I want to integerate Laravel Authority bundle in my laravel application.
How can i implement ACL for it?
My approach is like every controller will define permissions associated with the controller. Then I will map those permissions with roles. The Authority initialization will load the permissions available for the session user and pass them to authority. Permissions can be later on checked normally with Authority::can().
Now my question is how can I load all the permissions available in the controllers at some page which will allow me to set permissions to roles.
Is it the right way to define permissions?
Please help.
As noted in the comments bundles do not work with laravel 4 but Matt Machugas Authority package for laravel-4 seems to suit your needs exactly. It allows you create roles with certain prividleges and then add individual permissions to on top or instead of those roles if you want, I find it very easy to use.
Related
I need to restrict permissions for certain branches across 50 repos for specific user groups in azure repos. This is to say, a particular group of users cannot force push to the master branch but can other branches.
This is easy enough to do in the interface, but requires going to 50+ repos and manually performing this task. I've been reading through the Azure repos API documentation and I'm struggling to see how I go about setting this?
As explained in the blog post https://jessehouwing.net/azure-devops-git-setting-default-repository-permissions/:
tfssecurity /a+ "Git Repositories" repoV2/<Team Project GUID>/<repository guid>/refs^heads^<branch name>/ "ForcePush" <memberIdentity> DENY /collection:https://dev.azure.com/{organization}
The repository guids can be found out via REST API, where GitRepository.id contains the guid:
https://learn.microsoft.com/en-us/rest/api/azure/devops/git/repositories/list?view=azure-devops-rest-5.1#examples
See https://learn.microsoft.com/en-us/azure/devops/server/command-line/tfssecurity-cmd?view=azure-devops for more information about how to specifiy member identity.
You can use below rest api to set branch permission fors for group.
POST https://dev.azure.com/{orgname}/{projectid}/_api/_security/ManagePermissions?__v=5
Here is a sample of request body.
{"updatePackage":
"{\"IsRemovingIdentity\":false,
\"TeamFoundationId\":\"{teamfoundationId}}\",
\"DescriptorIdentityType\":\"Microsoft.TeamFoundation.Identity\",
\"DescriptorIdentifier\":\"{DescriptorIdentifier}}\",
\"PermissionSetId\":\"2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87\",
\"PermissionSetToken\":\"repoV2/{projectId}}/{repoId}}/refs^heads^{branchname}}/\",
\"RefreshIdentities\":false,
\"Updates\":
[{\"PermissionId\":1,\"PermissionBit\":32768,\"NamespaceId\":\"2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87\",
\"Token\":\"repoV2/{projectId}/{repoId}/refs/heads/{branchId}/\"}],
\"TokenDisplayName\":null}"}
Note
\"PermissionId\":1, means set the permission to Allow,
\"PermissionId\":2, means set the permission to Deny,
\"PermissionId\":1, means set the permission to Not Set.
\"PermissionBit\":32768 is the Bypass policies when completing pull requests permission.
\"PermissionBit\":128 is the Bypass policies when pushing permission.
\"PermissionBit\":4 is the Contribute policies when pushing permission.
\"PermissionBit\":2048 is the Edit polices permission.
\"PermissionBit\":8 is the Fource push permission.
\"PermissionBit\":8192 is the Manage permissions.
\"PermissionBit\":4096 is the remove other's lock permission.
Addition
There are too many parameters in the request body, you can get there parameters by offical documentations. Or I recommand you to get these parameters by using Network Tool to manual cathch them.
GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
I have set up a user and assigned him to a role. While I am able to permit or deny access to different pages in the site, assigning access restrictions in Media Library -> Security seems to have no effect. Any idea what I'm missing?
You have to assign them to a role. Configure both 'Permissions' and 'UI personalization' like you can see in the screenshot below.
David
Please check to make sure you do not have any global or higher level permissions set on those users that would override your specific security settings. For instance is a user was set to a role but also has Global Admin rights, the global admin would override all the permissions.
Also have you tested if the users can actually edit those libraries? (add, edit, remove items) or can they just see the media items in there?
I had a similar issue. Disabling the "Manage" permission while leaving "Read" enabled via the Role's Permissions -> Media libraries (Module) resolved it. See my response here: https://devnet.kentico.com/questions/limit-access-to-media-libraries
I have added the SEOptimizer add-on to my site, and need to restrict who can access the SEO tab. I'm not sure how to manage permissions for this.
Default add-on permission use the "Modify portal content" permission, so users able to edit the content will see the tab: https://github.com/quintagroup/quintagroup.seoptimizer/blob/5d0ee147f2b094ea8a05849f1d77161a8329bb44/quintagroup/seoptimizer/profiles/default/actions.xml#L14
You can change this behavior by changing the permission related to this action and the permission in the ZCML: https://github.com/quintagroup/quintagroup.seoptimizer/blob/f55624284a7daa6c225801990e6b2e9801b9eeac/quintagroup/seoptimizer/browser/configure.zcml#L95
Change the permission used by the action is simple (you can do it also TTW accessing ZMI and portal_action tool).
Changing the ZCML permission needs a registration of a new ZCML that will override the old registration: See http://docs.plone.org/develop/addons/components/zcml.html#overrides
You probably need to register a new permission, to be given to your "SEO" role.
BTW: this can be a really good change for the original product too: think about open an issue.
I've just installed Apache Bloodhound in my server. It's working fine. But with the default settings, anyone can view the list of tickets. I want to change this so that only logged in users are able to view the tickets.
Is it possible? How can I do this?
Default Trac ticket permissions are TICKET_VIEW for 'anonymous' sessions (everyone) and editing for 'authenticated' users, yes.
You'll want to remove TICKET_VIEW, so only authenticated users will see (and modify) tickets. To accomplish that, any user with PERMISSION_REVOKE (inherited by TRAC_ADMIN and PERMISSION_ADMIN as well) is allowed to navigate to the permission web admin page, can check and submit the 'remove' action. Alternatively you could use the trac-admin command:
trac-admin <path_to_trac_env> permission remove anonymous TICKET_VIEW
where you need to replace the path with you real one, like /var/www/trac_env/myTrac.