Let's say we have multiple users and documents.
Users can have access to documents using permissions, such as: document:id:action (e.g. document:1:edit, document:2:read).
Now I also like to have the option to grant access to multiple users from my document-side, e.g. (user:*:read) -> all users should have read-access.
Am I missing something obvious in Apache Shiro or is this not possible?
SecurityUtils.getSubject().isPermitted(document:8:read) will only cover the direction user -> document.
How do I implement something like
SecurityUtils.getTarget().allows(user:7:write) ?
I can get all document-permissions as a List. How would I check against this list for a certain permission?
Essentially I'm looking for a helper-function on Shiro's side such that I can do:
allPermissions = ['user:6:write', 'user:*:read']
permissionToCheck = 'user:95:read'
isPermitted(allPermissions, permissionToCheck)
I propose an answer myself:
List<String> notebookPermissions = ...;
String permissionToCheck = "user:read:" + getUser().getId();
Permission resolvedPermissionToCheck = resolver.resolvePermission("user:read:" + getUser().getId())
List<Permission> permissions = notebookPermissions.stream().map(p ->
resolver.resolvePermission(p)).collect(Collectors.toList());
for (Permission perm : permissions) {
if (perm.implies(resolvedPermissionToCheck)) {
return true;
}
}
return false;
What do you think about this approach?
Related
I'm facing with a really strange issue. I interfaced a SAML authentication with OTRS which is an ITSM written in Perl and the Identity Provider sends the attributes as follow :
LoginName : dev-znuny02
mail : test2#company.dev
Profile : company.autre.idp.v2()
Profile : company.autre.mcf.sp(dev)
givenName : MyName
sn : Test2
I handle these with a module called Mod_Auth_Mellon and as you can see the attribute Profile is multivaluated. In short I retrieve all of these values with the following snippet :
sub new {
my ( $Type, %Param ) = #_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
$Self->{ConfigObject} = $Kernel::OM->Get('Kernel::Config');
$Self->{UserObject} = Kernel::System::User->new( %{$Self} );
# Handle header's attributes
$Self->{loginName} = 'MELLON_LoginName';
$Self->{eMail} = 'MELLON_mail';
$Self->{Profile_0} = 'MELLON_Profile_0';
$Self->{Profile_1} = 'MELLON_Profile_1';
$Self->{gName} = 'MELLON_givenName';
$Self->{sName} = 'MELLON_sn';
return $Self;
}
sub Auth {
my ( $Self, %Param ) = #_;
# get params
my $lname = $ENV{$Self->{loginName}};
my $email = $ENV{$Self->{eMail}};
my $profile0 = $ENV{$Self->{Profile_0}};
my $profile1 = $ENV{$Self->{Profile_1}};
my $gname = $ENV{$Self->{gName}};
my $sname = $ENV{$Self->{sName}};
...
}
I can handle all the values of the attributes except the attribute Profile. When I take a look to the documentation, they said :
If an attribute has multiple values, then they will be stored as MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2
To be sure, I activated the diagnostics of the Mellon module and indeed I receive the information correctly :
...
MELLON_LoginName : dev_znuny02
MELLON_LoginName_0 : dev_znuny02
MELLON_mail : test2#company.dev
MELLON_mail_0 : test2#company.dev
MELLON_Profile : company.autre.idp.v2()
MELLON_Profile_0 : company.autre.idp.v2()
MELLON_Profile_1 : company.autre.mcf.sp(dev)
...
When I try to manipulate the MELLON_Profile_0 or MELLON_Profile_1 attributes in the Perl script, the variable assigned to it seems empty. Do you have any idea on what can be the issue here ?
Any help is welcome ! Thanks a lot guys
PS : I have no control on the Identity Provider so I can't edit the attributes sent
I didn't managed to make it work but I found a workaround to prevent users who don't have the Profile attribute value from logging into the application:
MellonCond Profile company.autre.mcf.sp(dev)
according the documentation :
You can also utilize SAML attributes to control whether Mellon authentication succeeds (a form of authorization). So even though the IdP may have successfully authenticated the user you can apply additional constraints via the MellonCond directive. The basic idea is that each MellonCond directive specifies one condition that either evaluates to True or False.
I am new to Sitefinity. But I followed steps from tutorial and created the one project named as "SFcmsDemo" and when I run this project and Sitefinity dashboard appears on localhost it is showing name as "Default" instead of "SFcmsDemo", The tutorial I read is showing the correct name in that but when I tried it is showing as "Default". Can anyone please help me find out the root cause and solution for this. I am attaching some screenshot which will help to understand more. Thanks.
