I am creating an online survey tool.
As an administrator, i would like to see what the users have answered and also be able to answer on their behalf. The system get's a users answers and other information based on his/her username, when they are logged in, using the built in membership provider.
There are currently three roles: Administrator, Moderator and Respondent
If i would like to show my administrator a list of users,
how would it be possible to create a "backdoor" for the administrator, so that he can "log" in as the user, see the users answers etc ? (Just like the user would be able to if he was logged in to his own account).
When answering and retrieving quyestions, the system is bound to `User.Identity.Name
My suggestion on how to solve this:
Currently, when i want to retrive a users answers i use the following code:
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
This is because i have a table named Firma, that has a column referencing to a users Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table, that match question_id and Firma_ID (A users answers for a specific question).
Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
to retrive the Firma_ID of a given user, i could store it in the Session upon Login. When i want to view a specific users Answers as Administrator, i would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:
[Authorize(Roles = "Administrator")]
Also, i would set the Session timeout to be the same as the Authentication timeout.
Can somebody tell me which pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session? (Firma_ID)?
Thanks
If you only need to log in as your users, I went for a ticket-method.
I have a special login-page that can take a ticket-id. This ticket is created in the admin-gui when the admin wants to log in as another user. The login-page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As an added security, a ticket is only valid for 10 seconds after creation.
Another option is to make answers from users available from the admin-gui...
also you can do in your log-in script override
so you have at present something like
if user name and password match string then user is logged in and based on this you get user permissions
instead have admin page,
where you can select user and then you can apply permissions of the user instead of admin.
Related
A react application queries the Microsoft Graph to discover if a user is a member of a particular active directory group. Right now, there's this route:
https://graph.microsoft.com/v1.0/me/memberOf
The above does work in the application. It returns a (fairly sizable) object containing all of the user's groups, so I could iterate through the list, but it would be nice to directly check if the user is a member of a single group.
Given that I can already see the list of all groups, this doesn't seem like it should be difficult, but I'm not finding the route to do so.
Am I missing something obvious?
Thanks.
P.S. It would be nice if I could do this without requiring administrator permission on the application registration.
If you already know the group's ID, you can get the members of that group, and check whether the user is a member. I.e. the inverse of what you are doing now.
Or, if you have both the user's and the group's ID, you can filter like this:
https://graph.microsoft.com/v1.0/users/48d31887-5fad-4d73-a9f5-3c356e68a038/memberOf?$filter=id eq '1e770bc2-3c5f-487f-871f-16fbdf1c8ed8'
The first ID is the user, and the filter's ID is the group.
If it is for the currently signed in user, you can shorten it to
https://graph.microsoft.com/v1.0/me/memberOf?$filter=id eq '1e770bc2-3c5f-487f-871f-16fbdf1c8ed8'.
If the user isn't a member of the given group, you will get a return code Request_ResourceNotFound
This question already has answers here:
How do you prevent duplicate user properties in Firebase?
(2 answers)
Closed 6 years ago.
I am a newbie to Firebase so any hint will be appreciated. Right now I am using Firebase Login & Auth to handle all the authentication for me. But I want to store some user data, like username DOB, created_at... I have created a users node, and I am appending children nodes to users using the unique id I get on sign up or login. However I want to ensure that there are no duplicate usernames in the system. How can I check if a username already exists before writing to the server?
I'm currently investigating the same thing. My issue is that I also want persistence enabled, so I need to be aware of what can be accessed offline. If you're using persistence, I would also recommend disallowing particular operations such as checking username existence if your client is offline, which you can do by listening to ".info/connected" as further detailed here:
https://firebase.google.com/docs/database/ios/offline-capabilities#section-connection-state
My personal workflow for this is as follows:
Login to user's account
Check if the user already has a username
Check the firebase database to see if their user details includes a username:
DB/users/*userUID*/username != nil
If they don't have a username, then prompt them to set a username.
When they set their username, check if the username exists in:
DB/usernames/*username*/ != nil
If it doesn't exist, then write the username and userId in the two database locations checked above.
eg.
user.uid = wewe32323
username = scuba_steve
DB/usernames/scuba_steve = wewe32323
DB/users/wewe32323/username = scuba_steve
So now you have the DB/usernames reference that you can check quickly to see if anyone has a username already, and you also have DB/users/ where you can quickly find a username for a given user.
