I have a problem with the following scenario:
I have a list of products and every product has a flag for being public or not, meaning it can be viewable by logged-in users only or by both logged-in and anonymous users.
In order to achieve the filtering at the Doctrine level I created a filter which checks if the user is logged in and, if not, filters only the products that are public.
My problem now is that if someone not logged in tries to view a non-public product, Symfony throws a 404. Of course it does the right thing, but on my side I would like to return a 403 if the product really exists but is non-public.
So my question is:
1) Remove the filter and change the whole implementation to use voters?
or
2) Add an exception listener on kernel request and there check if the product really exists and transform the response from 404 to 403? (well, redundant DB queries then :( )
or
3) Something else?
This needs to be done on every single action; I need to do it at a level where actions won't get involved (otherwise the same logic will be used in many places in the code, and there is also a big possibility of forgetting to do this check in a single action and breaking security).
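What option 1 looks like in practice, as an added example that is not code from the question: a Symfony voter that grants PRODUCT_VIEW on any public product and on a non-public one only to an authenticated user, plus a controller action that asks it. It assumes Symfony 6.4+ (entity value resolver and attribute routes), an App\Entity\Product with an isPublic() method, and that the Doctrine filter has been removed so that a non-public product is actually loaded and can be handed to the voter. The two files are shown in one listing with braced namespaces.

```php
<?php
// Added example (not from the question). Assumes Symfony 6.4+ and
// App\Entity\Product::isPublic(); the Doctrine filter is assumed removed.

namespace App\Security {

    use App\Entity\Product;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\Authorization\Voter\Voter;
    use Symfony\Component\Security\Core\User\UserInterface;

    // src/Security/ProductVoter.php
    final class ProductVoter extends Voter
    {
        public const VIEW = 'PRODUCT_VIEW';

        protected function supports(string $attribute, mixed $subject): bool
        {
            // Only vote on PRODUCT_VIEW for Product objects; abstain on anything else.
            return $attribute === self::VIEW && $subject instanceof Product;
        }

        protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
        {
            /** @var Product $subject */
            if ($subject->isPublic()) {
                return true;    // public product: anyone may view it
            }

            // Non-public product: grant only to an authenticated user. Returning
            // false raises AccessDeniedException (403). We only get here when the
            // row was found, so a missing product is still a genuine 404.
            return $token->getUser() instanceof UserInterface;
        }
    }
}

namespace App\Controller {

    use App\Entity\Product;
    use App\Security\ProductVoter;
    use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\Routing\Attribute\Route;

    // src/Controller/ProductController.php (assumed name)
    final class ProductController extends AbstractController
    {
        #[Route('/products/{id}', name: 'product_show')]
        public function show(Product $product): Response
        {
            // The entity value resolver has already answered 404 if no row exists;
            // the voter now decides 403 for an anonymous visitor on a private product.
            $this->denyAccessUnlessGranted(ProductVoter::VIEW, $product);

            return $this->render('product/show.html.twig', ['product' => $product]);
        }
    }
}
```

Two things to check before relying on this for the 403. First, the voter is still invoked per action (denyAccessUnlessGranted() or an #[IsGranted] attribute on each one), so it does not by itself remove the "forgot the check" risk raised above. Second, Symfony's firewall does not always turn a denial into a 403: for a visitor who is not fully authenticated the security exception listener calls the firewall's entry point instead, which with form_login means a redirect to the login page and with http_basic a 401. A plain 403 for anonymous visitors only appears for a firewall without an entry point.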
I know you can save a user's session actions in a file (logs) or a database. But this file (or line in the database) is rewritten on every action that the user makes, for example:
If the user starts at login and then goes to home, and later goes to about, this file is rewritten to: from home > to about.
I know it is not the complete quote generated in the log/db. Is it possible to store the first action (from login to home) and the second (from home to about)? How can I do it?
Thanks
I've been using Laravel Audits and it's pretty cool; give it a try.
It tracks pretty much everything you need, and shows you what was created and the old and new values when something is edited, but the downside is that it does not track changes to pivot tables.
Check it out here: Laravel Audits
Maybe have a look at https://github.com/spatie/laravel-activitylog which allows you to specify your own logging requirements.
Laravel requests allow you to get a lot of information.
You can create a table in your database and a middleware which gets the request any time a route is called and stores information like the route called, the user id or even the referer in the table.
Check it out for more info about requests
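The middleware described in that answer, as an added example (not the answer's own code). It appends one row per request instead of rewriting a single entry, which is what the question asks for. It assumes Laravel 5.5 or later, a request_log table with the columns used below (created by a migration you write), and registration of the class in the web middleware group of App\Http\Kernel.

```php
<?php
// app/Http/Middleware/LogRequest.php
// Added example, not from the answer above. Assumes Laravel 5.5+ and a
// `request_log` table with the columns inserted below.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class LogRequest
{
    public function handle(Request $request, Closure $next)
    {
        // Nothing to do before the controller runs; the write happens in terminate().
        return $next($request);
    }

    // terminate() runs after the response has been sent to the browser, so the
    // logging insert does not add latency to the page. One row per request is
    // appended, never rewritten, so the full path login > home > about survives.
    public function terminate(Request $request, $response): void
    {
        $route = $request->route();

        DB::table('request_log')->insert([
            'user_id'    => optional($request->user())->id,          // null for guests
            'method'     => $request->method(),
            'route_name' => $route ? $route->getName() : null,        // null for unnamed routes
            'path'       => substr($request->path(), 0, 255),
            'referer'    => substr((string) $request->headers->get('referer', ''), 0, 255),
            'ip'         => $request->ip(),
            'status'     => $response->getStatusCode(),
            'created_at' => now(),
        ]);
        // Deliberately not stored: $request->all(). Request bodies carry
        // passwords, tokens and personal data that do not belong in an audit log.
    }
}
```

Keep the log table append-only for application users (INSERT privilege only) so a compromised account cannot erase its own trail, and truncate or rotate it separately from application data.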
I've got a method that deletes a user from a company and would like to do a check to make sure the company will still have an admin left within it.
I'm using the method below, and the snippet is not working when adding a third parameter. How can I pass more than one variable to it?
$this->authorize('companyHasAdminAfterDelete', $privilege->company, $user);
Can you just perform a simple check before deleting the user, to see how many people with the admin role are left?
If there's only one before the delete then you know that he probably should not be deleted, etc.
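The "count the remaining admins" check from that answer written as a Laravel policy method, as an added example that is not the answer's code. It also shows the documented way to hand more than one model to authorize(): the extra models go in an array, and Laravel passes the acting user first and then each array element to the policy method. Assumed: App\Company and App\User models, a belongsToMany users() relation on Company whose pivot table has a role column, and the policy registered for Company in AuthServiceProvider.

```php
<?php
// app/Policies/CompanyPolicy.php
// Added example, not the answer's code. Assumes Company::users() is a
// belongsToMany relation with a `role` column on the pivot table.
namespace App\Policies;

use App\Company;
use App\User;

class CompanyPolicy
{
    // Called from a controller as:
    //   $this->authorize('removeMember', [$privilege->company, $user]);
    // Laravel passes the acting user first, then each element of the array.
    public function removeMember(User $actor, Company $company, User $member): bool
    {
        // Only an admin of this company may remove members at all.
        $actorIsAdmin = $company->users()
            ->wherePivot('role', 'admin')
            ->where('users.id', $actor->id)
            ->exists();
        if (! $actorIsAdmin) {
            return false;
        }

        // Count the admins that would remain once $member is gone. Zero means
        // the deletion would leave the company with nobody able to manage it.
        $remainingAdmins = $company->users()
            ->wherePivot('role', 'admin')
            ->where('users.id', '!=', $member->id)
            ->count();

        return $remainingAdmins > 0;
    }
}
```

Run the authorize() call and the actual delete inside one database transaction; otherwise two admins removing each other at the same moment can both pass the count and leave the company with no admin.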
We are developing an application in Laravel 5 where users can log in and, based on the licenses assigned to the user, multiple "content types" are available within the app. The business logic and presentation logic differ based on the selected content type. The user can select the content type to work with, or, if only one license is available, will be directed to the homepage of that content type.
Now I am trying to figure out how to handle the selected content type. Storing this in a session is imo not the way to go, because a user must be able to use multiple content types in one browser session simultaneously.
I figured I need to start with grouping all relevant routes and prefixing them with {contentType}. Also, add a middleware (named something like SelectContentTypeMiddleware) and let that middleware check if the content type exists, and if the logged-in user is allowed to have access to it.
Furthermore, every descending route (in the {contentType} prefix route group) also must handle the route parameter $contentType.
I am trying to figure out if this is the right approach. I was looking at this blog post which addresses the case of setting the app locale. Using app()->setLocale($locale) the locale for that request is set. I was wondering whether a similar approach for my case makes sense, or whether including the route parameter $contentType in every route is more advisable.
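The route-group-plus-middleware approach described in the question, as an added example (not code from the question). It keeps the selection request-scoped, which is what allows two content types to be open in two tabs, and answers 404 for an unknown type and 403 for an existing but unlicensed one. Assumed: a ContentType model with a slug column, a licenses() relation on the user model with a content_type_id column, and the alias 'content.type' registered in App\Http\Kernel::$routeMiddleware. Laravel 5.5+ is assumed for URL::defaults(). Two files are shown in one listing with braced namespaces.

```php
<?php
// Added example, not from the question. Assumes App\ContentType (slug column),
// $user->licenses() with a content_type_id column, and the 'content.type'
// middleware alias registered in the HTTP kernel.

namespace {
    // routes/web.php: every route lives under /{contentType}/... and runs the
    // middleware, so no single controller can forget the check.
    Route::group(['prefix' => '{contentType}', 'middleware' => ['auth', 'content.type']], function () {
        Route::get('/', 'ContentHomeController@index')->name('content.home');
        Route::get('/items/{item}', 'ItemController@show')->name('content.item');
    });
}

namespace App\Http\Middleware {

    use App\ContentType;
    use Closure;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\URL;

    // app/Http/Middleware/SelectContentTypeMiddleware.php
    class SelectContentTypeMiddleware
    {
        public function handle(Request $request, Closure $next)
        {
            $type = ContentType::where('slug', $request->route('contentType'))->first();
            if ($type === null) {
                abort(404);     // no such content type
            }

            // Licences are per user: an existing but unlicensed type is a 403,
            // not a 404, so the user learns the URL is valid but not theirs.
            $licensed = $request->user()->licenses()
                ->where('content_type_id', $type->id)
                ->exists();
            if (! $licensed) {
                abort(403);
            }

            // Hand the model (not the raw slug) to the controllers downstream:
            //   public function index(ContentType $contentType) { ... }
            $request->route()->setParameter('contentType', $type);

            // Let route('content.item', ['item' => $id]) fill in the prefix
            // automatically instead of repeating it in every route() call.
            URL::defaults(['contentType' => $type->slug]);

            return $next($request);
        }
    }
}
```

The selection never touches the session, so nothing leaks between tabs, and every controller in the group receives an already-authorized ContentType instance rather than re-checking the license itself.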
I am developing an application in PHP with CodeIgniter. Now I am worried about the permissions.
I need page-wise permissions; a page may be an add records page, an edit page, a delete page, a print report page, etc. There will be many users as well, and the application will grow over time.
Will it be better for me to implement an ACL or not?
What could be ideal for me? Any suggestions?
First, let's clear up some terms: I personally use the term security for things like preventing SQL injection and XSS attacks, where we have to validate input, filter/sanitize values, take care of dynamically generated SQL commands, take care of properly escaping output (for JSON, HTML text or HTML attributes), etc. This is not what you are asking about, if I understood correctly.
The access control or permissions system is where you grant or deny a user access to a function. It can be secure or not. I understand that denying a user who does not have permission access to a function may sound like "security", but I wouldn't use this specific word in this context, to avoid confusion.
Now, the answer:
I strongly recommend you create a few base controller classes to your needs. Read the following blog post carefully (it is short and useful): http://philsturgeon.co.uk/blog/2010/02/CodeIgniter-base-Classes-Keeping-it-DRY
Code to check whether the user is properly authenticated (logged in) is essential. If the user is not logged in, redirect to the home page or the login page.
For fine-grained control, you could create your ACL in the database using the users table, plus an actions table, plus an acl table...
The users table would contain the user data (id, name, login, password, etc.).
The actions table would contain the id field and at least one more field containing whatever suits your application best: it can be only the controller class name (the first part of the URL, for example "products"), granting access to the whole "products" controller or not. Or you may want to include both the controller class AND the method name (the first and second parts of the URL, for example "products/add" and "products/delete"), and so on.
Deciding on the actions table is the most decisive step. Think about it very carefully and balance your needs (your "true" needs)... I developed a system where each and every action has its own entry. It is good, but it takes work to maintain.
A very useful column for the actions table is a human-readable description of the action.
The acl table then would be nothing more than a column for the user id and another column for the action id.
A "master" grant/deny access field in the users table is useful too, in case you want to temporarily deny access to a specific user without having to delete all his permissions and maybe having to restore them later.
With the database tables and your "controller/method" or "actions" strategy well defined, you can easily code in your base controller class a function which checks whether the user has permission to execute the requested action.
This is the basic setup. In my system, I have a user administration interface where I can grant/deny the actions for each user (I use an ExtJS tree with checkboxes). One of these actions is user management itself. I have gone one step further, where a user who can access user management may "delegate" (grant/deny) to other users only the actions he himself has access to.
The system has several modules and functions. The interface does not show anything the user does not have access to. So I have users who can see only a single module or a couple of modules, and they don't even imagine the existence of the other modules.
It requires more work to manage all this, but the result is worth it.
I also log each granted access, so it is possible to track who did what, and when. This log feature is very, very easy to add, since you have this base controller "master function" allowing or disallowing users to perform the actions.
I hope I have helped. I've just shared a bit of what worked (and works) for me...
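The users/actions/acl layout and the base-controller "master function" from that answer, as an added example that is not the answer's own code. It is framework-free so it runs on its own (php acl_demo.php, PHP 8 with the pdo_sqlite extension) against an in-memory SQLite database with constructed sample rows. Table and column names, the "controller/method" action naming, the master enabled flag and the log table are assumptions that follow the answer's description; in CodeIgniter the isAllowed() call would sit in the base controller's constructor, fed with the router's class and method names.

```php
<?php
// Added example (not the answer's code). Assumes PHP 8 and pdo_sqlite;
// schema and naming are assumptions modelled on the answer above.

final class Acl
{
    public function __construct(private PDO $db) {}

    // Deny by default: the user must be enabled (master flag) AND hold an acl row
    // for either the exact "controller/method" action or the whole "controller".
    public function isAllowed(int $userId, string $controller, string $method): bool
    {
        $action = "$controller/$method";

        $stmt = $this->db->prepare('SELECT enabled FROM users WHERE id = ?');
        $stmt->execute([$userId]);
        $enabled = $stmt->fetchColumn();
        if ($enabled === false || (int) $enabled !== 1) {
            $this->log($userId, $action, false);    // unknown or disabled user
            return false;
        }

        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM acl a
               JOIN actions ac ON ac.id = a.action_id
              WHERE a.user_id = ? AND ac.name IN (?, ?)'
        );
        $stmt->execute([$userId, $action, $controller]);
        $granted = (int) $stmt->fetchColumn() > 0;

        $this->log($userId, $action, $granted);
        return $granted;
    }

    private function log(int $userId, string $action, bool $granted): void
    {
        // Every decision is recorded, not only grants, so denied attempts are visible too.
        $stmt = $this->db->prepare(
            'INSERT INTO access_log (user_id, action, granted, at) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$userId, $action, $granted ? 1 : 0, gmdate('Y-m-d H:i:s')]);
    }
}

// Schema and constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, enabled INTEGER NOT NULL DEFAULT 1)');
$db->exec('CREATE TABLE actions (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, description TEXT)');
$db->exec('CREATE TABLE acl (user_id INTEGER NOT NULL, action_id INTEGER NOT NULL, PRIMARY KEY (user_id, action_id))');
$db->exec('CREATE TABLE access_log (id INTEGER PRIMARY KEY, user_id INTEGER, action TEXT, granted INTEGER, at TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");
$db->exec("INSERT INTO actions VALUES (10, 'products', 'Whole products controller'),
                                      (11, 'reports/print', 'Print reports')");
$db->exec('INSERT INTO acl VALUES (1, 11), (2, 10)');

$acl = new Acl($db);
var_dump($acl->isAllowed(1, 'reports', 'print'));    // true: exact action granted
var_dump($acl->isAllowed(1, 'reports', 'delete'));   // false: no row, so denied by default
var_dump($acl->isAllowed(2, 'products', 'delete'));  // false: 'products' granted, but bob's master flag is off
```

Normalise the controller and method names taken from the router (lower-case, exactly as CodeIgniter resolved them) before the lookup, and run the check before any controller method executes, so an unlisted action is denied rather than silently allowed.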
Let's say I have a simple website where users can log in. When they are logged in, I want to show them a different message than users who are not (guests). This message should render in a placeholder, by appending the message to it.
Where should this be done? I was thinking of having my controller check whether the user is logged in or not, and then append to the placeholder via $this->view->placeholder("sidebar")->append()
Why not just put it in the layout itself?
For example, I often have the following situation that affects my layout: if the user is logged in, I want to display his username, a link to view/edit his profile, and a link to log out. If he is not logged in, then I show him a link to log in and a link to register.
The code to handle all this uses Zend_Auth::hasIdentity(), Zend_Auth::getIdentity(), and the url() view-helper. To keep the layout code a little leaner, I often push all this into my own view-helper called something like authLinks().
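An authLinks() view helper of the kind that answer describes, as an added example (not the answer's own code) for Zend Framework 1. The helper path, the auth/user controller names and the shape of the identity (string or object with a username property) are assumptions. The one security detail worth copying is that the username is passed through $this->view->escape() before it reaches the layout, since it is user-supplied data rendered into HTML.

```php
<?php
// application/views/helpers/AuthLinks.php (added example; path, route names
// and identity shape are assumptions). Zend Framework 1 view helper.
class Zend_View_Helper_AuthLinks extends Zend_View_Helper_Abstract
{
    public function authLinks()
    {
        $auth = Zend_Auth::getInstance();
        $view = $this->view;

        if (!$auth->hasIdentity()) {
            // Guest: login and register links only.
            return sprintf(
                '<a href="%s">Login</a> | <a href="%s">Register</a>',
                $view->url(array('controller' => 'auth', 'action' => 'login'), null, true),
                $view->url(array('controller' => 'auth', 'action' => 'register'), null, true)
            );
        }

        // The identity is whatever the Zend_Auth adapter stored: a string for
        // Zend_Auth_Adapter_DbTable by default, or an object if you stored one.
        $identity = $auth->getIdentity();
        $name = is_object($identity) ? $identity->username : (string) $identity;

        // Escape the username: it is user-controlled and lands inside the HTML.
        return sprintf(
            'Hello, %s | <a href="%s">Profile</a> | <a href="%s">Logout</a>',
            $view->escape($name),
            $view->url(array('controller' => 'user', 'action' => 'profile'), null, true),
            $view->url(array('controller' => 'auth', 'action' => 'logout'), null, true)
        );
    }
}

// In the layout script: <?php echo $this->authLinks(); ?>
```

Because the helper reads Zend_Auth directly, the layout needs no controller cooperation, which is the point made in the answer above.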
A better solution might be to switch the layout based on the authentication status of the current user. This could be done with a plugin in preDispatch, or in preDispatch within your controller. By placing the display logic in the view layer, you don't have to update lower-level code if you decide to change the message or remove it altogether.
I would personally opt for it being in a controller plugin since it abstracts the concern of checking authentication status and updating the view away from controllers, and prevents you from having to worry about putting the appropriate code in any controllers you create in the future.
That is a matter of personal preference. I always delegate that responsibility to the view, so in my mind yes it should be handled by the view.