I have a script that is using manage_setLocalRoles to assign a specific role to certain users specified. See below for snippet
context.manage_setLocalRoles(username, (‘Editor’, ‘Reviewer’))
context.reindexObjectSecurity()
After that script runs, you can go to the Sharing tab of the page and see the user specified with Reviewer and Editor checked. However, that user does not have any of the rights that go with those roles.
For testing, I have performed the following checks
context.getMyRolesInContext() does not return any of the roles set above.
context.get_local_roles_for_userid(username) only displays the roles set above, and not any global roles set (when testing as site manager and the like).
context.portal_membership.checkPermission(“Modify portal content”) returns a False.
With Editor role I should have Modify portal content permission. I did verify in the workflow of the content type to make sure the roles are set correctly for the permissions in each state. And as a double check, I ran this script on the content.
username = context.getCurrentUserName()
roles = context.rolesOfPermission('Modify portal content')
member = context.portal_membership.getMemberById(username)
for role in roles:
if role['selected']!='':
print role['name']
print member.has_role(role['name'], context)
return printed
This was my result:
Editor
0
Manager
1
Reviewer
0
Site Administrator
0
Those results are from my site manager role, but after I ran the manage_setLocalRoles on my user to add Editor and Reviewer.
Any thoughts as to why the roles aren’t recognized everywhere? Or am I using the wrong process for what I am trying to accomplish?
NOTE - I have already looked at this answer, and as my code reflects I am already doing what it suggests.
EDIT
Adding versions per comment. We have quite a few add-ons, but none of them seem like they would be related. Mostly jQuery integrations, and types like PFG, True Gallery, FullCalendar. We are using a custom theme and all custom content types and workflows. Excluding the content type I am currently creating for this project both the theme and all other content types were created before I got here. The types are Archetypes extensions.
OS - Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Plone - 4.3.2
Products.ATContentTypes - 2.1.13
AccessControl - 3.0.8
The problem boiled down to case sensitivity. Our users are fed from an Active Directory plugin. Some of the usernames are all caps, and others are all lower. Somehow the username being used in my set roles command were always lowercase. As a result, user was getting the roles, when it should have been USER.
My Solution was to first get the actual member from portal_membership, then grab the username from the member.
pm = getToolByName(self, 'portal_membership')
user = pm.getMemberById(username)
self.manage_setLocalRoles(member.getUserName(), ('Reviewer', 'Editor'))
self.reindexObjectSecurity()
Apparently getMemberById() is not case sensitive, and it returns the correct username in the correct case. So I was just missing that extra check/filter.
Related
So I have the users in a table and I know my login system works because I use it for other workspaces. However across all the applications in this particular workspace I am having an error where users roles are not being recognized in particular I can't even get the admin page to work for me and I am a developer. If anyone has any clue on how to fix this it would be greatly appreciated.
If that first image is the default Admin pages, then wouldn't that mean you have access since you can see that page?
(which by default, if you let APEX create it for you through New Page > Features > Access Control) has Administration Rights set as the Authorization scheme
You have two places to check to find the issue:
Shared Components > Security > Authorization Scheme
Go to or Click your Administation Rights, under Authorization Scheme, you need to make sure you are using Is in Role or Group IF that is the requirement and you are to use the created roles. Make sure the role, Administrator (if default roles exist) is listed.
if validation is once per session, and you're still in the same session. log out and log back in. The problem should go away
Shared Components > Security > Application Access Control
Check under Role Assignments if your username is there.
Click Administrator under Roles, and make sure Administration Rights under Associated Authorization Schemes has the Is in Role or Group as the scheme type
If there is a different Authorization scheme (not Is in Role or Group) or you have different roles, then I would suggest post a new question with more details on your setup.
I want to auto-assign a few of the Projects to the user who is logging in using the LDAP credentials. Currently, if LDAP user logs in, I have to go in Report Portal using super admin credentials and assign Member Role and Projects to that specific member.
I have recently tried this LDAP feature and facing this issue of the new user gets creating and assigning projects and members to each one of them. I wan some auto-assignment (like can we passed while setting LDAP setting in Report Portal)
Below is my LDAP user nperiwal with which I logged in Report Portal. But as you see this got created a new user and no project got assigned to it automatically. I want some process or code or settings which can fulfil my requirement.
FYI, see the below snapshot where I manually assigned projects and admin role.
Please help.
Simple way:
It can be done via scripting, see which requests are send to server in browser Network tab and put the same into the bash/shell script. Parametrize according to username and required access.
Long way: wait until our team will implement it within ReportPortal as feature, based on regular priority
Best way: request payed support from our team, and we will implement this capabilities for your company with highest priority. Drop mail at support#reportportal.io
I am working with a lot of MODX since 2010. From time to time i coudl need another user group with restricted permissions. Like "Can edit content, but not change settings". So the user can't break anything which is relevant for die CMS itself.
I added users, placed them into roles and groups, but somehow it never works the way I expect it to work. A role is not a "role" but a level of authority. A group is just a link to a set of permissions, which is already setup as a ruleset. Still, if I create and setup the group "content editor", I never get it running as expected.
