I used to administer Oracle database but my knowledge of APEX is less than basic. Anyway I decided to create small apps (to make my job even easier) using this software and seems like dynamic menu is one of the last problems I cannot manage.
So would you take a minute and explain me how to create in the easiest possible way dynamic menu like below:
HOME
-- page1
-- page2
-- page3
ADMIN
-- apage4
I use three users:
ADMIN with full access to menu
USER1 who sees only Page1 in HOME
USER2 who sees whole HOME
I also created a table called T_PERM which contains info about this grants: USERNAME and ID_OF_FORM which I want to use.
I tried to understand short article from http://davidsgale.com/apex-5-0-how-to-dynamic-menus-universal-theme/
but I cant "convert it" to my scenario :(
I think what you're looking for isn't a 'dynamic' menu in the same context that the article describes. If I understand correctly you want to have one menu with only certain menu items visible to certain users.
To do this, first create authorization schemes for each level you want (so in your case it looks like you will need 3, one for admin and one for each user group).
I don't know how you have your security setup currently but the best way IMO to do this is to assign different user roles to each authorization scheme and have a user_roles table which groups a user with a role. You can do this in a simpler manner by simply assigning a username or userid to a specific authorization scheme also, depending on how complicated your app is.
Next create a navigation menu in shared components, and for each menu item assign the appropriate authorization scheme to it (don't forget to do this on page level as well).
Now when you login as each user only the menu items that they are authorized to see will be available to them.
Related
Being in a view and you know the area-name, controller-name and action-name of a destination to which you want the user to provide a link to, how can I figure out if the area/controller/action is authorized for the authenticated user.
Imaginary Use-case:
I have a table with a list of books (the result of bookscontroller.index). To the far right are some icons to edit or delete a specific book. The edit link refers to bookscontroller.edit and the delete link to bookscontroller.delete.
On the actions there are custom authorizationattributes and this works perfect. If a user want to access books/edit/1 and the user is not allowed to edit books, the user gets redirected to the logon page.
It is a bit stupid to have that edit-icon there if the user is not allowed to edit books. So at view level I would like to be able to figure out if the user is allowed to use the edit action of the bookscontroller. If he is, show the icon if not, do not show the action.
Goal: use that knowledge to create a custom tag-helper.
The go-to method is reactive, i.e. you check if a user can do action when the user tries to do. Since you do not want to go that way, here is how. (yet, this is anti-pattern)
Have the authentication token of the user send back to backend. The backend should have an API end point for each button on the page user can click. With the authentication token, the back-end resolve whether to dim or enable the buttons.
Now, what the backend does to resolve this is not very efficient. The backend needs to literally attempt certain actions and aborts the transaction. For create and retrieve, it is trivial (you can pre-resolve them) but for edit and delete, this requires a lot of resources.
The standard way of controlling such actions on UI is to use role based authorization.
For the buttons or other such UI elements, setup role tags, e.g. "admin:edit", "viewer:readonly" etc.
When you are authenticating a user, send the applicable roles from the backend server, store them in a way that is globally accessible to your UI and use them for filtering UI elements across your application.
I am currently working on a project that is designed based on SQL and VB.NET. The idea as the following: there are different permissions for users. The administraotr grants each user specific permissions. The idea is illustrated as the following:
For example, user A can get the following permissions:
He is able to add new tender, modify existing tender, add new customer.
User B has the following permissions:
He is able to view existing tenders, add new employees, ... and so on.
The idea of how to implement it in SQL and VB.NET is:
Creating a new table called Permission with the following fields:
UserID (foreign key for the user ID), for each permission there will be a single field so there will be 12 field.
Now, in VB.NET there will be 12 buttons (i.e. Add new tender, Delete tender, ....). Each button will enabled and disabled based on the value of the field (if the field = 1, the button will be enabled).
Here is an example:
In this case, for this user the buttons with the red lines will be enabled and the rest will be disabled, based on his permissions.
It is obvious that this way is SILLY and is not professional to be implemented.
I need your recommendation of how to enhance it.
Thanks
Ideally you want to use an external authorization framework e.g. Microsoft's claims-based authorization or better yet, XACML - the eXtensible Access Control Markup Language.
