Managing SecUserSecRole in spring security - grails

I'm incorporating version spring-security-core:2.0-RC5 into an application - having successfully used the s2-quickstart approach. I'm trying to write some admin functionality to be able to create, edit and remove users within the application.
When I try and delete a user instance, in my user controller, I get an error as the associated SecUserSecRole instances, which define the specific roles the user have to be removed prior to deleting the user instance.
So I get the list of SecUserSecRole instances, within the user controller, and try to delete them using the command:
secUserSecRoleInsance.delete
But I get the error:
No such property: delete for class: vidplay.SecUserSecRole
I could create a controller for SecUserSecRole, but then I remembered that when creating users in the Bootstrap file and adding associated roles, in order to create instances of SecUserSecRole, I used the command:
SecUserSecRole.create user1, userRole, true
So presumably the spring security plugin has all these SecUserSecRole actions to be used.
Is this correct, or do I need to create a specific SecUserSecRole.delete action in my application, or what else should I do?
BTW, note that at the beginning of the Bootstrap I've added the line
def springSecurityService
I've also put this in my user controller.
Hope someone can advise.
-mike

delete is a method, not a property. delete() will do what you want.
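As an added example (not the asker's code or the plugin's), a transactional delete action that removes the join rows before the user. It assumes the s2-quickstart-generated classes SecUser and SecUserSecRole in package vidplay, whose join class has a 'secUser' property (so findAllBySecUser is the dynamic finder) and, in recent templates, a removeAll(SecUser) helper.

```groovy
package vidplay

import grails.plugin.springsecurity.annotation.Secured
import grails.transaction.Transactional

// Added example, not code from the question or the plugin. Assumes the
// s2-quickstart classes SecUser, SecRole and SecUserSecRole in package
// vidplay; the join class maps a composite id over 'secUser' and 'secRole',
// so its rows must be deleted before the user or the FK blocks the delete.
@Secured(['ROLE_ADMIN'])
class UserController {

    @Transactional
    def delete(Long id) {
        SecUser user = SecUser.get(id)
        if (!user) {
            render status: 404
            return
        }

        // Delete every join row first. findAllBySecUser is the dynamic finder
        // on the generated 'secUser' property; delete() is a method, so it
        // needs the parentheses the question left out.
        SecUserSecRole.findAllBySecUser(user).each { SecUserSecRole join ->
            join.delete()
        }
        // Equivalent one-liner if your generated join class has the helper:
        // SecUserSecRole.removeAll(user)

        user.delete(flush: true)
        flash.message = "User ${user.username} deleted"
        redirect action: 'index'
    }
}
```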

Related

Prevent access to another user using Grails SpringSecurityCore

I have the following question:
How do I prevent a user from accessing another user's data using SpringSecurityCore?
For example, prevent a student from accessing the data of another student. At the moment the two have the same role (role student),
and if I do student/show/1 I can see and edit the data. I want to stop that!
I can do it with the ACL plugin, using the @PreAuthorize tag, but it is deprecated and gives an error with version 2.5.1 of Grails.
The following is how I did it in ACL: only the ADMIN and the logged-in student have access.
    @PreAuthorize("(hasRole('ROLE_ADMIN')) or (isAuthenticated()) and (principal.id==#studentInstance.id)")
You can use the @Secured annotation at the method level instead. Then compare the principal ID like you're already doing. Finally, render a 403 status when the principal doesn't match.
    render(status: 403)
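One way to implement the answer's advice, as an added example that is not the asker's code: @Secured at the method level plus a per-record ownership check that renders 403. It assumes a Student domain class whose id equals the authenticated user's id (the relation the original @PreAuthorize rule relied on) and the springSecurityService bean the plugin injects.

```groovy
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Added example, not the asker's code. Assumes a Student domain class whose id
// equals the authenticated user's id (as the original @PreAuthorize rule did)
// and the springSecurityService bean provided by the plugin.
class StudentController {

    def springSecurityService

    // @Secured only proves the caller holds a role; every student passes it,
    // so ownership must be checked per record inside the action.
    @Secured(['ROLE_STUDENT', 'ROLE_ADMIN'])
    def show(Long id) {
        Student studentInstance = Student.get(id)
        if (!studentInstance) {
            render status: 404
            return
        }
        if (!canAccess(studentInstance)) {
            render status: 403      // flat 403: no redirect, no record data
            return
        }
        [studentInstance: studentInstance]
    }

    // Same decision as the deprecated expression:
    // ROLE_ADMIN, or an authenticated principal whose id matches the record.
    private boolean canAccess(Student studentInstance) {
        if (SpringSecurityUtils.ifAllGranted('ROLE_ADMIN')) {
            return true
        }
        def principal = springSecurityService.principal
        principal != null && principal.id == studentInstance.id
    }

    // The same check guards the write path the asker is worried about.
    @Secured(['ROLE_STUDENT', 'ROLE_ADMIN'])
    def update(Long id) {
        Student studentInstance = Student.get(id)
        if (!studentInstance || !canAccess(studentInstance)) {
            render status: studentInstance ? 403 : 404
            return
        }
        bindData(studentInstance, params, [exclude: ['id']])
        if (!studentInstance.save(flush: true)) {
            render view: 'edit', model: [studentInstance: studentInstance]
            return
        }
        redirect action: 'show', id: studentInstance.id
    }
}
```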

How to customize rolePrefix in Grails using Spring Security plugin?

I am working on a grails 2.3.8 project and trying to customize the Role Hierarchy. I am trying to change the default value of rolePrefix = 'ROLE_' in resources.groovy with rolePrefix = 'PERM_'. I understand that to make this work, I need to make the following changes in my Config.groovy into something like:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'tpo.core.acl.AdminAccount'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'tpo.core.acl.AdminAccountPermission'
grails.plugins.springsecurity.authority.className = 'tpo.core.acl.Permission'
And to establish hierarchy, I need to add this too in my Config.groovy
grails.plugins.springsecurity.roleHierarchy = '''
PERM_ACCOUNT_ALL > PERM_ACCOUNT_CREATE
PERM_ACCOUNT_ALL > PERM_ACCOUNT_READ
PERM_ACCOUNT_ALL > PERM_ACCOUNT_UPDATE
PERM_ACCOUNT_ALL > PERM_ACCOUNT_DELETE
'''
So in my Controller, it is something like,
    @Secured(['PERM_ACCOUNT_ALL'])
    def index() {
        redirect(action: "list", params: params)
    }
When I try to run my application and access my controller's index() action, I was prompted to log in; this is expected because of the presence of @Secured(). But having successfully logged in, I was still not able to access the index() action, and it displayed "Sorry, you're not authorized to view this page." The permission was assigned to the user that I used to log in, but I was still not able to access it.
What am I missing?
There's a lot more to it than that :)
The reason that the plugin doesn't allow this change is to support the standard voters. Currently there are three styles of strings that can be used to specify access rules - role names, SpEL expressions, and the funky "IS_AUTHENTICATED" ones - IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, and IS_AUTHENTICATED_REMEMBERED. Additionally there's a new way that was added for the 2.0 release - using a Closure and any arbitrary Groovy code inside of it, but that's unrelated to role names.
Each of the registered voters is queried to determine if they "support" (i.e. can vote on) each of these tokens. The logic is currently rather straightforward - the "IS_AUTHENTICATED_..." strings are handled by one voter, strings starting with "ROLE_" are handled by another, and everything else is assumed to be a SpEL expression.
To be honest, I think since roles would have to have been "registered" at startup anyway (to specify what access rules are allowed for each role in annotations, Config.groovy, etc.) the role voter could do more than just check that the string starts with some prefix - it could look at its collection of known role names. So it probably wouldn't be too much work to add support for custom role prefixes for the 2.0 release, and I'll look into that. But for now, the plugin is as customizable as possible in every way except for this one.
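As an added illustration (not the plugin's or Spring Security's code), a simplified Groovy model of the dispatch described above: the voter classes and the toy hasRole() evaluator are stand-ins, and the decision rule is reduced to "the first supporting voter decides". It shows why a PERM_-prefixed string never reaches the role voter.

```groovy
// Added illustration, not the plugin's or Spring Security's source: a simplified
// model of the dispatch the answer describes. Each voter says whether it
// "supports" an access-rule string, and only the first supporting voter decides.
enum Vote { GRANTED, DENIED }

abstract class Voter {
    abstract boolean supports(String attr)
    abstract Vote vote(Set<String> auths, boolean authenticated, String attr)
}

// Stand-in for AuthenticatedVoter: exactly the three IS_AUTHENTICATED_* tokens.
class AuthenticatedVoter extends Voter {
    static final Set<String> TOKENS = ['IS_AUTHENTICATED_ANONYMOUSLY',
        'IS_AUTHENTICATED_FULLY', 'IS_AUTHENTICATED_REMEMBERED'] as Set
    boolean supports(String attr) { attr in TOKENS }
    Vote vote(Set<String> auths, boolean authenticated, String attr) {
        (attr == 'IS_AUTHENTICATED_ANONYMOUSLY' || authenticated) ? Vote.GRANTED : Vote.DENIED
    }
}

// Stand-in for RoleVoter: supports only strings starting with its prefix.
// The plugin does not expose this prefix, which is the asker's whole problem.
class RoleVoter extends Voter {
    String rolePrefix = 'ROLE_'
    boolean supports(String attr) { attr.startsWith(rolePrefix) }
    Vote vote(Set<String> auths, boolean authenticated, String attr) {
        attr in auths ? Vote.GRANTED : Vote.DENIED
    }
}

// Stand-in for the SpEL path: whatever the other voters skipped. This toy
// evaluator only knows hasRole('X'); a bare PERM_ACCOUNT_ALL token is not an
// expression it can grant, which is the denial the asker saw.
class ExpressionVoter extends Voter {
    boolean supports(String attr) { true }
    Vote vote(Set<String> auths, boolean authenticated, String attr) {
        def m = attr =~ /^hasRole\('([^']+)'\)$/
        (m.matches() && m.group(1) in auths) ? Vote.GRANTED : Vote.DENIED
    }
}

// First supporting voter handles the attribute, in the order the answer gives.
boolean decide(List<Voter> voters, Set<String> auths, String attr) {
    voters.find { it.supports(attr) }.vote(auths, true, attr) == Vote.GRANTED
}

def voters = [new AuthenticatedVoter(), new RoleVoter(), new ExpressionVoter()]
def granted = ['PERM_ACCOUNT_ALL'] as Set           // what the asker assigned
assert !decide(voters, granted, 'PERM_ACCOUNT_ALL')  // RoleVoter never sees it
assert decide(voters, ['ROLE_ACCOUNT_ALL'] as Set, 'ROLE_ACCOUNT_ALL')
assert decide(voters, granted, 'IS_AUTHENTICATED_FULLY')
```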

Security and use actions in CakePHP

I'm new to CakePHP. I'm doing a web application in CakePHP 2.3.5; my application has several controllers with a corresponding model for each controller. I have actions with their respective views, and other actions that simply have no view and are used by other actions.
I have two questions:
One of these actions is to remove an entity. Is there any way to stop the user from executing such actions through the browser by entering the URL (e.g. ... / estudiantes/delete/6)? Meaning that only other actions can launch them, not web browsing.
Two, I have several user pages belonging to different roles; of course there will be actions that a specific profile cannot use and others that it can. For this I use the function "IsAuthorized" on each controller, controlling every action and checking the user and the role it plays using the session. Would that be right?
First question: yes, just change the delete action to protected or private and only other actions within your controller can access it. Or, if you're trying to use it with AJAX or POST, add this in the delete action:
    public function delete($id = null) {
        if ($this->request->is('ajax') || $this->request->is('post')) {
            // do delete
        } else {
            // redirect or throw error or sad face
        }
    }
Second question: yes.
Or you could use plugins, like ACL.

customize sfApplyApply or create separate module?

I'm not sure if I am approaching this the right way; looking for some input from the community.
I'm using the following plugins:
    sfDoctrineGuardPlugin              // for user management
    sfForkedDoctrineGuardApplyPlugin   // for registration of new users
What I'm trying to achieve:
I'd like to allow my registered users to register child-users. To do this, the child-users that they create must inherit a couple of the parent's attributes (their corporate_id, employer_type, etc. in the child-user's profile at bind time). Setting these attributes has been challenging, as from what I can surmise from my research, the sfApplyApply form does not have setters that can be overridden.
As an alternative, I attempted to create a whole new "user" module which uses the sf_guard_user table schema. This worked somewhat, but it lost the features found in the registration plugin (email confirmation), and it was not salting the password or something, because I was never able to log in a user created this way - it always produced an error saying the username or password were incorrect.
So the question is, what's the best approach to achieve my desired result?
In your action:
    public function executeNew(sfWebRequest $request)
    {
        $this->form = new sfApplyChildApplyForm();
    }
In the plugin forms, create a form called sfApplyChildApplyForm modeled after sfApplyApplyForm.
That's it.

How to configure NHibernate to not save an object in the current session

I have three entities: Users, Roles and Permissions.
There are two controllers: UserController and RolePermissionController. All controllers are wrapped by an NHibernate Session.
When I fill in the Role Permissions, the User doesn't exist yet. So I store my new Permission object in the ASP.NET MVC session. I want to save the new Role with its permissions when I create the User in the UserController.
But when I filled the new Role with existing Permissions (I got them from the DB via NHibernate) and went to the UserController, the new Role object was created without any call to Session.SaveOrUpdate or any other method.
I tried to use Evict after filling my new role with existing permissions:
    Microsoft.Practices.ServiceLocation.ServiceLocator.Current.GetInstance<ISession>().Evict(newRole);
But it didn't help.
So I want to tell NHibernate: don't save the entity in this transaction (RolePermissionController), but save it as an entity connected to the User object in the UserController.
This doesn't answer your question directly, but it still might be a solution: how about collecting all the information through a ViewModel, so that you end up with a single controller action that takes the information from the ViewModel and creates the Role and the User at the same time (i.e. during the same request), with no need for messy session stuff.
Maybe not the answer you were looking for, but I've done something similar this way, and it works just fine.