symfony - credentials problem - symfony1

I am trying to fully understand how the credentials/permissions system works in symfony(1.4)
I have 2 groups and 2 users.
User 1 has the following permissions:
Add.Car, Delete.Car
User 2 has the following permissions:
Add.Bike, Delete.Bike
Now what I want to do, is only allow users with the Add.x permissions to be able to add to a category table.
The problem is, that If I have:
credentials: [Add.Car, Add.Bike] - it seems to look for users with BOTH of these, not either of them.
Is this how the credentials work and If so, is there a way to check if the user has either Add.Bike OR Add.Car before allowing them to create new records?
Thanks

Wrap the credentials in [ ]
credentials: [[Add.Car, Add.Bike]]
see http://www.symfony-project.org/jobeet/1_4/Doctrine/en/13 'Complex Credentials' section

Related

How to remove Groups from Project Role(Ex- Users Role) in particular project using API call

I want to remove groups in Users role in a given project using api call . How can i do that? I can remove all the groups and users using
jiraSoapService.removeAllRoleActorsByProject(authToken,remoteProject);
But i want to remove only groups of Role - Users how can i do that?
Thanks
You should use removeActorsFromProjectRole method from SOAP API:
jiraSoapService.removeActorsFromProjectRole(
authToken,
arrayOfGroupNames,
projectRole,
project,
"atlassian-group-role-actor");
If you'd like to remove users and not groups, you should use "atlassian-user-role-actor" as the last argument for that method.

How to create a "backdoor" for administrator, to be able to log in as anohter user and see information?

I am creating an online survey tool.
As an administrator, i would like to see what the users have answered and also be able to answer on their behalf. The system get's a users answers and other information based on his/her username, when they are logged in, using the built in membership provider.
There are currently three roles: Administrator, Moderator and Respondent
If i would like to show my administrator a list of users,
how would it be possible to create a "backdoor" for the administrator, so that he can "log" in as the user, see the users answers etc ? (Just like the user would be able to if he was logged in to his own account).
When answering and retrieving quyestions, the system is bound to `User.Identity.Name
My suggestion on how to solve this:
Currently, when i want to retrive a users answers i use the following code:
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
This is because i have a table named Firma, that has a column referencing to a users Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table, that match question_id and Firma_ID (A users answers for a specific question).
Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
to retrive the Firma_ID of a given user, i could store it in the Session upon Login. When i want to view a specific users Answers as Administrator, i would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:
[Authorize(Roles = "Administrator")]
Also, i would set the Session timeout to be the same as the Authentication timeout.
Can somebody tell me which pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session? (Firma_ID)?
Thanks
If you only need to log in as your users, I went for a ticket-method.
I have a special login-page that can take a ticket-id. This ticket is created in the admin-gui when the admin wants to log in as another user. The login-page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As an added security, a ticket is only valid for 10 seconds after creation.
Another option is to make answers from users available from the admin-gui...
also you can do in your log-in script override
so you have at present something like
if user name and password match string then user is logged in and based on this you get user permissions
instead have admin page,
where you can select user and then you can apply permissions of the user instead of admin.

accessing user credentials/permissions

Is there an easy way to get a credential/permission for a particular user?
I've seen the hasCredential() method, but I'd like to dynamically check any user, not just the current user.
I know I can use sfContext::getInstance()->getUser(); to get the current user object, but is there a way to load in any user and get his/her credentials?
Thanks
It kind of depends on the "store" you're using. In Symfony the current user (the one provided with sfContext::getInstance()->getUser()) is more an abstraction of the session.
So the most used plugin for authentication, sfDoctrineGuard, has controllers (sfGuardAuth) which handle things like a a signin form, and once succesful, it will populate the sfUser accordingly.
So, if you want to check for the permissions of a user, you will have to check the underlying store. If you're using sfDoctrineGuard, you can retrieve a User model through sfGuardUserTable::getInstance()->find(...). On the sfGuardUser, you can call the hasPermission($name) function to check.
If you are using sfGuardPlugin or sfDoctrineGuardPlugin you can get all user permissions by calling getAllPermissions() inside actions with:
$this->getUser()->getGuardUser()->getAllPermissions();
or inside models with:
sfContext::getInstance()->getUser()->getGuardUser()->getAllPermissions();
either way you have to call getGuardUser.
if you are using the sfGuardPlugin, you have the sf_guard_user, sf_guard_permission and sf_guard_group tables in your databse. So you can query that tables to obtain the permission of an specific user doing something like:
$c = new Criteria();
$c->add('username',$specificName);
$userPeer = new sfGuardUserPeer();
$user = $userPeer->doSelect($c);
$credentials = $user->getPermissions();
that way in $credentials you'll have an array of all the permissions (permissions are the credentials in sfGuardPlugin) of the selected user.
Good luck

sfGuardAuth across multiple apps

I've got 3 apps: Backend, Frontend and Members.
And I've got 2 credentials: Administrators and Members.
Administrators are imported by default but Members are created in the Backend.
When a Member is created, an event handler also inserts this Member as a sf_guard_user and of course, the proper relations in sf_guard_user_group and sf_guard_user_permission.
That's the boring part, now the fun:
Frontend is not secured, but Members is and using these credentials: [administrator, member].
According to all this, Members created in the Backend that also get inserted (correctly as far as I can tell) should be able to login to the Members secured app, since they get the member group/permission/credential.
This is not happenning, the only ones that can login to the Members app are the administrators, which is not wrong, but either is the fact that correctly created Member users can't login to it.
The error thrown by the guard is the classic: The username and/or password is invalid.
Now that I edit the error, the salt comes to mind: How would one emulate the inserting of the salt as the guard does it? Maybe that's what I'm not inserting correctly (or inserting at all) and thus the password invalid error (and in fact everythine else I've described is ok! omg)
And that's my problem.
Thanks in advance :)
[administrator, member] means both are required, I believe.
I think you want [[administrator, member]] for the credential requirement.
Also, yes, you will want to make sure you use a salt, and set the algo.
parent::_set('password', call_user_func_array($algorithm, array($salt.$password)));
Salt before password, as well.

Views with Multiple Admin-ish Roles

I have an app where there are multiple "Admin-ish" roles. Imagine you have a super-admin that can edit anything, and also a site-admin that can edit any information about his site.
So both admin/sites and siteadmin/sites are basically the exact same view.
What's the right way to set this up (views/controllers)? I'm trying to keep things as DRY as possible.
I'm a huge fan of the Rails Authorization plugin
This allows you to easily assign roles to objects and use blocks to grant access.
#a.has_role('admin')
#b.has_role('super_admin')
permit "admin or super_admin' do
# Show admin and super_admin stuff
end
permit 'super_admin' {}
You can also grant access on other objects or classes.
#user.has_role('photographer', #photo)
#user.has_role('news_poster', NewsPost)

Resources