I have been investigating the best method to create a complex permission-based system. I am using the Yii2 framework and noticed it includes good RBAC support; however, I am not sure if it is right for my situation.
What I am looking for I guess is similar to what a forum system would use where you can make groups and then you can select what permissions each of those groups are allowed to do.
I have noticed that with RBAC you add your roles, and if you add an admin and an author, for example, you can then add the author as a child of admin, and then admin can do everything authors can + whatever other permissions you give them.
Do you have to do it like this or can you do all the permissions separately? Is adding the author as a child of admin just a quicker/cleaner way to give admin all the same permissions a lower level group has and then you can then add extra permissions on top?
I worry about doing it this way though, because what if you remove a permission from the author? Then all of a sudden the admin will lose that permission too, unless they gain it from another child or are given it separately.
Can I still utilise RBAC for my needs or should I look at doing something custom?
The RBAC system of Yii2 is very powerful. You can effectively add your group permission to a parent, and later, if you need to revoke a single permission for the child group, you can add what you need only when and how you need it.
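The concern raised in the question (revoking a permission from a child role silently removes it from every role that inherits it) can be checked before the change is made. This is an added example, not code from the original posts or from Yii2 itself: it uses methods of Yii2's `yii\rbac\ManagerInterface`, assumes a configured `authManager` component and existing roles and permissions, and the helper functions `reaches`, `rolesLosingPermission` and `revokeFromRole` are hypothetical names.

```php
<?php
use yii\rbac\ManagerInterface;

// Depth-first walk of the RBAC item tree: can $from still reach $target
// when the single edge $skipEdge = [parentName, childName] is ignored?
function reaches(ManagerInterface $auth, string $from, string $target, array $skipEdge, array &$seen = []): bool
{
    if (isset($seen[$from])) {
        return false;                       // already explored, nothing new here
    }
    $seen[$from] = true;
    foreach ($auth->getChildren($from) as $child) {
        if ([$from, $child->name] === $skipEdge) {
            continue;                       // pretend this assignment is already gone
        }
        if ($child->name === $target || reaches($auth, $child->name, $target, $skipEdge, $seen)) {
            return true;
        }
    }
    return false;
}

// Every role that holds $permName today and would no longer hold it
// (directly or through any other child) once it is removed from $roleName.
function rolesLosingPermission(ManagerInterface $auth, string $roleName, string $permName): array
{
    $losers = [];
    foreach ($auth->getRoles() as $role) {
        $hasNow = reaches($auth, $role->name, $permName, []);
        $hasAfter = reaches($auth, $role->name, $permName, [$roleName, $permName]);
        if ($hasNow && !$hasAfter) {
            $losers[] = $role->name;
        }
    }
    return $losers;
}

// Refuse the revoke when a parent role (e.g. admin) would lose the permission too.
function revokeFromRole(ManagerInterface $auth, string $roleName, string $permName): bool
{
    $inherited = array_diff(rolesLosingPermission($auth, $roleName, $permName), [$roleName]);
    if ($inherited !== []) {
        throw new \RuntimeException("Also removes $permName from: " . implode(', ', $inherited));
    }
    // Assumes both items exist; getRole()/getPermission() return null otherwise.
    return $auth->removeChild($auth->getRole($roleName), $auth->getPermission($permName));
}
```

When the exception fires, assigning the permission directly to the listed roles with `addChild()` first makes the revoke affect only the intended group.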
Related
I've been looking around and not finding any good answers. I work at a small company. They have a quick information website for internal users. It needs updating, but here is the situation. I want each group to be able to manage their own page/s contents. For instance, HR to manage their documents, another group to manage the phone directory, etc. I don't want them all to have to be trained or take training on any extensive software. It doesn't even have to have a lot of features, probably. I've been looking at possibly Joomla, as our group already knows PHP, Apache, etc. But I haven't really got a good feel for whether I can break the content up and assign certain areas to certain groups inside of it so they only have access to change their own content only.
Right now all of it's on one page and grew out of hand before I got here to a 2-page list of items without a collapsible menu. I do like that in some areas all they have to do is drop files on a file share to update their items. I may keep part of that, just break it up into separate pages instead of showing each in one single frame in the middle as you click on the menu item. Since most of it is documents it's not all that bad.
Anyway looking for someone that's already been down this road and has a feeling for what I'm trying to do and how to go about it.
BTW prefer something open source if adding on any product to what we have.
Joomla since version 1.6 has fine-grained access control that you can customise yourself. Normally what I would do is create a user group for each of your groups. Then create a category tree for that group to make and manage their articles. Then for each of these categories give members of the group permission to create, edit, delete or whatever you want them to have.
There is a lot of documentation out there on how to do this. (Some by me :)) Just search for Joomla ACL or Joomla Access Control.
If you are using Joomla, you have the choice to edit your MySQL database. There are two tables you need to edit: one is users, the other is usergroup_map. Each group should have a group ID and its own permission. After you create a page, just assign the permission to the page. If you have more than 6 groups, you might also need to edit the usergroup table to add more group IDs.
I am trying to do the following in Drupal 7:
Users in my website will post ads and others will pay to get in touch with the author of the ad.
Users that are buying the contact information have to see all of the content of the ad (node), except for the author. After they pay, they should see an extra field in the ad, telling them who the author is.
My question is:
How can I control the user access per node and per user for a specific part of the node? Are there any modules for this?
Also, a relation between the user and the ad would be nice, since I will later have to list all ads for a user, etc.
I found many plugins, but they seem to deny or allow access to the entire node and my functionality should be different.
Thanks in advance
In order to allow only specific users or roles to view specific nodes, this module can help you:
https://www.drupal.org/project/nodeaccess
Also, as you want to restrict permission by field, the Field Permissions module can do the work for you:
https://www.drupal.org/project/field_permissions
Of course you might need to write some custom code or use Rules module to grant permission to the users who are going to be allowed to see some nodes/fields based on actions they do on your website.
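The "custom code" route mentioned in the answer above can be done with Drupal 7's `hook_field_access()`, which is evaluated per field, per entity and per account. This is an added sketch, not code from the original posts or from either module: the module name `adcontact`, the field `field_ad_contact` and the table `{adcontact_purchase}` are hypothetical.

```php
<?php
/**
 * Implements hook_field_access() for a hypothetical module named "adcontact".
 */
function adcontact_field_access($op, $field, $entity_type, $entity, $account) {
  // Restrict only viewing of the hypothetical contact field on nodes.
  if ($field['field_name'] !== 'field_ad_contact' || $entity_type !== 'node' || $op !== 'view') {
    return TRUE;
  }
  // No concrete node (generic access check) or anonymous visitor: fail closed.
  if (empty($entity->nid) || empty($account->uid)) {
    return FALSE;
  }
  // The ad's author and node administrators always see the field.
  if ($account->uid == $entity->uid || user_access('administer nodes', $account)) {
    return TRUE;
  }
  // Hypothetical table {adcontact_purchase}(uid, nid): one row per paid contact.
  $paid = db_query(
    'SELECT 1 FROM {adcontact_purchase} WHERE uid = :uid AND nid = :nid',
    array(':uid' => $account->uid, ':nid' => $entity->nid)
  )->fetchField();
  return (bool) $paid;
}
```

The same purchase table also gives the user-to-ad relation the question asks about, since it can be queried by `uid` to list a buyer's ads.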
I am developing a web application using Zend Framework 2. In my app, I want some modules: News, for example, Users, etc.
Is it possible to divide the whole application into two big parts: front-end (for users) and back-end (for admins)?
In the front-end there will be a part of the News module which renders the news list, the full news item, etc.
In the back-end there will be a part of the News module which will render the list of all news, tools for editing, deleting, etc.
At the moment, I have a simple structure:
I have a MyZfcAdmin module, with routes configured so that when I go to /admin/news/edit/5 it will call the NewsController edit action with id 5 and render it. So now I have all actions (for admins and for users) in one controller. Is it possible to create something like this:
module
    frontend
        News
        SomeMoreModule
    backend
        News
        SomeMoreModule
I found a topic on Google questions in which it was suggested to use this CMS, but I want to try it by myself.
Different people have different ideas about managing an application. For me, I will have a news module that handles all news-related calls, both admin parts and user-accessible parts. The idea you have described has some side effects, like duplication of code between modules and crossing of borders between isolated modules, like calling an action in another module (it's OK if they are related or fall in a hierarchy), which may cause issues in long-term maintenance of the application.
IMHO I might suggest you create modules like News, Users, etc., where each can have the combined functionality of both admin and user access. You can later include user authorization plugins using bootstrap events and restrict the actions accessible by admin and other users.
There is no concept of submodules inside any module. But you can give them proper naming conventions. If the code is not structured in OOP properly, then there can be code duplication in your project. As per #raj's answer, it's good to give restrictions based on user role. If any action is not intersecting the admin and user roles then you can separate those actions, but if actions like add or edit news content are the same for both roles then you should point to the same action by the router.
I've written an extension and I'm now trying integrate it into the ACL. I've been using the documentation here: http://docs.joomla.org/Developing_a_Model-View-Controller_Component/2.5/Adding_ACL
Thus far I've been able to set access for the entire component but what I really want is to enable one user group to perform actions on a certain "view", if you will, while another group is denied access to that particular view. I'm guessing it's what's explained here: http://docs.joomla.org/Developing_a_Model-View-Controller_Component/2.5/Adding_ACL#Adding_more_actions.2C_also_at_category_level_and_item_level
The problem I'm having is when I click the Options button and change the access options and save, the selected options aren't saved. I've added the asset functions in my table-class and I've added the asset_id column in my table.
http://i50.tinypic.com/ofsjtt.png
Does anyone know what I'm doing wrong? Is it even possible to separate permissions like this?
The viewing access level is called "ViewLevels" http://docs.joomla.org/Access_Control_List/2.5/Tutorial#ACL_View_Access_Levels_Examples.
If you want people to perform certain actions on certain items, then you need to create another set of permissions for these items, different from the component ACL.
For example, you have a shop component: you have ACL for the component, but you can have ACL for the product categories only.
My project is using Symfony 1.3.11, PHP version is 5.3.3.
Let me explain my case and my problem:
We wanted to add another kind of user, not just "user" and "admin" (using sfGuardPlugin). I did add "business" and I did give him permissions to only ONE admin module -- "purchases" (accessing own and under some conditions -- other people's purchases made on the site).
The "business" user can be associated to one or more Partners (firms) registered in the site, effectively allowing us to handle business owners or representatives a wee bit differently.
When the "business" user accesses the admin section, the list of purchases he sees must be this: All Purchases for all Products of all Partners he has associated with him. (Not exactly a trivial query).
I did that, in my opinion, in a stupid manner, but it does work -- namely overriding the "apps/backend/modules/purchase/actions/actions.class.php#executeIndex". I had to first copy-paste some code from the version of that method in the cache.
In short, I did hook myself to the "executeIndex" and added a code to do the proper Criteria, and the code works.
The problem now is this:
The filter field above the list (the one containing the Product list) does contain all possible Products. We want it to only contain all Products for all Partners the current user is associated with.
Thing is, it's my first time having to override the admin's filters and I am lost as to where I should plug in my code.
Any help is appreciated. Thanks for your time.
UPDATE: Strangely very unpopular question. Nobody ever had to do this? Wow.
You have to unset the product_list and set another widget with the filtered choices.
Check this post where I explain something like that but using Doctrine. In your case the sfGuardUserForm is your somthingFilterForm.
You could also filter data using this method. This is a little more elegant but both would work.