I am trying to create a project that involves two roles say admin and student is it Ok to provide two radio button and then checking out which role a user select and then upon selection perticular page is constructed ??
Is my approach wrong ? what would you suggest??
Why ask for the user to choose a role? based on the role, load the page.
Your application must be simple to navigate through. Try to minimize the user interaction as much as possible. Wherever you can calculate the users need, do it. Here, provide a login page with a username and password entries only. You can then check whether that user exists in the database. If yes, check which role he belongs to, and redirect him to the page corresponding to his role.
Related
Should I have one login form for ordinary user and admin
Or
should I have separate login form for admin and ordinary user?
It is OK to have the same form.
The purpose of the login page is authentication-- determine who the user is, not what they can do (see What is the difference between authentication and authorization?). So for example you might want them to submit a password or other token to reduce the risk that they are not the person they say they are. That can be the same process for everyone.
Certain features in your site may be available only to administrators or end users, but checking for permissions (authorization) can only be done after you're sure who the user is (they have authenticated). And logic to check for permissions should be present on every single page. So it has little bearing on what the authentication process is like.
You should just use one form for both admins and ordinary users if the log in information required is the same. Having two forms only makes the application more complicated to write. Having one or two login forms would be equally safe. Just remember to implement the correct security measures on the server side so a user does not get admin privileges.
The first step in authentication would be to check if the username exists, then check if the entered password matches the user's password in the database (passwords should be hashed). Then you can do authorization to check if the user is an admin.
While this seems to be asked in the form of an opinion, it makes more sense to answer this based on what most websites (or applications) do.
It really depends on the context. As a general rule, the same login form would be used for regular users and admin users. Generally, a parameter specifying whether the user is an admin would be stored in a database table for the users. The authentication method(s) that are executed upon clicking the login button will verify the user exists, check the password against the hash, then check the database table to see if the user is an administrator.
In some certain circumstances, I have seen a separate login page for administrators, but it is rare. One example might be a webstore that has an administration/management dashboard which is separate from the main site. Generally, though, these will work via the same form.
Hi I am working on a web2py project.
I use auth object to create login feature
And using the following code
auth.settings.extra_fields['auth_user']= [Field('address')]
So whenever, an user sign up for an account, the person need to put address.
What I would like to do is display the address in default/index.html when the user login to my application.(the user can view his own address only, not the others)
Do I need to deal with db.auth_user??
I have no clue...
Can you help me?
Thank you.
If the user is logged in, the entire user record is available in auth.user (which will have a value of None if the user is not logged in). So, to display the address in a view:
{{=auth.user.address}}
You could also retrieve the user record from the database via db.auth_user(id) or db(db.auth_user.id == id).select().first(), but using auth.user is more efficient, as it is stored in the session and therefore does not require a database query.
Here is the scenario. I have two objects Users (with username/password) and UserInfo with rest of the data related to user. The Users is an old table with thousands of records and UserInfo is fairly new. I want to get as much UserInfo as I can when the user first logs in.
I'd like to force user to a custom screen after first login and ask for the UserInfo data. Once I get the "required" data in the new screen, I dont show it till the user voluntarily wants to fill in the data under "Profile".
Since there are multiple entry points to the application, I dont want to update all the controllers to check for this.
Is there a way I can use a Spring Security filter or something which is executed on successful login? I had a look at ApplicationListener<AuthenticationSuccessEvent> but it doesnt solve the problem as if I copy paste the link in the browser, it lets me go ahead to the destination without asking for "extra information".
In a nutshell, I want a check after each login which, if fails, user is not allowed to enter the application. No matter how he tries to get in.
In your Config.groovy, configure Spring Security's defaultTargetUrl and tell it to always redirect there:
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/userInfo/edit'
In your UserInfoController's edit action, you can check that the required fields are present (userInfo.validate() perhaps?) and if they are, redirect to wherever you like, perhaps '/', otherwise render the edit info view.
You can adopt what #doelleri proposed and enhance the rule by those steps:
run a batch task to assign a temporary ROLE_DISABLED role to each user who does not provide supplemental information yet. If the user already had some roles, save them in some property.
setup your authorization rule as that users with ROLE_DISABLED role only allowed to access /userInfo/edit.
in /userInfo/edit, if the user has a ROLE_DISABLED role, render the information input view, and resume user's role after it successfully updated its information. Otherwise redirect to '/' or the path it requested.
I want to use a single form to login normal users and admins, i have a flag on entity 'isAdmin'. If it's an admin redirect to panel and set ROLE_ADMIN, if not redirect to site and set ROLE_USER.
this is possible, have other method to do this?
That seems to make no sense at all. You should set the user's role on registration not on login.
When user loggs in you can retrieve its object from database and get the role attribute to decide which view to load.
Check the console commands for fosuserbundle, you can "promote" a user with the ROLE_ADMIN. On every login he'll be assigned with that role automatically.
It won't be working with a "isAdmin" flag on your Model Entity, more likely to use a mechanism provided by fosuserbundle itself (didn't dig into that myself to be honest).
You also might want to check out https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/groups.md
I have wanted to ask. I have a table tlogin. user_nm the first field and second field pass. so when the login form, if I login as admin then there is a special menu for admin.
how to manage it? please help
ow....ya, I using access for database
Thx b4
Usually, you'd use a flag or secondary table related to each user to indicate what "rights" the user has. For instance, if using bit flags, you might have an extra field in your user table called IsAdmin, which would contain true if it's an administrative user, false if not.
Then, once the user has logged in and you've validated the password, you can check the IsAdmin field, and if true, allow them access to the appropriate functions.
that's a simplistic method but it would work. You normally WOULD NOT want to base rights solely on the user's name.