I'm trying to find a way to limit access to certain pages based on whether they are logged in as a keystone.js admin - is there a way to extend their existing admin auth to apply to pages outside of the admin interface?
If you're using the Yeoman generator, the User model has an isAdmin property. Within your Express route, you can determine if req.user exists, then if req.user.isAdmin is true.
Related
I have Strapi V4 and 2 custom user roles - seller and buyer.
On the front-end, I have 2 routes that define which role will be assigned to new users /account-buyer/signin and /account-seller/signin.
I tried to make a copy from node_modules\#strapi\plugin-users-permissions\server\controllers\auth.js to src\extensions\users-permissions\controllers\auth.js. but nothing seems to happen.
Also, I’m not sure how to throw the user type (buyer/seller) through all of these back-and-forth redirects of Google (for example).
How could I solve it?
Or let’s say:
save the needed role in localstorage at the moment the provider button is clicked
register the user with the default Authenticated role
on the frontend's /redirect page read the value that has to be set.
Send the value from localstorage and reassign user's role
How can I update the user’s role in this case?
Thank you.
I would start with setting up the Google auth flow with your frontend and Strapi first. On sign in for a non-existing user this will register a user with the default role. Depending on your frontend authentication framework you can pass arguments to the redirect url, e.g. /api/user-registered?role=<some-role>&redirect=<original-redirect-url> (this route can also exist within Strapi instead of your frontend). On this page I would call the Strapi API (or e.g. query engine API inside Strapi itself) and update the role of the current user (you know who this is because they just signed in).
Box documentation at https://developers.box.com/docs/#oauth-2, says that user is redirected to authentication page in first leg of oAuth, and application can pass a parameter "scope".
scope: What scope the eventual auth token will have. This field is not required. If not specified the application will get the default scope configured. If your application has different kinds of users that may need different types of scope, then you can provide a comma separated list of scopes, to give some users a lower scope if they sign in from different locations. If you are using a Provision-granted application, you must specify the alias: folder_readwrite to use the auth-code grant.
Type: string
But I could not find what are all possible values that can be passed as scope.
Any help is greatly appreciated.
My requirement is to restrict the login to only box admins, if someone has any other ideas then please share.
If you still need help with this, to see all the possible values, check all the scopes in your app (actually select the all the checkboxes). Then, in your initial request to Box (i.e. https://app.box.com/api/oauth2/authorize) do not include a scope parameter. You will be redirected to a Box authorize page (login if necessary). There should be a hidden input with all the possible scope values.
From my scope settings I received this hidden input
name="scope" value="root_readwrite manage_enterprise manage_managed_users manage_groups manage_enterprise_properties"
Hope that helps!
Using beast's answer I was able to find the appropriate documentation page:
https://developer.box.com/v2.0/docs/authentication#section-oauth-2-scopes
Here's what it says at the time of writing:
root_readwrite - Read and write all files and folders
manage_enterprise - Manage an enterprise
manage_managed_users - Manage an enterprise's managed users
manage_groups - Manage an enterprise's groups
manage_enterprise_properties - Manage an enterprise's properties
manage_data_retention - Manage an enterprise's retention policies
manage_app_users - Create and manage app users
manage_webhook - Manage Webhooks
They also have a few scopes that require filing a support ticket (no OAuth2 name provided):
Global Content Manager
Admin can make calls on behalf of Users
Can suppress email notifications from API calls
so!
I have a question: how to allow access some part of module only for adminisitrator, for example.
For example, I have module album. It has controllers index, delete, add, edit, full. I want full and index controller be available for all roles, but edit, delete and add action only for administrators.
What module I have to use to do that? I found Zend\Authentification.
Table is: username, password, role.
How to authentificate user?:
// do the authentication
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($authAdapter);
if ($result->isValid()) {
// success: store database row to auth's storage
// system. (Not the password though!)
$data = $authAdapter->getResultRowObject(null, 'password');
$auth->getStorage()->write($data);
$this->_redirect('/');
} else {
// failure: clear database row from session
$this->view->message = 'Login failed.';
}
After that I will get access to user data, for example, by:
Zend_Auth::getInstance()->getIdentity()->username;
So, in action, in which I want to restrict access I just need to use:
if(Zend_Auth::getInstance()->getIdentity()->role == admin) {
redirect("auth/login");
}
Right?
The questions:
Is my suggestion about how to check user role in each contoller correct?
Do I understand correctly how to work with Zend\Authentification and restrict access to some actions? So in future I will just use same for each action, right?
Additional question: Does Aclmodule uses for managing permissions? So Acl is needed to help Zend_Auth with permissions, right?
To be able to do this you have to build or implement an ACL (Access Control List). You can also use a third party solution in combination with the earlier mentioned Zend_Auth (or any other authentication module). You can read more on Zend ACL here: Zend ACL introduction
You could for example also take a look at BjyAuthorize. This ACL module provides a complete authorization solution for your application but depends on ZfcUser for user authentication and registration. It might be a good way to get started.
If you are done building or implementing BjyAuthorize you can easily tie your access permission checking to your routes (but there are many other ways). You can see how this works here on the BjyAuthorize GitHub page
These modules will teach you a lot about how authentication and authorization can be build into your Zend Framework 2 application.
I have MVC4 application which uses SimpleMEmbershipProvider for authentication mechanism.
Everything works fine, apart of when I return to the application and authenticate using persistant cookie.
I am authenticated fine, but cannot access roles that I am assigned to. Effectively, cannot access roles at all:
string.Join(",", Roles.GetRolesForUser(User.Identity.Name))
returns empty string
What might be causing that?
This can happen when the SimpleMembershipProvider hasn't been initialized. The example MVC forms authentication template assumes that you'll be allowing anonymous access to your site and doesn’t initialize the membership provider until you go to the login page. However, a more common security technique is to require a login for any site access and to define menu choices in the _layout page to be determined by roles. But, if you use the persistent cookie, you don’t revisit the login page so the roles for the authenticated user aren’t loaded from the membership database.
What you want to do is initialize the provider when the user enters the site so that values get loaded. To do this, you want to add the following filter in the RegisterGlobalFilters method of the FilterConfig class in the App_Start folder
filters.Add(new YourAppNameSpace.Filters.InitializeSimpleMembershipAttribute());
This will cause the user data to be loaded from the database when a cookie authenticated user enters the site.
Another alternative technique is to add the [InitializeSimpleMembership] decorator to any controller method that cookie autheticated users might enter directly. This is kind of messy though if you have to put it on a lot of controllers. Therefore, putting it in the global filter is better in most cases.
I want to use a single form to login normal users and admins, i have a flag on entity 'isAdmin'. If it's an admin redirect to panel and set ROLE_ADMIN, if not redirect to site and set ROLE_USER.
this is possible, have other method to do this?
That seems to make no sense at all. You should set the user's role on registration not on login.
When user loggs in you can retrieve its object from database and get the role attribute to decide which view to load.
Check the console commands for fosuserbundle, you can "promote" a user with the ROLE_ADMIN. On every login he'll be assigned with that role automatically.
It won't be working with a "isAdmin" flag on your Model Entity, more likely to use a mechanism provided by fosuserbundle itself (didn't dig into that myself to be honest).
You also might want to check out https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/groups.md