current subdomain and not all of them, but I'm not sure how to do this.
Has anyone done this before who could help me? Not sure what code to paste here, but just let me know and I will post my code.
Thanks in advance.
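The scenario in the question, as an added example that is not part of the original post and not the Apartment gem's code: a plain-Ruby model in which a Hash stands in for the Rails session and the request subdomain stands in for the current tenant. The tenant names, user ids and the helper names (`sign_in`, `current_user_scoped`, `tenant_switch_demo`) are assumptions made for the illustration. It shows the defect (a shared session cookie carrying only a bare `user_id`, resolved against whichever tenant is current) next to a session that is bound to the tenant it was issued for.

```ruby
# Added example (not from the question and not the Apartment gem's code): a
# plain-Ruby model of the reported bug and of one fix. A Hash stands in for the
# Rails `session` and the request subdomain stands in for the current tenant.
# The defect: a session cookie shared across subdomains carries a bare
# `user_id`, which is then resolved against whichever tenant is current.

# Constructed tenant data: user_id 1 is a different person in each tenant.
TENANT_USERS = {
  "tenanta" => { 1 => "Brad" },
  "tenantb" => { 1 => "Dave" },
}.freeze

# Vulnerable lookup: ignores which tenant the session was created for, so a
# user_id issued on tenantA resolves to somebody else on tenantB.
def current_user_unscoped(session, subdomain)
  uid = session[:user_id]
  uid && TENANT_USERS.fetch(subdomain, {})[uid]
end

# Hardened login: record the tenant the session belongs to next to the id.
def sign_in(session, subdomain, user_id)
  session[:user_id] = user_id
  session[:tenant] = subdomain
end

# Hardened lookup: refuse to resolve the session for any other tenant. The
# check runs on every request, so it also covers a cookie copied between hosts.
def current_user_scoped(session, subdomain)
  return nil unless session[:tenant] == subdomain
  uid = session[:user_id]
  uid && TENANT_USERS.fetch(subdomain, {})[uid]
end

# Reproduces the scenario from the question: log in on tenantA, then visit tenantB.
def tenant_switch_demo
  session = {}
  sign_in(session, "tenanta", 1)
  {
    unscoped_on_b: current_user_unscoped(session, "tenantb"), # "Dave": the bug
    scoped_on_a: current_user_scoped(session, "tenanta"),     # "Brad"
    scoped_on_b: current_user_scoped(session, "tenantb"),     # nil: must log in there
  }
end

puts tenant_switch_demo.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails app the same binding means storing the tenant name at login (Apartment exposes the current one as `Apartment::Tenant.current`) alongside `user_id`, and comparing it in the `current_user` helper on every request. It is also worth checking the cookie store configuration: `domain: :all` deliberately shares the session cookie across every subdomain, which is exactly what makes the bare `user_id` leak from one tenant to the next.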

Related

I want to say user B cannot update the mobile number in the users table (field-level access permissions)

I have RBAC, Role-Based Authorization (Casbin).
I want to say some role can update user information,
and I also have another role that can update user information but cannot update, for example, the user's mobile number.
For example, a certain role can edit users. Now, how can we say that a role can edit users, but, for example, it cannot edit the mobile field while another role can?
I don't know how to do this process; I don't know the method. If there is a way to do it, I would appreciate it.
Maybe you can suggest a way to do this,
or a reference where you have already done so.
I have this kind of question.
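One way to express the field-level restriction the question asks for, as an added example that is not from the post and is not Casbin's API: a per-role list of writable attributes checked before any update is applied. The role names (`admin`, `support`, `viewer`), the attribute names and the helper names are assumptions for the illustration. The check rejects the whole update when it touches a field outside the role's list rather than silently dropping that field, so a client cannot smuggle a change to `mobile` inside an otherwise permitted edit.

```ruby
# Added example, not from the question and not Casbin's API: a field-level
# permission layer on top of role-based access. Each role lists the user
# attributes it may write; an update is rejected outright if it touches any
# field outside that list.

FIELD_POLICY = {
  # assumed role names for illustration
  "admin"   => %w[name email mobile],
  "support" => %w[name email], # may edit users, but never the mobile number
  "viewer"  => [],
}.freeze

class FieldForbidden < StandardError; end

# Returns the fields in `attrs` that `role` is not allowed to write.
def forbidden_fields(role, attrs)
  allowed = FIELD_POLICY.fetch(role, [])
  attrs.keys.map(&:to_s) - allowed
end

# Enforce before touching the record. All-or-nothing: the caller learns that
# the request was invalid instead of seeing a partial update succeed.
def authorize_update!(role, attrs)
  bad = forbidden_fields(role, attrs)
  raise FieldForbidden, "role #{role} may not update: #{bad.join(', ')}" unless bad.empty?
  attrs
end

def apply_update(record, role, attrs)
  record.merge(authorize_update!(role, attrs))
end

# Constructed row and two updates by the restricted role: one permitted, one not.
def field_policy_demo
  user = { "name" => "Ann", "email" => "ann@example.test", "mobile" => "000" }
  ok = apply_update(user, "support", { "name" => "Anne" })
  err = begin
    apply_update(user, "support", { "name" => "Anne", "mobile" => "111" })
    nil
  rescue FieldForbidden => e
    e.message
  end
  [ok, err]
end

puts field_policy_demo.inspect if $PROGRAM_NAME == __FILE__
```

Casbin's policy object is a free-form string, so the same idea can be encoded as policy rows whose object names a field (for example `user.mobile`, an assumed naming) and an `update` action, with the enforcer called once per field present in the request; the all-or-nothing decision above then belongs in the handler that collects those per-field answers.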

Permission linking between LDAP users groups and Django permissions (custom if possible)

Hello again everyone,
I have a question: I successfully implemented django-auth-ldap, and the LDAP users can successfully request my DRF API. But now, for my project's needs, I have to define permissions depending on the group.
Indeed, I will have around 12 groups in my app. Depending on the group, I will authorize the user or not to request a given route, BUT even though I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database that they are linked to a group (see capture):
Users in database
Groups from LDAP inserted in the db thanks to the django-auth-ldap settings
User linked to the groups defined
But now I have some other problems: I do not know how to implement permissions depending on the group the user belongs to. In fact, if a user belongs to the group ServerAdministrator, I want to allow him to access every accessible route, but I don't know where to see this in the received request in my view.
As I understand it, I should implement custom permissions, written programmatically in a User object (which should inherit from Django's AbstractUser).
If so, how does it work? Should I empty my whole database and then let django-auth-ldap insert the users, and will it also create the given permissions defined inside the database?
Maybe it is not clear; do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin

web api secure individual access to data for roles

I'm unsure if this is a programming question or a database question.
I'm making a web API. I use bearer token authentication and it's working really well: I can log in, get resources and log out; I can add users, and users can add users, which I'll explain next.
I have 3 main roles: CompanyAdmin (users who created the account in the first place), CompanyUser (the users company admins make) and StandardUser (the users the company users make).
Everyone has a row in the users table for logging in. Now, when a user logs in I don't want them loading up Fiddler and seeing another user's data by manipulating the URL. I want to make sure companies can't see other companies' data, and users can't see other users' data from the same or another company.
I'm using WebAPI MVC and a SQL Azure database, and the website is hosted by my hosting provider. All accounts that can log into the site and access the API have a row in the users table, from which only a few tables hang off, mostly for claims, roles, profile, company data etc.
Any help or pointers in the right direction would be helpful, thanks.
Getting access to the data by simply passing the request payload means that there is no security in the broker between the client and the database. There are some ways to secure the access that exist and are actively used; one of them, for example, is simple basic authentication, where you set the context by passing credentials ((dis)advantages are described on the same page linked above). Or use token-based authentication (more detailed walkthrough).
So, please avoid the possibility of just passing the request straight through the Web API.
Also, you may check that old but good book on creating a multitenant solution and partitioning your database for customers/tenants on Azure. Some of the things in it are no longer available (e.g. Federations), but the examples of how to partition your SQL Database and some code samples should still work.

web2py viewing auth() items

Hi, I am working on a web2py project.
I use the auth object to create the login feature,
using the following code:
auth.settings.extra_fields['auth_user'] = [Field('address')]
So whenever a user signs up for an account, the person needs to enter an address.
What I would like to do is display the address in default/index.html when the user logs in to my application (the user can view his own address only, not the others').
Do I need to deal with db.auth_user?
I have no clue...
Can you help me?
Thank you.
If the user is logged in, the entire user record is available in auth.user (which will have a value of None if the user is not logged in). So, to display the address in a view:
{{=auth.user.address}}
You could also retrieve the user record from the database via db.auth_user(id) or db(db.auth_user.id == id).select().first(), but using auth.user is more efficient, as it is stored in the session and therefore does not require a database query.

Web Api - How to prevent users from accessing other users data

I have been doing some research about authentication and authorization on web api. I understand authentication (username/password) and ROLE based authorization, but what I'm confused about is authorization on data.
Say you have a user (user id 1) who is authenticated, an admin, and associated to company ABC. I have other users associated to ABC which user id 1 can update. Now I want to update user id 2's name, who is associated to ABC (which I should have access to). I need to pass in something to identify user 2, i.e. PUT /user/2 plus the post data. I know on the server side that user 1 is allowed to update user 2 because he is authenticated and an admin.
Now I have user 100 who is associated to company XYZ. User 100 should not be able to update user 2. This is what I'm having a hard time finding information on.
What are some approaches/blogs/anything that can give some helpful ideas on how to prevent user 100 from accessing data outside its company?
My thought is that I could pass the logged-in user's id (which I grab server side based on authentication) into the update stored procedure and do a check to make sure that user id is associated to the user being updated. To me this seems tedious and ugly, in that every stored procedure needs a user id parameter and a check to make sure they can access the data they are accessing (maybe this is correct).
I know how to authenticate and how to check role based authorization, the missing part is resource based authorization.
Thanks for the help.
Does anyone have any insight? It's hard to believe that role-based authorization is sufficient.
Use the concept of authz where a user is prevented from seeing the details of other users.
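The resource-based check that both Web API questions above are missing (the one about roles seeing each other's data and this one about user 100 updating user 2), as an added example that is not part of either post and is not ASP.NET Web API code: a plain-Ruby `PUT /user/:id` handler in which every lookup is scoped by the authenticated caller's company and the edit itself is allowed only for the caller's own row or, for a CompanyAdmin, for a row in the same company. The user ids and company names follow the questions; the role names reuse the ones the first question lists; the helper names and the constructed users table are assumptions for the illustration.

```ruby
# Added example (not from either question, not ASP.NET Web API code): the
# resource-based authorization the questions are missing, in plain Ruby. The
# caller's identity comes from the authenticated token on the server side; the
# client never supplies its own company or role, and every data access is
# filtered by the caller's company before any per-record rule is evaluated.

# Constructed users table: id, company, role, name.
USERS = [
  { id: 1,   company: "ABC", role: "CompanyAdmin", name: "Alice" },
  { id: 2,   company: "ABC", role: "StandardUser", name: "Bob" },
  { id: 100, company: "XYZ", role: "CompanyAdmin", name: "Xavier" },
].freeze

class Forbidden < StandardError; end

# Resolve the authenticated caller; an unknown id means a bad token.
def find_caller(id)
  USERS.find { |u| u[:id] == id } || raise(Forbidden, "unknown caller")
end

# Tenant-scoped fetch: the equivalent of always adding
# "AND company_id = @caller_company" to the query, so a manipulated id from
# another company simply finds nothing.
def visible_user(caller, target_id)
  USERS.find { |u| u[:id] == target_id && u[:company] == caller[:company] }
end

# Resource-based rule: edit yourself, or edit a same-company user if admin.
def can_update?(caller, target)
  return false if target.nil?
  return true if target[:id] == caller[:id]
  caller[:role] == "CompanyAdmin" && target[:company] == caller[:company]
end

# PUT /user/:id handler. Returns [status, body] like an HTTP response.
def update_user(caller_id, target_id, attrs)
  caller = find_caller(caller_id)
  target = visible_user(caller, target_id)
  # 404 rather than 403 for cross-company ids, so the API does not confirm
  # that a user with that id exists elsewhere.
  return [404, nil] if target.nil?
  return [403, nil] unless can_update?(caller, target)
  [200, target.merge(attrs)]
end

if $PROGRAM_NAME == __FILE__
  puts update_user(1, 2, { name: "Robert" }).inspect     # admin edits own company: 200
  puts update_user(100, 2, { name: "Mallory" }).inspect  # user 100 on user 2: 404
  puts update_user(2, 1, { name: "x" }).inspect          # standard user on admin: 403
end
```

Doing the company filter in the data-access layer (one scoped query helper, or a view/row-level filter in the database) rather than in each handler answers the "tedious and ugly" worry in the question: the per-resource rule stays small because it only ever sees rows that are already in the caller's tenant.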