Default can be easily changed if you click on it and then Manage Site.
UPDATE
From the decompiled Telerik.Sitefinity.dll (v.12.2):
internal static Site GetOrCreateDefaultSite()
{
Site site;
string str = "CreateDefaultSite";
MultisiteManager manager = MultisiteManager.GetManager(null, str);
using (ElevatedModeRegion elevatedModeRegion = new ElevatedModeRegion(manager))
{
ProjectConfig projectConfig = Config.Get<ProjectConfig>();
Guid siteMapRootNodeId = projectConfig.DefaultSite.SiteMapRootNodeId;
Site site = (
from s in manager.GetSites()
where s.SiteMapRootNodeId == siteMapRootNodeId
select s).FirstOrDefault<Site>();
if (site == null)
{
site = (projectConfig.DefaultSite.Id == Guid.Empty ? manager.CreateSite() : manager.CreateSite(projectConfig.DefaultSite.Id));
site.IsDefault = true;
site.IsOffline = false;
site.site = projectConfig.DefaultSite.site;
site.SiteMapRootNodeId = siteMapRootNodeId;
site.Name = (projectConfig.ProjectName != "/" ? projectConfig.ProjectName : "Default");
....
Note in the last line how it looks in the projectConfig.ProjectName value and if it is equal to "/" then it sets it to "Default"
Now, if we look at the ProjectConfig there is this:
[Browsable(false)]
[ConfigurationProperty("projectName", DefaultValue="/")]
[ObjectInfo(typeof(ConfigDescriptions), Title="ProjectNameTitle", Description="ProjectNameDescription")]
public string ProjectName
{
get
{
return (string)this["projectName"];
}
internal set
{
this["projectName"] = value;
}
}
So, default value is indeed "/", so that's why when the site is created it has a name of Default.
Implementing a SAAS (multi-tenant) app, I have a situation where an app would need to connect to different databases based on the user who wants to login. The databases are for separate institutions. Let's say MANAGER-A for institution-A, MANAGER-B for institution-B, want to login into their various institutions.
The process I'm implementing is this: There are 3 databases involved: DEFAULT-DB, INSTITUTION-A-DB, INSTITUTION-B-DB. The DEFAULT-DB contains all the login and database credentials of each user. This means that before MANAGER-A can login to his app, what happens is that, first, he will be logged in into the DEFAULT-DB, if successful, his details would be fetched and logged and set as the parameter of the config.php file. This means that connection will be dynamic based on the params fetched and passed by the DEFAULT-DB. My questions are these:
How do I write these params dynamically to the config.php file?
Secondly, I'm open to experts advise if my implementation is not the best.
Config.php file
<?php
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'mydb';
$CFG->dbuser = 'root';
$CFG->dbpass = '';
$CFG->prefix = 'my_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => '',
'dbsocket' => '1',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://localhost:8888/myapp';
$CFG->dataroot = '/Applications/MAMP/data/myapp_data';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(dirname(__FILE__) . '/lib/setup.php');
This is Moodle. I have tried IOMAD, it is a great app but does not address my need.
That is a bad solution, IMHO. When you rewrite the configuration file, what happens when the next request comes in that loads that file? They will load the wrong configuration.
I would create two additional configuration files: config_inst_a.php and config_inst_b.php. Then set a session variable when the user logs in that contains the settings file name to load. You can then redefine the database information variables in the additional settings files. If the session variable has a filename in it, load that file AFTER the default config and the database connection values will be replaced.
Added sample code:
Really, really brief:
// Log in user here, and get info about what user company..
$session_start();
$_SESSION['User_ConfigFile'] = 'settings'.$userCompany.'.php';
// More code, or page redirect, or whatever, but the below goes on every page AFTER the default DB is included:
$session_start();
require_once($_SESSION['User_ConfigFile']);
If it helps somebody, my solution, not in production yet, but for now it works like a charm.
if ($_SERVER['SERVER_NAME'] == 'institutionA.mydomain.com') {
$CFG->dbname = 'institutionA'; // database name, eg moodle
$CFG->dbuser = 'user_institutionA'; // your database username
$CFG->wwwroot = 'https://institutionA.mydomain.com';
$CFG->dataroot = 'dataroot_institutionA';
//
$CFG->some_custom_data = 'my_institutiona_data';
} else
if ($_SERVER['SERVER_NAME'] == 'institutionB.mydomain.com') {
$CFG->dbname = 'institutionB'; // database name, eg moodle
$CFG->dbuser = 'user_institutionB'; // your database username
$CFG->wwwroot = 'https://institutionB.mydomain.com';
$CFG->dataroot = 'dataroot_institutionB';
//
$CFG->some_custom_data = 'my_institutionB_data';
} else {
...... anything you need in this case
}
I have to modify the password of an account on a vtiger crm. The problem is that I don't know the location of the database.
