I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share to some other users. I implement sharing post by a database table PERMISSION, which specify if a user have the right to view a post or not.
The problem arises here is that when a customer access a post through a direct link, how can I determine he/she have the privilege to view it? There's 3 circumstances:
The post is public, so it can be viewed by anyone (include not-login
user)
The post is private, so only the login-owner can view it
The post is sharing, it means only the login-user that is shared and the
owner can view it.
I want to process like this:
If the requested post is public: ok.
If the requested post is private/sharing: I want to redirect
the customer to the login page; after
logging in, the user will be re-direct
to the page he wants to see.
The problem here is that I can redirect the user to login controller/ auth action, but after that I don't know how to redirect it back. The link to every post is different by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
Could anyone know a way to do this?
Dunno about grails, but spring security has a spring-security-redirect parameter which can be used to redirect the user to the specified url on successful authentication.
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
I have found a quick workaround for this problem:
If the user is logged in: check the user's privilege, and return the appropriate result.
If the user is not logged in: At view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
At checkrole action(which is my grails.plugins.springsecurity.successHandler.defaultTargetUrl in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.
Related
I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.
It is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it?
Or is there any suggestion?
UPDATE:
The external site has the credential info that is needed for my site's authorization. Shortly, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks to the link, a userid will be sent through the link. Based on the userid I will go through an authorization
process on which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid
however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider and assign the roles associated with the userid and place role annotators to the controllers. As stated above I am not sure if it is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it? Or Can I use the constructor of the controller for this purpose?
I use Devise to do the oauth with Github for my users. On login we ask for two basic scopes (for regular users) but if a user wants to perform some action (like setting up a new github organization in our product) we need to require some other scopes in addition to the ones we asked already.
I got it working for the most part the question is about how to better put everything together. This is the timeline of events:
User login (scope email)
User wants to perform setup action (POST /organizations)
in POST /organizations we check for the scopes of the current user and redirect to github to ask for the extra permissions if needed
User accepts the permissions and we get the oauth callback in the callbacks controller.
What I want is to continue with the process have at POST /organizations but the callback is in a different controller (obviously).
I've looked into omniauth.origin but that will only work for a GET redirect and this is a POST.
Any ideas how to better structure a solution for this?
Thank you!
I have a requirement as below
User makes a request to access welcome.html. In the process of request, we are also posting userid.
Once the request reaches to the server, first think i need to check if user present in my DB or not, in case it is not present, then i have to redirect to the login page and incase user is already present in my db, need to create new session and redirect to welcome.html.
I am not sure, how can I achieve this functionality.
Looking for some idea.
thanks
Adi
I'm using Grails and Spring Security. Some methods of the controller are annotated with #Secured and when the logged in user doesn't have the necessary roles I want him to be redirected to the last visited page instead of to /login/denied.
I guess that the real question is how to get the last page visited so that I can redirect him accordingly from the denied method?
There is a way to do this in JavaScript, using back button, but I am looking for a way to achieve this on the server side.
maybe you could use an interceptor to store the history of you views and then with an accessDeniedHandler redirect to the previous one
I'm using rails 3 and devise. I would like to do build in the following work flow.
Article is submitted on site that requires admin approval.
Site sends the admin of the site an email with a link to the page where the admin can review edit and approve the article
I've got this implemented, however, if the admin is not currently logged into the site the admin is bounced back to the root path for not being authenticated.
Is there away that the link that that is sent in the email can act as an authentication for the specific admin?
You want to look into token authentication for devise. This allows you to use a one time key to authorize user access through a URL parameter.
See more information here. http://zyphmartin.com/blog/simple-auth-token-example-with-devise
Also you could simply create a authentication token per resource and store the authentication value in the database. When you go to the approve URL for the resource pass in the resource id and the authentication token. This would be more secure than logging the user in as administrator.
If you need more help let me know.
You could implement this as a custom controller action.
You can turn off devise authentication for a given action in a controller by adding an :except => :custom_action key to your :before_filter call.
You could include a query string in the link with the article_id and the admin_id. Then in the custom controller action, you would check that this article has not already been moderated, via an extra field in the articles table. If it had, you could bail. If it hadn't then you could allow the moderator to approve or disapprove of it, set the moderated flag to true and thank the moderator for her work.
If you wanted to get really tricky, you could make the URL include an MD5-hashed id which you could use as the key rather than an article id. You could store this in an extra field in the article model. That would make it much less likely to get spoofed during the brief window when it is moderate-able.
ian.
You could add an action to the controller (which is where your URL would point to), and then exclude it from authentication by adding this to your controller:
before_filter :authenticate_user!, :except => [:review_article]
You could include some sort of a key in the URL (e.g. MD5 of the article as Ian suggested), and check that in review_article.