I won't say this is fool-proof, as I still a few concerns around concurrent requests. My current issue I'm investigating is that lets say you delete the username association to a particular user, the user can depend on their local copy of the database to incorrectly assert that they are still assigned to that username.
You could look into the database write rules to disallow anyone to modify existing data (enforcing that you can only write to the DB/usernames directory if there is no existing data. This would prevent overriding of whoever sets the username first, which I think is an important step.
It may also be worth investigating Transactions:
https://firebase.google.com/docs/database/ios/save-data#save_data_as_transactions
But I believe correct write rules as mentioned in the paragraph above should allow dependable writing.
You can check if the username is stored like this:
let username = "fred"
self.ref.child("users/\(username)").observeSingleEventOfType(.Value, withBlock: { snapshot in
if snapshot.exists() {
If the snapshot returned in the closure exists, then the username "fred" exists.
I have User table and Employee table, but I have only one login form for user(Admin). I want to login Employee also from same login page please help me as soon as possible? In MVC.
First check if username exits in the User table, if it does then match the password and return accordingly. If doesn't exist then check username in employee table and match password. If not found in both tables, return user doesn't exist.
I prefer having all my users in one table, then assigning them the Admin role if required.
But if that is not an option, check if the user exists in the admin table, if not, check the users table. If still not, don't log him in. Otherwise do the rest of the login process.
My preference is:
All users should be into a single table. And user table needs to contain a column "isAdmin[bool]".
when user press on the login button with correct username and password, system will check the role. if isAdmin == true then the user should log into the system with admin functionalists as well as the regular employee functionalists. Because a admin is also an employee.
when isAdmin==false the the user should log into the system with only employee functionalists.
Try to learn more about role based authentication.
Thanks
I am writing an application and need to read basic Instagram user info such as username, #posts, #followers and etc. This works well for public users but for private users returns:
{
"meta":
{
"code":400,
"error_message":"you cannot view this resource",
"error_type":"APINotAllowedError"
}
}
Let's say I am signed in as user A, and we want to show information from User B which is private to user A (user B also authorized my application to access it's basic info). I am using the following end point to read user B information:
https://api.instagram.com/v1/users/<userB_ID>/?access_token=<myAccessToken>
Am I missing something? or should I use different end point?
Update (Solution #1)
It seems one solution to fix this is to use Query end point. I was trying to manage all my work with Instagram user IDs (not usernames) but it seems I have to use usernames for the query. Is there a way to use query with user ID?
Here is what it looks like:
https://api.instagram.com/v1/users/search?q=<UserB_Username>&client_id=<myClientID>
if <myAccessToken> is to get user A's info, you can't get User B's info with it. If you have a backend to this app, then you can store different access tokens for each user, and make the call with the appropriate access token, and feed the info to the app through your own API.
Is there an easy way to get a credential/permission for a particular user?
I've seen the hasCredential() method, but I'd like to dynamically check any user, not just the current user.
I know I can use sfContext::getInstance()->getUser(); to get the current user object, but is there a way to load in any user and get his/her credentials?
Thanks
It kind of depends on the "store" you're using. In Symfony the current user (the one provided with sfContext::getInstance()->getUser()) is more an abstraction of the session.
So the most used plugin for authentication, sfDoctrineGuard, has controllers (sfGuardAuth) which handle things like a a signin form, and once succesful, it will populate the sfUser accordingly.
So, if you want to check for the permissions of a user, you will have to check the underlying store. If you're using sfDoctrineGuard, you can retrieve a User model through sfGuardUserTable::getInstance()->find(...). On the sfGuardUser, you can call the hasPermission($name) function to check.
If you are using sfGuardPlugin or sfDoctrineGuardPlugin you can get all user permissions by calling getAllPermissions() inside actions with:
$this->getUser()->getGuardUser()->getAllPermissions();
or inside models with:
sfContext::getInstance()->getUser()->getGuardUser()->getAllPermissions();
either way you have to call getGuardUser.
if you are using the sfGuardPlugin, you have the sf_guard_user, sf_guard_permission and sf_guard_group tables in your databse. So you can query that tables to obtain the permission of an specific user doing something like:
$c = new Criteria();
$c->add('username',$specificName);
$userPeer = new sfGuardUserPeer();
$user = $userPeer->doSelect($c);
$credentials = $user->getPermissions();
that way in $credentials you'll have an array of all the permissions (permissions are the credentials in sfGuardPlugin) of the selected user.
Good luck