In Symfony CMF there is a PublishableInterface. This seem to only handle whether a node is published but is not meant to function as Role based security. Or is it?
Let's say I want a specific StaticContent page to only be accessible, and only show in menus if the user has a role ROLE_PREMIUM_CONTENT.
How to implement a role requirement for Symfony CMF content or routes?
You can write your own publish workflow voters and tag them with cmf_published_voter - inject the security into the voter and let it decide on documents. you can add your own interface of course, for example to let the document specify which role it requires. menu entries are automatically hidden when the linked content is not published.
the details are explained in the documentation: http://symfony.com/doc/current/cmf/bundles/core/publish_workflow.html#publish-voters
Related
I’m currently building an ASP.NET MVC 5 EF6 blogging web application.
I have two databases and contexts :
-a database for the actual data of my application (blog posts, blog categories, tags, etc) .
-a database for authentification and membership purpose (users and roles).
I am able to authorize a given user the right to add/edit/delete blog posts, using the authorize attribute in the BlogPostcontroller :
[Authorize(Roles=”Administrator,Author”)]
and it works pretty well..
MY GOAL : let’s imagine I want to grant an user the right to add/edit/delete a subset of all the blog post or blog categories (let’s say only to the “Cooking” and “travel” blog categories).
I started to think about creating a navigation property between the user and the blog category entities, but apparently foreign keys between two separate databases are not supported by the entity framework.
Do you guys have an idea of a walk-around for this problem?
Your help will be much appreciated.
This is what you need.
http://typecastexception.com/post/2014/02/19/ASPNET-MVC-5-Identity-Implementing-Group-Based-Permissions-Management-Part-I.aspx
Basically, the privileges is what you will need to configure and associate user roles.
If you want to keep your authorization data separate from your business data, i.e. in 2 separate databases where one contains user information and permissions and the other contains your blog data, then what you actually want to achieve is externalized authorization. That's actually a great intent. After all, do you keep authentication information with your application data? Of course you don't.
Different frameworks give you externalized authorization capabilities. For instance, in .NET, you have claims-based authorization.
You can also take a generic approach and use XACML, the eXtensible Access Control Markup Language. XACML uses attributes (it's an attribute-based access control model as opposed to simply role-based) and combines them into policies & rules to define what can happen. For instance, with XACML, you can write the following rule: A user can edit blog posts he/she owns.
In XACML, you have the notion of an authorization engine called the Policy Decision Point (PDP). That PDP links together all the information it needs to make decisions. In your case, it will use the 2 separate databases and create the relationships on them.
Now, if your use case is simple, using XACML might prove too much. In that case, just use claims-based authorization.
I am relatively new to umbraco and have just got the site build but the clients request for a microsite with a completely new look and feel.
So how do I set up a new microsite in umbraco.
Please Help.
Thanks a ton
To give pages within Umbraco a completely different look and feel from the others, there's a few different ways you can go. Obviously there's more than one way to solve a problem, but I'll just mention a few that I can think of and explain how they'd work.
Create a new master page template that has your new design, then create child templates for each document type, to include a home page, a standard text page and anything else you may need. Assign these templates to the document types that will use them.
Pros: Easiest approach. Allows most flexibility in design.
Cons: The user can choose the wrong template or forget to set the right template.
Create separate templates as in option 1, but also create separate document types. Assign the templates only to the new document types. Each document type can extend your existing ones to inherit the same properties or you can create entirely new ones.
Pros: Ensures that the uses uses the correct template all the time. Allows most flexibility in design. Allows site specific customization - can add or remove properties.
Cons: The number of document types doubles and therefore the amount that appears for the user to select. Of course the number that they see can be limited by what templates they are allowed to create.
Use existing templates, but include a check that determines which site is being visited, depending on the path or subdomain, etc., then dynamically load different style sheets.
Pros: You do not need to create separate templates or document types for the microsite.
Cons: Your master template's markup will have to be generic enough to compensate for both designs, therefore it isn't as flexible.
Once you choose an option for how you will structure and style the pages of the microsite (and remember that my list is not conclusive), you will need to determine where to setup the node structure. The best option here, if the microsite will be subdomain or if it has its own domain, would be to add it as a separate home node first and then add all of its own pages below it. Then you can actually setup a different host reference for the site within Umbraco. There have been a few answers on SO that mention how to do that:
Assigning hostnames in umbraco
Publishing multiple sites on a single instance of umbraco
Here are some basic steps to allow Umbraco to use other domain names:
Setup your web server to accept host headers for the specific domain/subdomain. In IIS 7.5, this can be done by adding bindings for the domain/subdomain.
