I am a newbie in the Symfony framework and I have to create a web application. The problem I have is the authorization of defined actions in the code.
I load my users out of a database with some roles (many-to-many). In security.yml I work with ACLs for the different routes. But now my teacher told me that I should implement specific rights for roles. That means that I have some roles with rights (many-to-many), so I can create new roles by simply adding some rights.
An example might be "editing users" in the database. So I can specify granularly the rights "editing", "persisting" and so on.
How can I implement this in my Controllers/Twig templates? In Twig I work with the isGranted() function; there I can only check roles?
Thanks for your help :-)
Related
Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I have a role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating a group and adding CS there
The problem is that by giving manage-users rights, CS ends up being able to manage roles and groups, so it is able to grant other users management permissions. That's not valid for my config - it is a role of some higher-level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So at the end of the day I finally managed to find a working solution.
The problem was that the manage-users role can't be overridden by a policy.
With help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to set up a configuration that fulfills the use case.
With the Keycloak preview feature admin_fine_grained_authz enabled I created a global composite role user-managers and granted it the query-users role from the realm-management client. Then I created a policy that grants the manage permission on the Users resource when the user has the user-manager role.
That works perfectly.
I'm building a couple of ASP.NET MVC websites that will share a database (because they share data under the hood). That said, logins between sites will not be shared at the moment. For reference, I'm using NHibernate for data access with SQL Server under the hood (currently).
As currently laid out, the system has tables for Sites, Roles, Users, and Rights. Sites have sets of users, rights, and roles. Users can be in many roles. Roles have a set of rights. Users will be able to sign in with a username and password, but I don't want to paint myself into a corner - I might want them to be able to use a google or facebook login later.
Now, I'm a little confused as to which path to take with regard to securing the site. I'm not enamored of the old school membership and role providers for several reasons. Chief among these is that I won't be restricting very many things by roles; things will be restricted based on user access rights. I'm looking at the following few scenarios for authentication.
1) I want to be able to specify rights required to use a controller method via an attribute.
2) I want to be able to quickly query and see if a user is in a particular role or has a particular right.
So, I actually have a set of questions, but they are kind of intertangled. First, what should I do? Just a custom authorization attribute? Second, what's the workflow on login and the like? What are the steps required for this to work properly and securely?
I realize these are sort of noobish questions, but in the past I've gotten by with the old provider way of doing things. I don't particularly care for that and would really like some better suggestions. So I guess everything old is new again for me.
I would flee the Membership provider from MS like the plague. It was already badly implemented when it came out with .NET 2.0, and the recent refresh is no better.
Roles, Users, ... that's not bound to the Membership provider; you can use those on your own. Set up authentication and create an HttpModule that handles it (a simple userId for Context.User.Identity suffices).
All you need is a User that derives from IIdentity, and in your HttpModule:
string[] roles = new[] {"Admin", "CoolDude"};
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(user, roles);
...and now in your MVC controller simply add the necessary authentication attributes; game played!
Make custom roles, custom MVC attributes, or query directly whether a user is in a specific role:
if (HttpContext.Current.User.IsInRole("Admin")) { ...
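The pattern asked about in both the Symfony question (roles that are bundles of rights, checked by right rather than by role) and the ASP.NET question (a right required per controller method, declared like an attribute) is framework-neutral, so here it is worked through in plain Ruby as an added example. This is not code from any post on this page; the rights, roles, users, the UsersController class and the require_right declaration are all constructed for the illustration.

```ruby
require "set"

# Added example, not code from any post on this page: rights are the atomic
# permissions, roles are named bundles of rights, and every check asks for a
# right. All role, right and user names below are constructed.
RIGHTS = %i[view_users edit_users persist_users manage_roles].freeze

class Role
  attr_reader :name, :rights

  def initialize(name, rights)
    unknown = rights - RIGHTS
    raise ArgumentError, "unknown rights: #{unknown.inspect}" unless unknown.empty?
    @name = name
    @rights = Set.new(rights).freeze
  end
end

class User
  attr_reader :name, :roles

  def initialize(name, roles = [])
    @name = name
    @roles = roles
  end

  # Effective rights are the union over all roles, so adding a right to a
  # role grants it to every holder of that role at once.
  def rights
    roles.map(&:rights).reduce(Set.new, :|)
  end

  def granted?(right)
    rights.include?(right)
  end
end

class AccessDenied < StandardError; end

# Stand-in for a "required right" attribute on a controller action:
# `require_right :edit_users` wraps the next method defined in the class
# with a check against the current user's effective rights.
module RequiresRight
  def require_right(right)
    @pending_right = right
  end

  def method_added(name)
    super
    right = @pending_right
    return unless right
    @pending_right = nil # clear before define_method re-triggers this hook
    original = instance_method(name)
    define_method(name) do |*args, **kwargs, &blk|
      unless current_user.granted?(right)
        raise AccessDenied, "#{current_user.name} lacks #{right}"
      end
      original.bind(self).call(*args, **kwargs, &blk)
    end
  end
end

class UsersController
  extend RequiresRight
  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
  end

  require_right :view_users
  def index
    "listing users"
  end

  require_right :edit_users
  def update(id)
    "updated user #{id}"
  end
end

# Runs an action and returns either its result or the denial message.
def attempt(controller, action, *args)
  controller.public_send(action, *args)
rescue AccessDenied => e
  e.message
end

# Constructed scenario: support can only look, editors can change users.
def demo
  support = Role.new("support", %i[view_users])
  editor  = Role.new("editor", %i[view_users edit_users persist_users])
  alice   = User.new("alice", [support])
  bob     = User.new("bob", [editor])
  {
    alice_index:  attempt(UsersController.new(alice), :index),
    alice_update: attempt(UsersController.new(alice), :update, 7),
    bob_update:   attempt(UsersController.new(bob), :update, 7),
    bob_rights:   bob.rights,
    alice_manage: alice.granted?(:manage_roles)
  }
end
```

The point of keeping the check on a right rather than a role is the one the Symfony question is after: a new role is just a new set of rights, and no controller or template needs to change when one is added. In Symfony itself this check belongs in a voter consulted by isGranted(), and in ASP.NET MVC in a custom authorization attribute; the Ruby `require_right` hook here only stands in for that declaration.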
In the book "Agile Web Application Development with Yii 1.1 and PHP5", the RBAC is implemented through authassignment and a bizrule. This should support the possibility of granting users different roles in each project.
But whenever a user is assigned a role in a specific project, a new record is added to the authassignment table with this role and that user. Since there are 3 roles (owner, member, reader), this does not allow assigning the user to more than 3 projects, and the user must be assigned different roles in these projects (otherwise an integrity constraint will be violated).
Any ideas? Is this really a flaw in the RBAC implementation in the book?
Thanks.
This is probably more of a role for business rules than creating individual roles. For example, a user may be given a particular role that allows them to create and own a project, and then a business rule would be used to ensure that only they can administer their project.
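The business-rule approach the answer above recommends, worked through in plain Ruby as an added example: it is not code from the book or from either post. The Rbac class, the Project struct, the role names and the user ids are all constructed; the one-row-per-(user, role) assignment table mirrors the unique key the question runs into, and the bizrule on each role decides per project whether that single assignment applies.

```ruby
require "set"

# Added example, not code from the book or the post above: a small RBAC
# checker with one assignment row per (user, role), like the AuthAssignment
# primary key, and a business rule on each role deciding whether that role
# applies to the project being checked. All data below is constructed.
Project = Struct.new(:id, :owner_id, :member_ids)

class Rbac
  Assignment = Struct.new(:user_id, :item_name)

  def initialize
    @items = {}        # name => { children: Set of names, bizrule: Proc or nil }
    @assignments = {}  # [user_id, item_name] => Assignment (unique, as in the DB)
  end

  def create_item(name, children: [], bizrule: nil)
    @items[name] = { children: Set.new(children), bizrule: bizrule }
  end

  # Mirrors the unique (itemname, userid) constraint the question hits.
  def assign(user_id, item_name)
    key = [user_id, item_name]
    raise ArgumentError, "duplicate assignment #{key.inspect}" if @assignments.key?(key)
    @assignments[key] = Assignment.new(user_id, item_name)
  end

  # checkAccess-style walk: start at each of the user's assigned items and
  # descend to the requested operation, evaluating business rules on the way.
  def check_access(user_id, item_name, params = {})
    @assignments.values
                .select { |a| a.user_id == user_id }
                .any? { |a| reaches?(a.item_name, item_name, params, a) }
  end

  private

  def reaches?(from, target, params, assignment)
    item = @items.fetch(from)
    rule = item[:bizrule]
    return false if rule && !rule.call(params, assignment)
    return true if from == target
    item[:children].any? { |child| reaches?(child, target, params, assignment) }
  end
end

# Roles are assigned once per user; the business rule, not an extra
# assignment row, ties the role to a specific project.
def build_rbac
  rbac = Rbac.new
  %w[readProject updateProject deleteProject].each { |op| rbac.create_item(op) }
  rbac.create_item("member",
                   children: %w[readProject updateProject],
                   bizrule: ->(p, a) { p[:project].member_ids.include?(a.user_id) })
  rbac.create_item("owner",
                   children: %w[readProject updateProject deleteProject],
                   bizrule: ->(p, a) { p[:project].owner_id == a.user_id })
  rbac
end

def demo
  rbac = build_rbac
  p1 = Project.new(1, 10, [20])   # user 10 owns p1, user 20 is a member
  p2 = Project.new(2, 20, [10])   # user 20 owns p2, user 10 is a member
  [10, 20].each do |uid|          # one row per role, however many projects
    rbac.assign(uid, "owner")
    rbac.assign(uid, "member")
  end
  {
    u10_delete_p1: rbac.check_access(10, "deleteProject", project: p1),
    u10_delete_p2: rbac.check_access(10, "deleteProject", project: p2),
    u10_update_p2: rbac.check_access(10, "updateProject", project: p2),
    u20_delete_p1: rbac.check_access(20, "deleteProject", project: p1),
    u30_read_p1:   rbac.check_access(30, "readProject", project: p1),
    duplicate_row: begin
      rbac.assign(10, "owner")
      false
    rescue ArgumentError
      true
    end
  }
end
```

With this layout a user who owns five projects still has exactly one "owner" row, so the integrity constraint described in the question is never reached; the per-project decision is made by comparing the project's owner or member list against the assignment's user id at check time.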
In addition to creating the RBAC file, what are the other advantages of the Yii Rights module? What does the Yii Rights module do that Yii RBAC doesn't support?
Allows managing access in the backend: create roles on the fly and attach them to users.
Role access has weak binding with code because it is based on module-controller-action-oriented permissions that you can give to a user. All that can be managed with the backend interface on the fly.
Has task-oriented (not role-oriented) access: you can create a custom task (text editing, for example) and base your logic on permissions for tasks instead of roles.
You can find answers to all of those questions here: http://www.yiiframework.com/extension/rights/
Basically, everything you can do with Rights, you can do with RbAC, but Rights makes it all easier to manage.
I've got a Rails 3 app in beta right now that uses Devise for authentication for users, and need some advice. I want to add an admin user that has some additional abilities, but I will be the only admin user (or admin users can be created via the terminal - i.e. people cannot sign up to be admin users). All regular users have the same abilities. I was just about to use cancan to separate abilities based on user roles. Then it occurred to me that using cancan may just be overkill. Does it make sense to just create a different class of user instead? Am I giving anything up by doing this?
I can foresee in the future that if this app is successful, there may be different roles for users (a free versus paid account, etc). Even in that case, does it make sense to NOT have an admin user via devise? Thoughts?
Thanks!!
If you only have two types (users and admins) it seems perfectly fine to have two classes. It might even be easier to implement than a full-fledged role system. But if it is foreseeable that you will get more roles in the future it would be better to lay a solid foundation and use a role system from the start.
If you are the only admin, I would create a field in your user model called Admin and then when you are going to add a function that is only for you, use the admin? check in your code.
For most of my projects, I have been using Devise and then use Option 2 from their Admin Role Wiki which is super easy to implement.