How to bypass yii validation? - yii

I have different roles in my project. I want to bypass a validation for the admin user role only, which is a role in my project. I didn't want to use a scenario. Thanks in advance.

To bypass validation when saving a model, just pass false as the first argument of the save() method. It will skip model validation before saving.
$model->save(Yii::app()->user->isAdmin ? false : true);

Related

How to force ValidatePrincipal to be called on AuthenticatedUsers even for [AllowAnonymous] actions?

I am using cookie authentication on a new ASP.NET CORE 3.1 project.
I have a controller action that is used by both guests as well as authenticated users. Because of that, it is decorated with the AllowAnonymous attribute.
The behavior of the action is slightly different if the user is authenticated so I use httpContext.User.Identity.IsAuthenticated to check that out and if true, I then retrieve the principal's claims in order to perform a database update.
The problem that I have is that because the action allows anonymous access, the OnValidatePrincipal event of the cookie authentication scheme is not called to make sure that the current claims are up to date.
This means that even if the httpContext.User.Identity.IsAuthenticated flag is true, I cannot rely on the claims that come with it because they are not validated in this case.
First of all, this seems to me like a problem. Second, does anyone know if there is a way around that? Some way to force the OnValidatePrincipal event to be called as soon as the httpContext.User.Identity.IsAuthenticated flag is true, no matter if the action requires authorization or not?
You can try creating a dummy controller method that requires authorization and call it when httpContext.User.Identity.IsAuthenticated flag is true.

Extending keystone.js auth

I'm trying to find a way to limit access to certain pages based on whether they are logged in as a keystone.js admin - is there a way to extend their existing admin auth to apply to pages outside of the admin interface?
If you're using the Yeoman generator, the User model has an isAdmin property. Within your Express route, you can determine if req.user exists, then if req.user.isAdmin is true.
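
The check described in the answer above, written as reusable Express-style middleware (an added example, not part of the original post or of Keystone's own code). It assumes earlier session middleware has already populated req.user; requireAdmin, mockResponse and check are names made up for this example.

```javascript
// Express-style middleware: allow the request only for a signed-in admin.
// Assumption: earlier session middleware sets req.user for signed-in users
// and leaves it undefined for guests.
function requireAdmin(req, res, next) {
  if (!req.user) {
    // Not signed in at all.
    return res.status(401).send('Sign-in required');
  }
  // Strict comparison: a truthy value such as the string "true" must not pass.
  if (req.user.isAdmin !== true) {
    return res.status(403).send('Admins only');
  }
  return next();
}

// Minimal stand-in for an Express response, constructed for this example.
function mockResponse() {
  return {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
}

// Runs the middleware against a constructed request and reports the outcome.
function check(user) {
  const res = mockResponse();
  let allowed = false;
  requireAdmin({ user }, res, () => { allowed = true; });
  return { allowed, status: res.statusCode };
}

// In an app the middleware sits in front of the handler, e.g. (hypothetical route):
//   app.get('/reports', requireAdmin, reportsHandler);
console.log(check(undefined));
console.log(check({ isAdmin: false }));
console.log(check({ isAdmin: true }));
```

Because the check runs on the server for every request to the route, it holds even when links to the page are hidden from non-admin users.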

MVC And Control Based Authorization

Is it possible to define authorization at the control level? If so, what is the best practice?
Consider that I have an input control named daily wages (a text box). userRoleOne is a user role that is supposed to see this field; other user roles should not see this field. What is the best practice to do this?
Yes, it's possible. The current instance of HttpContext is accessible in Razor views by the name Context, so you can check whether the user is in a role or not:
@if (Context.User.IsInRole("userRoleOne"))
{
    @Html.TextBox("dailyWages", "")
}
It should work without any additional code with ActiveDirectoryMembershipProvider and Windows Authentication, but may not work with Forms Authentication and other memberships.
In the last case you should manually create an object of the GenericPrincipal class in the Application_AuthenticateRequest method of Global.asax (see details).

How to authenticate a session in a website

When a user logs in to a website what method is the best to authenticate the session? For example does setting a variable in $_SESSION that is checked and if is set the user logged in, work? I was reading this tutorial and they have if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username'])) and if this returns true the user is shown the contents of the page. Is this how it's done?
Yup, that's the general idea.
After setting $_SESSION['LoggedIn'] to TRUE elsewhere (on the login page), you'll check $_SESSION['LoggedIn'] to see if it's TRUE; if so, display the content.
I agree with @relentless. However, I prefer if you store the information inside the database.
Assuming that you have a table called user with a tinyint column logged_in. Whenever the user has successfully logged in, update the column value to 1. Upon logging out, change it to 0.
Yes, and I would recommend looking a little into PHP and some of the predefined variables like $_POST and $_SESSION here: http://php.net/manual/en/reserved.variables.php. And functions like isset() and empty(), and maybe some HTML forms.

Symfony2 set user role on login

I want to use a single form to log in normal users and admins. I have a flag on the entity, 'isAdmin'. If it's an admin, redirect to the panel and set ROLE_ADMIN; if not, redirect to the site and set ROLE_USER.
Is this possible? Is there another method to do this?
That seems to make no sense at all. You should set the user's role on registration, not on login.
When the user logs in, you can retrieve their object from the database and get the role attribute to decide which view to load.
Check the console commands for fosuserbundle; you can "promote" a user with ROLE_ADMIN. On every login he'll be assigned that role automatically.
It won't work with an "isAdmin" flag on your model entity; you're more likely to use a mechanism provided by fosuserbundle itself (I didn't dig into that myself, to be honest).
You also might want to check out https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/groups.md