The new node needs to be a direct child of the Content node.
Right-click the node and choose "Manage hostnames". Then add the domain/subdomain URL.
Hope that helps! Feel free to ask more questions.
The Spring Security UI plugin, among other things, provides a registration page. On this page are 4 fields: username, email, password, and verify-password. It uses a regular architecture of controller and gsps. Staying with a single page registration for the user, I need to add a bunch of fields -- e.g. address, payment info, etc.
Any thoughts / recommendations on how to extend this plugin's page, so that I can get updated versions and incorporate them without too much re-integration. It's almost like one part of the page should go to the UI controller, and the other parts of the page should go to my controller. Note the UI controller usees regular forms (i.e. not ajax).
Thanks
To custom configure the Spring Security UI plugin I'd first of all have a look at the existing plugin code to get a handle on how it works and then run the override scripts that you require as detailed at:
http://burtbeckwith.github.com/grails-spring-security-ui/docs/manual/guide/10%20Customization.html
In your case you'd need:
grails s2ui-override register com.my.packagename
Jim.
Assuming you used the s2-quickstart script to create the domain classes, controllers, and GSPs, you have 2 options for customising the User domain class
add your custom properties (address, payment info, etc.) directly to the User domain class created by the plugin
create your own User domain class that extends the one generated by the plugin. Add your custom properties to the subclass
According to this article, the latter approach is preferable because:
because it allows you to easily update the generated user domain class
if its template ever changes. It also means you don't overly pollute
your domain model with Spring Security specifics. On the downside, you
have to deal with domain class inheritance, although the cost is
pretty minimal.
You'll also need to add the custom fields to the GSPs. The controller actions probably won't require any modifications.
I have a super simple ASP.NET MVC application that uses RpxNow (OpenID) to allow users to login. I now want to let users edit their own account and provide administrator access to edit anyone's account.
I have two separate "Edit Account" views:
~/account/edit/
~/account/edit/1
The first loads the account details based on the logged in user. The second loads the account details using the supplied AccountId. The first would be for standard users, and the second for an administrator.
Firstly I need to define the roles (User, Admin) and then I need to assign a user account (or multiple) to that role.
Then I need to check the role in the controller. I like this concept:
http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/
So, down to the questions:
Is there a simple way to define a list of roles in the web.config?
Is there a simple way to define which users are in which roles in the web.config?
Is there a way to do this WITHOUT using Membership / Role providers?
Am I approaching this from the wrong perspective? Should I be partioning the application into two branches and securing them based on folder authorisation?
I'm not a friend of storing authorization data in web.config. I prefer storing it in database or other xml files.
Have a look at Xml Membership / Role Provider. This uses Membership / Role for reading userdata but it shows a way storing and reading user authorization data from xml files.
Braching the application woulded move the issue and not solve.
Remember that the entire permissions plumbing still really revolves around IPrincipals, the Role/Membership providers are just window dressing to allow most applications to not have to write that plumbing code. In this case, you could easily add a database-backed (or just static if the list is short enough) list of roles and a list of users in roles and query that. Wrap it up behind a custom IPrincipal and stuff that puppy in there at the appropriate place and you are golden.
I'm having a huge problem in understanding Membership with MVC. We have in our project controllers named "Admin" and "SuperAdmin" and they are restricted to some users.
Do I have to use the Authorize Roles attribute on each Action or can I use a ActionFilter to check if an user can view a certain page?
And if I have to user Roles attribute, do I have to configure each user on the ASP.NET Configuration tool? For example, "SuperAdmin" will be only a few users (around 3 at top), making easy to use ASP.NET Configuration tool and tells it who these users are. But "Admin" users will be many more... how can I configure them?
I'm totally lost!
I need a great clarifying on that!
Thanks a lot!!!
You can apply the AuthorizeAttribute to controllers as well as actions. If you apply it to the controller, each method will have its access restricted with respect to the attribute. You can also apply another instance of the attribute to individual actions to further restrict access if necessary based on other roles. You will need to put the individual users in their roles for them to have access to role-controlled controllers/actions.