Is there a guide (or even an extra?) to setup restricted user account without breaking ones brain?
There's a basic tutorial available in the official documentation: https://docs.modx.com/revolution/2.x/administering-your-site/security/security-tutorials/giving-a-user-manager-access
My personal recommendation would be to ignore roles altogether. Whenever you need to enter a role (when adding a policy to a user group, or when adding a user group to a user) just pick "Super User - 0". They're an added complexity to allow, essentially, different permissions within the same user group, that 99% of the people don't need.
The primary thing to do is to create a policy, based on the "Administrator" policy set, that contains the permissions you want the user to have in the manager. Those would include the relevant resource/document permissions, but not settings, for example.
Then you add that policy to the user group of your choice as a "mgr" context policy.
The usergroup will also need context permission to be able of interacting with specific contexts. So on the contexts tab in permissions, add the different contexts you want, with the contexts policy.
As #optimuscrime commented, ACLs can be a little complicated, but that's the general approach.
I am trying to model some complex permission management system using apache shiro.
English not being my native tongue I am afraid I might be missing some of the subtleties of terms such as "Roles", "Permissions", "Rights" & "privileges".
For example lets say I want to create a system that manages resources such as printers located inside buildings.
A DB holds the information of which printer is located in what building.
Users of that system should be able to reset a printer or print to it.
Its clear to me that some users will be "Super Admins" and be able to reset and print to any printer ('printer:*:*')- I guess that we could say that those people have a "Super Admin Role".
But what if someone should be allowed to reset the printers in a specific building ('building:A:*') ? Is "Building Admin" a (prarametric) role? or is this just a permission on a specific building? How would you model this using apache Shiro?
n.b.
When tagging this Q I added the user-roles tag and it says:"A user role is a group of users that share the same privileges or permissions on a system. Use this tag for questions about how user roles work in a particular security framework, or questions about the implementation of user roles in your program."
Would I be correct to assume that based on this definition there is not such role as a "Building Admin" because being an Admin of Building A does not give you the same permissions as does being an Admin of building B?
and if so, what would be the correct terminology to describe a "Building admin"?
Have you considered using more than three tokens within the WildCardPermission format?
There is no limit to the number of tokens that can be used, so it is up to your imagination in terms of ways that this could be used in your application.
— WildCardPermission Javadoc
Instead of the domain:action:instance syntax commonly used in Apache Shiro examples and documentation, you could add another token to represent the building, e.g. printer:print,reset:*:buildingA.
The downside of this scheme is that whenever you are checking if an action is permitted on a particular printer, you'd now also have to specify the location, even though the token representing the printer instance might already uniquely identify that printer:
// let's say the role for buildingA-admin has permission of "printer:*:*:buildingA"
subject.isPermitted("printer:print:epson123:buildingA"); // returns true
subject.isPermitted("printer:print:epson123"); // returns false
Depending on your application domain, maybe a structure like buildingA:printer:print,reset:epson123 might even be more appropriate or useful.
To answer your other question regarding user roles, you'd be correct to assume that if you have both buildingA-admin and buildingB-admin roles, they are different user roles, if the permissions assigned to them are not the same.
You might conceive a general user role of Building Admin for permissions that all admins for the different buildings might have in common, to avoid duplicating those permissions across the different building-specific admin roles.
I'm trying to make the "Edit" button on the Project form to only be visible if the user logged into the system is the Project Manager of that project. I've been reading various answers online regarding this, gathering some understanding of Access Rights vs. Record Rules but I haven't been able to get this working. To my understanding, Access Rights over-ride Record Rules. So, if I create a record rule under the group "Project/User" that has read and write access with the domain as the following:
[('user_id','=',user.id)]
This will be over-ridden by the Access Rights for Project/User anyway? So How would I get this to work?
Thanks to anyone who can help.
As far as I know, Record Rules can override Access Rights.
Here is an example where record rules are used to change the base_user edit capabilities depending on the Task state: https://github.com/OCA/project-service/tree/8.0/project_baseuser/security
However, the "edit" button is not dynamically visible depending on the Task Status: it's always visible but the rules may or may not allow to write upon "Save".
Access Control List is checked before Record Rules.
Because Access Control List is a CRUD security on models (create/read/update/delete).
Only if ACL is passed next record level security comes in.
As far as I understood you want to give Project User permission to edit his own projects (he is in group Project User not Project Manager but set as Project Manager for exact Project by Project Manager group user LOL).
I did this by doing the following:
1) Give project users Project Manager role.
2) Restrict them to only modify own projects by creating a Global rule (no group is set) with the following domain on update / delete operations:
['|', ('user_id','=',user.id),('create_uid','=',user.id)]
P,S, Here is screenshot - http://awesomescreenshot.com/0083nqyf76
For the model project.project, provide the write permission only to the group project manager.Go to settings/techical/security. There you can see the access control list. CHeck what all group is provided to the project.project model.for every group other than project manager, remove the write permission