Anyone know the path of the database containing the credential of the users?
If your username starts with 'ad' like 'admin'. use the following mysql query
UPDATE vtiger_users SET user_password = '$1$ad000000$mnnPAFfqzJOuoYY7aB.mR0' WHERE user_name='admin';
This query will reset the password for user with admin username. The password will be set to password.
Vtiger use encrypt_password function in Users.php on line 264 to encrypt user password.
modules/Users/Users.php
It use crypt_type and username for encrypt new passwords. so Mysql query only work if your username starts with ad for example 'admin' , 'adam' and etc.
function encrypt_password($user_password, $crypt_type='') {
// encrypt the password.
$salt = substr($this->column_fields["user_name"], 0, 2);
// Fix for: http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4923
if($crypt_type == '') {
// Try to get the crypt_type which is in database for the user
$crypt_type = $this->get_user_crypt_type();
}
// For more details on salt format look at: http://in.php.net/crypt
if($crypt_type == 'MD5') {
$salt = '$1$' . $salt . '$';
} elseif($crypt_type == 'BLOWFISH') {
$salt = '$2$' . $salt . '$';
} elseif($crypt_type == 'PHP5.3MD5') {
//only change salt for php 5.3 or higher version for backward
//compactibility.
//crypt API is lot stricter in taking the value for salt.
$salt = '$1$' . str_pad($salt, 9, '0');
}
$encrypted_password = crypt($user_password, $salt);
return $encrypted_password;
}
You can use the following tools on Github. it can change all users password without login into crm and phpmyadmin and update vtiger user privileges file.
https://github.com/spadana2004/Vtiger-CRM-Reset-Password-Tools
Go to My preferences(right top of the browser). There you can change the password of the user.
In database you can't change bcoz there it will be converted to MD5. Then also for your kind information in database check the table vtiger_users for user detail.
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where id = '1';
Login: admin
Password:admin
To make this really easy for admins I created a simple gist that will generate the sql query you need to run to reset a password with any username. Just put in the username and temp password, then run the script and use the SQL it provides. After that just login with that username and password. It is tested with and working on VTiger 7.2.
https://gist.github.com/mav2287/59d5587c7efabdbb105b739c4bc27cb5
<?php
// Put in your username as found in the "vtiger_users" table under the "username" column
$user_name = "";
// Set your TEMPORARY password. You NEED to reset your password after using this to reset it.
$user_password = "password";
// return the approiate stamtent
echo "Run the following SQL query to reset your password: \n";
echo "\"UPDATE vtiger_users SET user_password='".crypt($user_password, substr($user_name, 0, 2))."',crypt_type=''WHERE user_name='".$user_name."'\"";
In out SP site, we have a library with files. These are files associated with a user. We now cstomized the user's profiles to accept a list of files. And now, to this list of files in the user's profile, we would like to add a reference to the file so that the user doesn't have to upload again.
Current Library:
/personal/my/User Files/[filename]
So, I was wondering how to do this? The data looks like this in the new User Files field (JSON):
{
[
{
"Id":"1",
"Title":"Test",
"Url":"\/personal\/my\/User+Files\/testfile.doc"
}
]
}
I have a csv file that I iterate over. The csv file contains the user name:filename pairs.
The Id value has to be gotten from the SP instance libarary at that location for that file.
Powershell code:
$upAttribute = "UserFiles"
$profile_info = Import-Csv profiles.csv
foreach ($row in $profile_info) {
$userId = $row.user # User ID
$fullAdAccount = $adAccount += $userId
#Check to see if user profile exists
if ($profileManager.UserExists($fullAdAccount))
{
$up = $profileManager.GetUserProfile($fullAdAccount)
$upAttributeValue += $row.filename # Filename
# CODE ??????
$up.Commit()
}
}
That is the all the data that I have.
Thanks for any and all help.
Eric
You will first need to add the custom property to the User Profile like so:
http://www.paulgrimley.com/2011/02/adding-custom-user-profile-property-to.html
Then this should help you out:
http://get-spscripts.com/2010/07/modify-single-value-user-profile.html
#Get user profile and change the value
$up = $profileManager.GetUserProfile($adAccount)
$up[$upAttribute].Value = $upAttributeValue
$up.Commit()