When you use externalized authorization, all you need to write in your code (if at all) is:
"Can I enabled button foo?". That's a question you send off to the external authorization engine. If you use an engine that "runs on XACML", then you get policy-based, attribute-based access control where you could easily define that:
users that are assigned to a customer can add tenders for that customer
Check out open source solutions or vendor solutions such as Axiomatics, the vendor I work for. Also check out available resources on XACML e.g. http://en.wikipedia.org/wiki/XACML or XACML videos on YouTube.
Here is the scenario. I have two objects Users (with username/password) and UserInfo with rest of the data related to user. The Users is an old table with thousands of records and UserInfo is fairly new. I want to get as much UserInfo as I can when the user first logs in.
I'd like to force user to a custom screen after first login and ask for the UserInfo data. Once I get the "required" data in the new screen, I dont show it till the user voluntarily wants to fill in the data under "Profile".
Since there are multiple entry points to the application, I dont want to update all the controllers to check for this.
Is there a way I can use a Spring Security filter or something which is executed on successful login? I had a look at ApplicationListener<AuthenticationSuccessEvent> but it doesnt solve the problem as if I copy paste the link in the browser, it lets me go ahead to the destination without asking for "extra information".
In a nutshell, I want a check after each login which, if fails, user is not allowed to enter the application. No matter how he tries to get in.
In your Config.groovy, configure Spring Security's defaultTargetUrl and tell it to always redirect there:
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/userInfo/edit'
In your UserInfoController's edit action, you can check that the required fields are present (userInfo.validate() perhaps?) and if they are, redirect to wherever you like, perhaps '/', otherwise render the edit info view.
You can adopt what #doelleri proposed and enhance the rule by those steps:
run a batch task to assign a temporary ROLE_DISABLED role to each user who does not provide supplemental information yet. If the user already had some roles, save them in some property.
setup your authorization rule as that users with ROLE_DISABLED role only allowed to access /userInfo/edit.
in /userInfo/edit, if the user has a ROLE_DISABLED role, render the information input view, and resume user's role after it successfully updated its information. Otherwise redirect to '/' or the path it requested.
I am trying to create a project that involves two roles say admin and student is it Ok to provide two radio button and then checking out which role a user select and then upon selection perticular page is constructed ??
Is my approach wrong ? what would you suggest??
Why ask for the user to choose a role? based on the role, load the page.
Your application must be simple to navigate through. Try to minimize the user interaction as much as possible. Wherever you can calculate the users need, do it. Here, provide a login page with a username and password entries only. You can then check whether that user exists in the database. If yes, check which role he belongs to, and redirect him to the page corresponding to his role.
Let’s say I have 2 pages in a sharepoint site. Let’s call them page A and B. We are using windows based authentication mechanism. Let’s say I have 2 already authenticated users X & Y. The page A should be visible to users who have certain attribute set to 1 in active directory. Page B should only be visible to those users that does not have this attribute set to 1. Let’s call this attribute SpecialUser. If SpecialUser is 1 for a given user, user should be able to see page A only and not be page B. If SpecialUser has any other value, user should be able to see page B only and not be page A.
In this case, user X has the attribute SpecialUser set to 1 and user Y does not. So user X should only see page A while user Y should only see page B.
There is no group in active directory that includes only users that have SpecialUser attribute value set to 1. We don’t want to create sharepoint group and add these users manually either.
Given these constraints, how can we achieve this authorization? I am thinking there may be a need for custom coding. If custom coding is required, how do I go about it. If not, what is the solution?
If your Web Application can be setup to use Claims Based Mode instead of Classic Mode, you should be able to achieve this without custom coding, since an Active Directory attribute can be used as a claim when setting permissions on the page.
Otherwise custom coding would be required. You can create a custom web part that you place on the page, which can either redirect the user or call SPUtility.HandleAccessDenied(new UnauthorizedAccessException()) for invalid users. To security trim the pages (make them invisible), you would need similar logic in any menus or web parts that display the pages.
If the Active Directory attribute is part of the SharePoint User Profile, you can use the UserProfile class. Otherwise, you can use System.DirectoryServices.AccountManagement to retrieve the value of the attribute.
I think that the easiest thing to do might be to stick with the active directory side. Sharepoint authentication can be a bit fickle. Off the top of my head I would probably suggest creating an active directory group that's meant to hold a list of these users. Rather than updating it manually you could have a service to run every so often (once a day? once an hour? depends on how long you're willing to have stale authentication) and check the user lists in active directory for this flag. The service would then update the group you're using for authentication.
There might be a way to do this more gracefully within the walls of Sharepoint development, but I've not heard of anything like it.