Role Management in N2 - asp.net-mvc

N2 CMS has the following roles by default: Everyone, Members, Writers, Editors and Administrators. It allows you to assign users to these roles and offers role assignments for each editable page.
Is there a way to easily create additional roles for specifying which groups of users can edit certain pages? Maybe a configuration option in the n2 section of the web.config?

Click on Settings and check "show non pages in navigation". Open the Users node for editing. You will see one role per line. Add your role on a new line.
Next, change web.config to add your new role as an editor:
<editors dynamic="true" roles="Editors,NewRole" />

Related

TFS Work Item AssignedTo dropdown missing items

I added a TFS group [Projects]\Business Analysts. Some of the people assigned to this group do not show up in the dropdown. Anyone know why this would happen?
Additionally, when I access the AssignedTo field from the context menu on the backlog page the names are completely different than those on the Product Backlog AssignedTo List.
Here is work item definition for the group:
<FIELD name="Assigned To" refname="System.AssignedTo" type="String" syncnamechanges="true" reportable="dimension">
<ALLOWEXISTINGVALUE />
<ALLOWEDVALUES expanditems="true" filteritems="excludegroups">
<LISTITEM value="[Project]\Business Analysts" />
</ALLOWEDVALUES>
<HELPTEXT>Organizer of product feature</HELPTEXT>
</FIELD>
Are the people that are not showing up part of the project in any way? Did you put the full group inside one of the OOB groups (Contributors, Admins, etc.) or in a team in this project? If the missing individuals don't have access to the project they won't show up in the dropdowns; this rule doesn't add them to the project, it just filters users in that group in the Assigned To field.
Some of the people assigned to this group do not show up in the dropdown.
The drop down is actually a cached list of users you have assigned tasks to in the past.
So, you just need to enter their first name or email address to search for them and assign the task to them. Next time, you will see them in the drop down list.
Detailed steps:
When assigning a user to a task, enter their first name and click the search button. The user should be brought back by the search. Assign the user to the task.
Next time you go to assign a user to a task, if you click on the drop down, the list should now display the user as it is now cached.
For details please take a look at Ewald Hofman's response in this question: TFS-2015 limiting user list
If you are still not able to see those users after manually searching for their name/e-mail, then you may have to check the corresponding permissions. Make sure all of them have sufficient permissions.
Hope this helps.

Grails Prevent HTML modifications

I'm looking for a way to prevent HTML form user modifications, based on this example:
The "User" entity has an enum Role (User, Administrator etc.) and there's a UserController that displays a g:form for first, last and email. The controller's action does user.properties = params.
Now, a user can modify the HTML form with Firebug or the Chrome Web Developer tools, rename the text field firstname to role, enter "Administrator" and will be granted Administrator rights.
There's useToken="true" and the withForm closure, but this just seems to prevent the user from double-submitting the same form. Besides, this works with sessions and is therefore not really scalable over multiple servers.
I'm using Grails 2.3.6. Is there a way to prevent such things other than not using xxx.properties = params?
You can give a list of allowed properties. For your example:
user.properties['first', 'last', 'email'] = params
You should always give the list for security. Search in the grails documentation for 'Data Binding and Security Concerns'.
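To make the difference between the two binding forms concrete, here is an added example in plain Java (it is not code from the question, the answer or Grails itself). A hypothetical User class stands in for the Grails domain class; bindAll models what `user.properties = params` does, and bindAllowed models the allow-listed `user.properties['first', 'last', 'email'] = params`. The request map is constructed to look like a form whose "firstname" field was renamed to "role" in the browser's developer tools.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Added example, not part of the original page or of Grails: a mass-assignment
// binder beside its allow-listed form.
public class MassAssignmentDemo {

    enum Role { USER, ADMINISTRATOR }

    // Hypothetical entity standing in for the Grails "User" domain class.
    public static class User {
        private String first = "";
        private String last = "";
        private String email = "";
        private Role role = Role.USER;

        public void setFirst(String v) { first = v; }
        public void setLast(String v) { last = v; }
        public void setEmail(String v) { email = v; }
        public void setRole(String v) { role = Role.valueOf(v.toUpperCase()); }
        public String getFirst() { return first; }
        public String getEmail() { return email; }
        public Role getRole() { return role; }
    }

    // Unrestricted binding: every request parameter with a matching setter is
    // applied, including ones the form never rendered. Mirrors `user.properties = params`.
    static void bindAll(Object target, Map<String, String> params) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            invokeSetter(target, e.getKey(), e.getValue());
        }
    }

    // Allow-listed binding: only parameters named in `allowed` are applied.
    // Mirrors `user.properties['first', 'last', 'email'] = params`.
    static void bindAllowed(Object target, Map<String, String> params, Set<String> allowed) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (allowed.contains(e.getKey())) {
                invokeSetter(target, e.getKey(), e.getValue());
            }
        }
    }

    private static void invokeSetter(Object target, String name, String value) {
        String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
        try {
            Method m = target.getClass().getMethod(setter, String.class);
            m.invoke(target, value);
        } catch (NoSuchMethodException ignored) {
            // Parameter without a setter: dropped, as a data binder would do.
        } catch (ReflectiveOperationException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        // Constructed request: the form only rendered first/last/email, but the
        // client renamed a field to "role" before submitting.
        Map<String, String> tampered = Map.of(
            "first", "Mallory", "email", "mallory@example.com", "role", "Administrator");

        User u1 = new User();
        bindAll(u1, tampered);
        System.out.println("unrestricted bind -> role = " + u1.getRole());

        User u2 = new User();
        bindAllowed(u2, tampered, Set.of("first", "last", "email"));
        System.out.println("allow-listed bind -> role = " + u2.getRole());
    }
}
```

Run with `java MassAssignmentDemo.java` (Java 11 or later). The first line reports ADMINISTRATOR, the second USER: the allow-list is what keeps a privileged property out of reach of a client that controls the request, and a CSRF token (the withForm closure) does nothing against this because the request is sent by the legitimate user.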

Restrict editing a field in TFS

Is it possible to restrict users from editing a field in TFS based on a user? For example, suppose there is a State field and an Owner field. Only the user selected in the Owner field should be allowed to update the State field; it should be read-only to the rest of the users.
You can define a rule of a field to achieve it.
Just edit the process template and make the field only editable by Admins. (You may need to install the power tools or use witexport and a good XML editor to do all the work)
<FIELD refname="System.Description" name="Description" type="PlainText">
<READONLY for="[Project]\Contributors" not="[Project]\Project Collection Administrators" />
</FIELD>
More info from MSDN: Apply a rule to a work item field
Restrict modification of a field to a group of users:
Use not to exclude a group from a rule. This example defines the Triage Description field as read-only for everyone except those users in the Triage Committee group.
<FIELD name="Triage Description">
<READONLY not="[Project]\Triage Committee" />
</FIELD>
Update
You can also add some restrictions during the transition between two states. Please see the steps and screenshot below for more info.
Detailed steps:
Open the Work Item Type from the server (needs TFS Power Tools)
Right click the transition and select 'open details'
Select for or not and add the owner to a group. If you select this group, only the users in this group will be allowed to update the State field.

ASP.NET MVC 5 Customise Bootstrap navbar based on User Role

I'm using the ASP.NET MVC 5 built-in authentication methods. I would like to show and hide links (in the menu navbar) based on the role the user is in.
Has anyone achieved this?
Where would be a starting point?
Just wrap your links in:
@if (User.IsInRole("SomeRole"))
{
    ...
}
You can use MvcSiteMap for this. It has a feature called SecurityTrimming which uses the [Authorize] attribute on your action methods to decide whether or not to display the menu item.
I know it's frowned upon to post a links in answers but I found this blog post very useful.
In addition to the role-based menu visibility, I added custom attributes to the MvcSiteMapNodes to determine visibility of links that were accessible to users but I didn't want shown in the menu (e.g. Edit pages), and I also added icon attributes which allowed me to use the bootstrap menu icons e.g:
<mvcSiteMapNode title="Till" controller="Home" action="Index" area="Till" iconClass="icon-home" visibility="true">
I went a bit off-topic there, but I just wanted to highlight how flexible MvcSiteMap is.
Two things I do. Either
@if (User.IsInRole("admin"))
{
    link somewhere
}
Or, what I personally do because I use areas: I have a _ViewStart in the admin area which links to the admin shared view model, and the admin shared view links to the public view.
In the admin shared view I set up a section. Inside this section I define the extra nav details that the specific role will see and add them in a list tag.
Then inside the public shared view I use (on my phone, can't remember the exact name, something like)
Html.IsSectionDefined
I personally like the second method using areas and sections. Both would work fine, but with the second I find it much cleaner; you can be much more specific and it is much simpler.

Is my approach of giving access to users correct?

I am applying Spring Security on my JSP page. I need to show different parts of the page to users with different roles. The roles are as follows:
All authenticated users > Edit and Add New
Admin > Delete, Edit and Add New
Anonymous > Add New
<sec:authorize
access="isAuthenticated()">
Code of add new and edit buttons
</sec:authorize>
<sec:authorize
access="hasAnyRole('ADMIN')">
Code to add new, edit and delete buttons
</sec:authorize>
<sec:authorize
access="isAnonymous()">
Code to add new
</sec:authorize>
I am wondering if there is an easier method. In this case, if I want to modify the access of a specific role I have to change its access rules in the security.xml file and in every page where I have set the role access.
For example, let's say I want to prevent the Admin role from accessing the delete button; then I have to change the code of security.xml and all the JSP pages where the Admin role was authorized to view the delete button.
Is there any easier method to do it?
There can be a solution using a set of rights, contained in the role object as a collection.
After this implementation you can check the relevant right before showing buttons, and if you want to change anything in your security architecture you can easily manage it by granting or revoking rights from the related role.
An example of this can be seen in the link below.
http://en.tekstenuitleg.net/blog/spring-security-with-roles-and-rights
I don't think there is a built-in solution for this. You could set up a fine-grained role system, assigning, say, an edit role, a delete role and so on. Then you can assign these roles more freely.
If you want to keep it easy for the user (like still only showing admin and user roles) you might have to mask the actual roles behind a mapping between the roles and the titles shown to users.
Another approach would be to set up global parameters for each action (edit, delete, etc.) in which you specify the roles that shall be allowed for the action. This way you wouldn't hardcode the roles into your application but map them through the global parameters.
Looking forward to seeing if someone else comes up with a better idea.
Edit to specify the approach of mapping by global parameters (refined, the mapping would be stored in a DB, but that is getting from an ad hoc solution to implementing an ACL):
With global parameters I just meant something like a rightsMapping.properties. In this file you would map something like this:
right.edit=ROLE_USER, ROLE_ADMIN
right.delete=ROLE_ADMIN
etc...
After that you can just insert the rights into the JSF pages using something like this:
<f:loadBundle basename="rightsMapping" var="rights"/>
....
<h:commandButton value="edit" .... rendered="#{hasRole(rights.edit)}"/>
This is a pretty easy hands-on solution which can be refined by using, for example, a mappings table in the DB, a bean evaluating access rights, etc. But the basic idea of mapping the fine-grained rights to the roles stays the same.
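The rights-to-roles mapping sketched above, carried through as an added Java example (not code from the answer, the linked blog or Spring Security). It parses the same `right.<name>=ROLE_A, ROLE_B` property format, answers "may a user with these roles perform this action?", and shows that revoking delete from admins is a one-line change to the properties text rather than an edit to every JSP. The user's roles are modelled as a plain Set of authority names, which is an assumption standing in for the GrantedAuthority list Spring Security would supply; the properties content is constructed inline.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

// Added example, not part of the original page: rights mapped to roles through
// a properties file, so pages ask for a right and never name a role directly.
public class RightsMapping {

    private final Map<String, Set<String>> rolesByRight = new HashMap<>();

    // Parses lines such as `right.edit=ROLE_USER, ROLE_ADMIN`; keys without the
    // `right.` prefix are ignored, an empty value grants the right to nobody.
    public static RightsMapping load(String propertiesText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(propertiesText));
        RightsMapping m = new RightsMapping();
        for (String key : p.stringPropertyNames()) {
            if (!key.startsWith("right.")) continue;
            String right = key.substring("right.".length());
            Set<String> roles = new HashSet<>();
            for (String r : p.getProperty(key).split(",")) {
                String t = r.trim();
                if (!t.isEmpty()) roles.add(t);
            }
            m.rolesByRight.put(right, roles);
        }
        return m;
    }

    public Set<String> rolesFor(String right) {
        return rolesByRight.getOrDefault(right, Collections.emptySet());
    }

    // True if any of the user's roles is granted the right. A right that is not
    // in the mapping at all is denied, so a typo in a page fails closed.
    public boolean hasRight(Set<String> userRoles, String right) {
        for (String r : rolesFor(right)) {
            if (userRoles.contains(r)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed rightsMapping.properties content (ROLE_ANONYMOUS is the
        // authority Spring Security gives unauthenticated users by default).
        String before = "right.add=ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN\n"
                      + "right.edit=ROLE_USER, ROLE_ADMIN\n"
                      + "right.delete=ROLE_ADMIN\n";
        Set<String> admin = Set.of("ROLE_ADMIN");
        Set<String> user = Set.of("ROLE_USER");
        Set<String> anonymous = Set.of("ROLE_ANONYMOUS");

        RightsMapping m = load(before);
        System.out.println("anonymous may add:   " + m.hasRight(anonymous, "add"));
        System.out.println("user may edit:       " + m.hasRight(user, "edit"));
        System.out.println("user may delete:     " + m.hasRight(user, "delete"));
        System.out.println("admin may delete:    " + m.hasRight(admin, "delete"));
        System.out.println("admin may 'publish': " + m.hasRight(admin, "publish"));

        // Revoking delete from admins: one line in the file, no page changes.
        String after = before.replace("right.delete=ROLE_ADMIN", "right.delete=");
        RightsMapping revoked = load(after);
        System.out.println("admin may delete after revoke: " + revoked.hasRight(admin, "delete"));
    }
}
```

Run with `java RightsMapping.java` (Java 11 or later). A page fragment then reads `rendered="#{rightsBean.hasRight('delete')}"` for every delete button, and which roles that resolves to is decided in one place. Keep the server-side checks (method security or URL rules) keyed off the same mapping; hiding a button only improves the UI, it is not the authorization decision.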
I suppose that you have the same rights for Edit buttons everywhere in your app. In this case you can extract the authorization code into a custom tag (I recommend JSP tag files). For each edit button you will use your custom tag:
<customtags:hasEditPermission>
Edit button code goes here
</customtags:hasEditPermission>
All permissions will be declared once in your hasEditPermission.tag:
<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<sec:authorize access="hasAnyRole('ADMIN')">
<jsp:doBody/>
</sec:authorize>
So in a case of new POWER_USER role you need to modify just one file:
<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<sec:authorize access="hasAnyRole('ADMIN', 'POWER_USER')">
<jsp:doBody/>
</sec:authorize>
You can prepare and use tags for "Add new" and "Delete" buttons too. Hope this helps.
This is probably what you are looking for, with sample code
In your case, you would have BF_ADD_XXX, BF_EDIT_XXX and BF_DELETE_XXX etc.
This allows you to grant/revoke particular permissions (or BFs or business functions or whatever you want to call them) to/from particular roles.