What is the recommended way to implement admins in a webapp - ruby-on-rails-3

I know of 2 ways to implement admins:
add admin role flag to the user entity
add a new admin entity
I don't know if there are more ways of doing it.
1. Does it matter in terms of admin usability? Security?
2. Which is easier to scale or maintain?
For a rails-specific (but not limited to) sub-question:
Is using premade admin services such as active_admin or adminium worth it in the long run (heavy-use application, not small sized), or would it just be better to make my own admin panel and incrementally add features as I need them?

The answer to that question depends on your needs for a particular project.
Using the premade admin services makes life easier, as you can customize the services with the ease they provide and then use them in your application.
In the ActiveAdmin railscasts, there is a video about ActiveAdmin that shows how customizable it is. Apart from that, there are comments by various people in the railscasts from their experience about its usage.
This will clearly give you the idea in the right direction.
There is also a very good article by batsov which explains the differences between RailsAdmin and ActiveAdmin.

Short version: Do it yourself with the admin role flag. For security, do not allow mass assignment of this flag. Build your own admin interface; especially for a big project, nothing premade will suit your needs.
Long Version:
I haven't actually used any of the premade admin services as in general my experience has shown me that my users are either normal/admin or semi-admin.
Having your own flag means that you have full control over how to add admin users.
Example: in some apps I have allowed anyone with admin access to make anyone else an admin.
Rails allows you to quickly scaffold/build your own custom admin interface and here I can't see anything 'off the shelf' beating the add as you go/need mentality as the end result will be custom built to fully suit your needs vs spending your time with an admin interface that you have to customize yourself.
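The two security points in this answer, the admin flag must not be mass assignable and promotion should go through one sanctioned path, can be shown in plain Ruby. The block below is an added example, not code from the answer or from any Rails project; in Rails 3 the whitelist role is played by `attr_accessible`, while here a hand-written `ACCESSIBLE` list stands in for it so the file runs without Rails. The `User` class, the `grant_admin!` method and the tampered parameters are all constructed for illustration.

```ruby
# Added example (not from the original answer): a plain-Ruby model of the
# "admin flag on the user" pattern. In Rails 3 the equivalent protection is
# `attr_accessible`, which lists the attributes a form may set; here a
# hand-written whitelist stands in for it so the file runs without Rails.
class User
  # Attributes a signup or profile form is allowed to touch. `admin` is
  # deliberately absent: the only way to set it is grant_admin!/revoke_admin!.
  ACCESSIBLE = %i[name email].freeze

  class NotAuthorized < StandardError; end

  attr_reader :name, :email

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  def admin?
    @admin
  end

  # Weak form: copies every key from the request, so a crafted
  # `user[admin]=1` field silently elevates the account. Kept here only to
  # contrast with assign_attributes below.
  def assign_attributes_unchecked(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened form: keys outside the whitelist are dropped (Rails 3 logs them;
  # here they are returned so a caller can audit what the client tried to set).
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end

  # The one sanctioned path: an existing admin promotes another user
  # (the "anyone with admin access can make anyone else an admin" policy).
  def grant_admin!(actor)
    raise NotAuthorized, "#{actor.email} is not an admin" unless actor.admin?
    @admin = true
    self
  end

  def revoke_admin!(actor)
    raise NotAuthorized, "#{actor.email} is not an admin" unless actor.admin?
    @admin = false
    self
  end
end

# Constructed request parameters, as a tampered signup form would submit them.
TAMPERED_PARAMS = { "name" => "Mallory", "email" => "mallory@example.com", "admin" => true }.freeze

def demo
  unchecked = User.new(name: "", email: "").assign_attributes_unchecked(TAMPERED_PARAMS)
  checked   = User.new(name: "", email: "")
  rejected  = checked.assign_attributes(TAMPERED_PARAMS)
  root      = User.new(name: "root", email: "root@example.com", admin: true)
  promoted  = User.new(name: "Bob", email: "bob@example.com").grant_admin!(root)
  { unchecked_is_admin: unchecked.admin?, checked_is_admin: checked.admin?,
    rejected_keys: rejected, promoted_is_admin: promoted.admin? }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Returning the rejected keys from `assign_attributes` is a small but useful defender habit: a request that tries to set `admin` is worth logging, since a legitimate form never sends that field.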

Related

ASP.Net core Identity - Overkill for basic login system?

I need to create a very basic log in system to allow access to an admin portal.
I'll need to hold email, password and a field to identify access level (admin, read-only or edit).
Users will be created by an admin, where they will get sent an email with a generated password. There will be no user registration page.
Asp.net core Identity would handle all this...but my question is it overkill for a small application?
That is really a matter of opinion. I don't mind overkilling small tasks, as I learn a lot in the process. If it's a system between a small group, you could just implement a reset-button for you, that resets whoever you want, and generates a new random password. I have done that in the past.
Also .Net Core Identity handles a lot of the boilerplate code, so it's not that difficult to implement. There are a lot of great guides out there.
...but my question is it overkill for a small application?
Depends on your definition of an overkill.
It will allow you to set up a working identity system in a few clicks, so from that point of view, having to code all that stuff from scratch would be overkill.
On the other hand, the generated tables have a few excess (for your use case) columns that might seem like an overkill. There is also support for functionality like 2FA, which you may not need.
Bottom line: by choosing to use the identity system, you save time and gain some extraneous functionality.
I have been using .NET for a very long time, and for a long time implemented custom user management (overriding built-in providers, customising to my own database structures, etc.). This is required if implementing over a legacy system, but for new development and security it is worth using off-the-shelf authorization/authentication systems, whether built in or supported by .NET or using 3rd party services.

How to proliferate access permission to Javascript MVC apps

I recently finished one of my first AgilityJS projects, which is a web-based file browser that lets you create and manage folders and files, and navigate around the folder tree. I followed the various AgilityJS recommendations regarding the design and ended up with all my HTML and Javascript in a single Javascript file.
Now, I would like to provide a "read-only" version of this app which does not have the ability to add/edit/remove files and folders. I'd like to have 2 user types on the website, one type which can only read the files and folders, and another user type who can administer.
My question is, how do I proliferate these permission differences to my AgilityJS app? I know how to secure my endpoints and operations on the server side, but I'm wonder about the best way to do this on the client side. Should I create a separate version of the app with a limited set of functionality? Should I simply hide certain buttons/features? Are there theories, frameworks, etc.? which deal with this issue? Any point in the right direction would be helpful.
LOL - probably one could write books about that topic. Some very basic ideas:
I would start with the philosophical debate according to MVC. There are people who argue, with the help of MVC, that any piece of code and also any piece of data model should never be implemented twice: business logic and model belong on the server. The opposite view is focusing on serving users at any cost, even if that means maintaining code or the model twice for the sake of avoiding extra round trips. The way in between defines a master source for business code and model and makes sure the other places follow that leading master (the master will be changed first). Take your choice. Your answer to that question results in boundaries for how the user interface can/has to look for the user.
You need to think very hard about a permissions concept. Looking at Microsoft, I would assume that they invested a couple of dozen man-years across all their applications to make up the permission concepts. The ideal permission concept very much depends on your application, so it is close to impossible to work this out without knowing at least a very little of your application. However, the permission concept has to come up with policies deciding on roles, groups, access rights, access levels, context-driven permissions (e.g. based on IP address), permissions black- or whitelisting (permissions each user has at creation). An example from Microsoft: http://office.microsoft.com/en-us/windows-sharepoint-services-help/permission-levels-and-permissions-HA010100149.aspx
Data on the client is not secured!!! Whatever you do on the client, be it data hiding, encryption, compression... if this is done on the client there are ways to read the data (even by disabling the data manipulation) or by reverting those. Somebody can send data to your server where the client should not even have given an update form; this could be implemented by hackers. So as soon as you start to implement permissions, make sure that users are permitted to read all data you send to clients, and that you include permission checking each time you add/update data in the database.
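The last point of this answer, that hiding buttons in the client changes nothing about what the server must enforce, is easiest to see in a small server-side authorization layer. The block below is an added example, not code from the answer, from AgilityJS or from any real framework: the roles, the permission table, the `FileStore` class and its `handle(user, method, path, body)` request shape are all assumptions for illustration. Every operation is authorized again on the server, listings only include entries the requesting user may read, and a restricted file answers 404 rather than 403 to a reader so its existence is not leaked.

```ruby
# Added example (not part of the original answer): a miniature server-side
# authorization layer for a file browser, in plain Ruby. The request/response
# shapes, roles and permission table are illustrative assumptions.
require "json"

# Role => permissions it carries.
PERMISSIONS = {
  "reader" => %w[read].freeze,
  "admin"  => %w[read write].freeze
}.freeze

# Permission each HTTP method needs, independent of which buttons the
# client chose to render.
REQUIRED = { "GET" => "read", "PUT" => "write", "POST" => "write", "DELETE" => "write" }.freeze

class FileStore
  attr_reader :files

  # Constructed sample tree: path => { content:, restricted: }. Restricted
  # entries are only listed or served to admins.
  def initialize
    @files = {
      "/docs/readme.txt"   => { content: "hello", restricted: false },
      "/docs/report.pdf"   => { content: "%PDF", restricted: false },
      "/admin/secrets.txt" => { content: "rotate keys", restricted: true }
    }
  end

  def can?(user, permission)
    PERMISSIONS.fetch(user[:role], []).include?(permission)
  end

  def may_see?(user, file)
    !file[:restricted] || user[:role] == "admin"
  end

  # Every request passes through here; the client is not trusted to have
  # pre-filtered anything. Returns [status, body].
  def handle(user, method, path, body = nil)
    needed = REQUIRED[method]
    return [405, { "error" => "unsupported method" }] unless needed
    return [403, { "error" => "#{user[:name]} lacks #{needed} on #{path}" }] unless can?(user, needed)

    case method
    when "GET"
      if path == "/"
        # Only send the client what this user is permitted to read.
        visible = @files.select { |_, f| may_see?(user, f) }
        [200, { "files" => visible.keys.sort }]
      else
        f = @files[path]
        # Restricted entries look like missing ones to non-admins.
        return [404, { "error" => "not found" }] if f.nil? || !may_see?(user, f)
        [200, { "content" => f[:content] }]
      end
    when "PUT", "POST"
      @files[path] = { content: body.to_s, restricted: path.start_with?("/admin/") }
      [200, { "saved" => path }]
    when "DELETE"
      return [404, { "error" => "not found" }] unless @files.delete(path)
      [200, { "deleted" => path }]
    end
  end
end

def demo
  store  = FileStore.new
  reader = { name: "alice", role: "reader" }
  admin  = { name: "root",  role: "admin" }
  # A reader whose UI hid the delete button can still craft the request by
  # hand; the server answers 403 and the file is untouched.
  forged = store.handle(reader, "DELETE", "/docs/report.pdf")
  {
    reader_listing:  store.handle(reader, "GET", "/"),
    reader_secret:   store.handle(reader, "GET", "/admin/secrets.txt"),
    forged_delete:   forged,
    report_survives: store.files.key?("/docs/report.pdf"),
    admin_delete:    store.handle(admin, "DELETE", "/docs/report.pdf"),
    admin_listing:   store.handle(admin, "GET", "/")
  }
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

The client-side "read-only version" then becomes purely a usability decision: it can render fewer buttons, but the `REQUIRED` table is the only thing that decides whether a write goes through.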

How to implement user level access in yii?

Is there a good extension for yii framework that controls user permissions. Give them different levels of access. I have checked some of them, they are good but up to date for example http://www.yiiframework.com/extension/rights/.
You can look up this Yii extension. I used it a couple of times myself. http://www.yiiframework.com/extension/srbac/
Before implementing an extension, please check out the original RBAC from Yii. It is important to understand how it works. Extensions are mainly made to have a graphical administration for it.
http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control

Symfony2 - A good way to manage users

I'm starting a new project with Symfony 2 and I have to create and manage some users with a lot of personal information.
I must decide on a way to manage them, and I wish to receive some advice on choosing between the Symfony 2 basic implementation or FOSUserBundle, for example.
Use FOSUserBundle. It's easy to install and configure.
At the most basic level, it lets you easily handle user storage and authentication through the database. It requires that your user entity conform to some of its 'standards', but after that you're free to write your user entity how you see fit.
AFAIK, it's also the most popular user management solution for Symfony2 right now, so you should be able to easily find resources/information for it online.

Creating a login section - I'm new and need some serious direction please!

Alright. So I am new, I know my way around html pretty well, and have gotten by for a while now doing so. But today I am presented with a seemingly simple issue.
My client needs the ability for users to create their own LOGIN/PASSWORD, and my client wants to be able to MANUALLY approve visitors. He also wants to be able to track how many times they log in.
The login section will just be about 4 pages of PDF file downloads.
I can't imagine this is the hardest thing in the world, I just have no clue where to even start. Perhaps there is code already written, as things like this are done every day using forum technologies...
Please help!
It may also help to mention that I am using Dreamweaver cs4 on a MAC
I'd check out Ruby on Rails if I were you. It's pretty easy to get something quick up with it that you can have users create accounts with that send e-mails to the client with approve/reject options, and be able to track downloads and users via MySQL or other databases.
I've found Agile Development with Rails to be a great source of info on how to do stuff like this (they do an online bookstore as the book's example) and with a little modification I think it should work for what you say you want to do (and the book is pretty cheap as far as programming books go).
If you want just really basic static login features without lots of coding, you can start with Password protecting your pages with htaccess. You can password protect directories like this without any effort at all. This way, you can be sure that your login routine is secure.
Then, you can continue with advanced features like account administration and login statistics. These will require some programming skills.
Tracking count of user logins should be easy too. You can put simple PHP code to the source of protected pages that will save the info about login to the database. This will require you to study some basics of databases. You can use plaintext files which is not as clean but much easier and it will allow you to export info for your client more easily.
If you want to do it professionally, you should invest in learning about web development or hire someone to do it for you. These tasks might not be trivial.
Have you worked with PHP, ASP.NET or some other web language yet? What you're trying to do isn't too difficult in the grand scheme of things, but it may be somewhat challenging if you haven't programmed before and/or haven't had any experience with web development.
(P.s. Alter your question as a response and comment on my answer when you're finished.)
As you are looking into Ruby on Rails, take a look at bort, which is a RoR app skeleton with RESTful authentication included; it should help (Chris Bunch answered the general RoR question).
There is also this bort fork. There is also Authlogic which may be easier to work with.
Have a look at the ASP.NET Membership provider and also the login controls, which provide the UI for the login as well as registration screens out of the box.
Here is a Multipart Series on ASP.NET's Membership, Roles, and Profile
If this is too complex, then you can probably also design your application from scratch using ASP.NET. If you don't know ASP.NET, then the best place to start is www.asp.net; it has several videos and tutorials which would help you get going soon.