I generated an entity and model, then a CRUD for it using Gii. The default access rules say that the delete action can only be performed by users with the admin role. By default we have 2 users defined in UserIdentity.php: admin/admin and demo/demo. Demo is a common user and admin is an admin user. Authenticating with demo I get "403 forbidden" on the delete page. So the question is: where is the role set for these default users?
In your access rules array, you need to specify users, not roles. Until you start using the RBAC module, you will have no roles assigned. The tutorial for RBAC shows how to define your roles and assign them to users. What it doesn't tell you is where to populate the files. Read up about data migrations. That is where I populated my files.
These are not default users but default roles. You should read about RBAC.
It depends on how deep you plan to go with your site security. If you are just trying to grant access to specific users from that default users array, you can just configure them through the accessRules method and use the users configuration.
Otherwise, if you actually want a comprehensive role system, you will want to look into RBAC as #oroshnivskyy suggested.
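The two approaches the answers describe, as an added example that is not from the thread: a Yii 1.x accessRules() that matches on usernames (the controller name, the migration class name and the 'deletePost' operation are made up for illustration), followed by a data migration that creates the 'admin' role and assigns it, after which the delete rule can switch to 'roles'. It assumes the default UserIdentity, whose id is the username, and an 'authManager' component configured as CDbAuthManager.

```php
<?php
// Added example (not from the thread). Assumes Yii 1.x, the default UserIdentity
// (Yii::app()->user->id is the username) and an 'authManager' application
// component configured as CDbAuthManager with its tables already created.

class PostController extends CController
{
    public function filters()
    {
        return array('accessControl'); // enables accessRules() below
    }

    // Without RBAC, match on usernames: '*' = anyone, '@' = any authenticated user.
    // The final 'deny' rule makes any action not matched above fail closed (403).
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
            array('allow', 'actions' => array('create', 'update'), 'users' => array('@')),
            array('allow', 'actions' => array('admin', 'delete'), 'users' => array('admin')),
            array('deny', 'users' => array('*')),
        );
    }
}

// Once roles exist, the delete rule can become 'roles' => array('admin').
// A data migration is one place to create them and assign them to users:
class m000000_000000_seed_rbac extends CDbMigration // hypothetical migration name
{
    public function up()
    {
        $auth = Yii::app()->authManager;
        $auth->createOperation('deletePost', 'Delete a post');
        $admin = $auth->createRole('admin', 'Site administrator');
        $admin->addChild('deletePost');
        // 'admin' is Yii::app()->user->id for the default admin/admin login
        $auth->assign('admin', 'admin');
    }

    public function down()
    {
        $auth = Yii::app()->authManager;
        $auth->removeAuthItem('admin');
        $auth->removeAuthItem('deletePost');
    }
}
```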
I'm looking for a solution where I can do the following in my Sonata backend:
In my database I have the following tables:
roles
    id
    name
    role
    is_super_admin
    weight
permissions
    name
    permissions
    description
role_permission (many to many)
    role_id
    permission_id
So I would like to save relations in my table role_permission. But I'm a bit stuck on how to do this in Sonata admin. Can I do this in the list view? And if yes, can you help me on my way?
Not sure if OP wants to implement custom roles or use existing features. However I would recommend using a single role system. Sonata already has handlers for security so in my opinion it would be best to use those instead of creating your own.
On the sonata site, there is a section in the admin bundle about security. Which explains how to setup certain types of role management. I would either go for the Role or ACL handler depending on what you need.
When enabling the role handler you can create groups of roles. These groups would serve as your "Role 1". For example I could create a group called "Beta Testers" and give them the ROLES (permissions) ROLE_CHECK_BETA_CONTENT and ROLE_BETA_FEEDBACK_FORM. Now if you want normal users to not have these rights you could create a normal user group and assign every other role (permission).
I am new to Laravel, and currently I am developing a job website project using Laravel 5. In the website, in addition to the Admin user, I have three types of users: jobseeker, employer, and training provider. I want to separate these into three tables because each of them stores different information. Plus, each of them should go to a certain allowed logged-in user area. For example, a logged-in job seeker can only work in their allowed area, and employers and training providers can do the same thing.
Could you advise me how to manage authentication for each of these tables?
Best Regards,
Naren
The best way to manage this in Laravel is to use a plugin. Try this: Laravel ACL
It uses the following tables to manage role-based access for the entire application:
users
role_user
roles
permissions
permission_role
permission_user
By using this module you can manage permissions per role as well as per individual user.
You can apply the following from Laravel 5.2+:
Use multi authentication. So each type of user has its own model: JobSeeker, Employer, TrainingProvider. They will have their own Guard in middleware for authentication.
Routes are protected via middleware. Some routes are permitted to all, some are personal...
Each role might have the same or different access to some type of action, e.g. all roles can view the JobSeeker profile, but only the JobSeeker can edit it. For that, use a Laravel Policy.
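The three pieces the answer lists, as an added example that is not from the thread: a guard and provider per user type in config/auth.php, route groups locked to one guard each, and a policy for the shared JobSeeker profile. It assumes Laravel 5.2 and Eloquent models App\JobSeeker, App\Employer and App\TrainingProvider, each extending Illuminate\Foundation\Auth\User and backed by its own table; the controller and route names are made up.

```php
<?php
// Added example (not from the thread). Three file excerpts for Laravel 5.2;
// the models App\JobSeeker, App\Employer, App\TrainingProvider are assumed to exist,
// each extending Illuminate\Foundation\Auth\User with its own table.

// --- config/auth.php (excerpt): one session guard and one provider per user type ---
'guards' => [
    'jobseeker' => ['driver' => 'session', 'provider' => 'jobseekers'],
    'employer'  => ['driver' => 'session', 'provider' => 'employers'],
    'trainer'   => ['driver' => 'session', 'provider' => 'training_providers'],
],
'providers' => [
    'jobseekers'         => ['driver' => 'eloquent', 'model' => App\JobSeeker::class],
    'employers'          => ['driver' => 'eloquent', 'model' => App\Employer::class],
    'training_providers' => ['driver' => 'eloquent', 'model' => App\TrainingProvider::class],
],

// --- app/Http/routes.php: each area is reachable only through its own guard ---
Route::group(['prefix' => 'employer', 'middleware' => 'auth:employer'], function () {
    Route::get('dashboard', 'EmployerController@dashboard');
});
Route::group(['prefix' => 'jobseeker', 'middleware' => 'auth:jobseeker'], function () {
    Route::get('profile/{jobSeeker}', 'JobSeekerController@show');
    Route::put('profile/{jobSeeker}', 'JobSeekerController@update');
});

// --- app/Policies/JobSeekerPolicy.php: one resource, different rights per user type ---
class JobSeekerPolicy
{
    // Any signed-in user type may view a profile.
    public function view($user, App\JobSeeker $profile)
    {
        return $user !== null;
    }

    // Only the owning job seeker may edit it. The instanceof check matters:
    // an Employer row with the same numeric id must not pass.
    public function update($user, App\JobSeeker $profile)
    {
        return $user instanceof App\JobSeeker && $user->getKey() === $profile->getKey();
    }
}
// Register it in App\Providers\AuthServiceProvider:
//     protected $policies = [App\JobSeeker::class => App\Policies\JobSeekerPolicy::class];
// and in JobSeekerController::update() call $this->authorize('update', $jobSeeker);
```

Note that the Gate resolves the current user through the auth manager, so for a request authenticated by a non-default guard make sure the policy is evaluated against that guard's user rather than the default guard's.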
I am trying to create roles and permissions functions in php. I have checked some tutorials
A Better Login System
RBAC in PHP
but it is not clear whether the permissions are those granted by MySQL or whether they are implemented in PHP.
For example, if I have roles like admin, user and developer, should I create different users in the database and then use those to perform different operations, or should I create one root user and then control the access in PHP? To me it seems like the database should restrict it by having different users.
First, get clear on roles & permissions. In the front end these are different things that provide access to certain pages & changes.
As for your question, let me tell you that roles such as Admin/User/Developer can be managed by MySQL user rights. MySQL user rights restrict user access on tables: creating tables, deletion, insertion etc. Now, if you create different users in the database with custom user rights, you will have to include different connection credentials for each of the users.
Further, to control PHP pages, restrict user access by assigning pages to users in PHP code.
If you are really going for a custom access management module, I would recommend you create a role table where the roles will be placed:
table:role
Columns:
id (pk, auto-increment)
role_name (Varchar)
Keep 'role_id' in the user table.
You don't need to create a separate table for user_role since each user will have one role.
But if you are planning to have completely page-level access, you would need that table, and a UI should be created where you assign pages (access) to the user while creating a user.
If you are using any framework, do look for the available APIs. Yii has a very good security feature in which access rules and filters are defined.
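The layout the answer recommends, as an added example that is not from the thread: one application DB account for every request, a role_id on the user row, and the access decision made in PHP. The schema and the optional role_page table for page-level access are constructed for this example; the helper function names are made up.

```php
<?php
// Added example (not from the thread). Constructed schema:
//   role(id INT PK AUTO_INCREMENT, role_name VARCHAR(32) UNIQUE)
//   user(id INT PK, username VARCHAR(64), role_id INT, FOREIGN KEY (role_id) REFERENCES role(id))
//   role_page(role_id INT, page VARCHAR(128), PRIMARY KEY (role_id, page))  -- only for page-level access
// The app connects with a single DB account; MySQL grants are not used per end user.

function roleOfUser(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare(
        'SELECT r.role_name FROM user u JOIN role r ON r.id = u.role_id WHERE u.id = ?'
    );
    $stmt->execute([$userId]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : $role;
}

// Coarse check: the user's single role must be one of the roles this page allows.
// Unknown user or unknown role is treated as no access.
function requireRole(PDO $db, int $userId, array $allowedRoles): void
{
    $role = roleOfUser($db, $userId);
    if ($role === null || !in_array($role, $allowedRoles, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Fine-grained check for the page-level variant: is this page assigned to the user's role?
function canAccessPage(PDO $db, int $userId, string $page): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user u JOIN role_page rp ON rp.role_id = u.role_id WHERE u.id = ? AND rp.page = ?'
    );
    $stmt->execute([$userId, $page]);
    return $stmt->fetchColumn() !== false;
}

// Usage at the top of admin.php, with $db a PDO connection and $_SESSION['user_id'] set at login:
//   requireRole($db, (int) $_SESSION['user_id'], ['admin']);
// or, for the page-level scheme:
//   if (!canAccessPage($db, (int) $_SESSION['user_id'], 'reports.php')) { http_response_code(403); exit; }
```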
The current ACL of Phalcon manages access between roles, resources and their actions. For example, if we want to allow a specific role into a specific resource:
$acl->isAllowed("Guests", "Customers", "search");
This checks if the role called "Guest" can access the "Customers" controller for the action "search".
In my scenario, we also have a "Role Level". For example, an Admin can access all modules and controllers, but to modify the contents, an Admin should have a minimum Role Level of 2. To gain access to modifying the website configuration, an Admin should have Role Level 3.
In addition to the role level, we also want to assign which models a role can have access to. For example, Mr. A and Mr. B are both Admins and have the same level. But we decided to allow only Mr. A to access the "Accounts" models, while Mr. B can have access to "Accounts", "Personnel", etc.
Here are my questions:
Does Phalcon ACL support roles and levels? Or should I just create custom validation?
What is the benefit of using ACL compared to creating similar validation functions?
If I have to create custom validation, where should I put it? In the controller, or in the dispatcher?
Thx
At the moment Phalcon does not support role-based ACLs. You will have to do something yourself to cover this. The feature has, however, been asked for and it is in the long list of NFRs for the project :)
The way I would go about it is to use a combination of Phalcon functionality and custom programming. I would add everything to a base controller in the beforeExecuteRoute function so that ACL is checked whenever something is to be dispatched.
In a similar project to yours, I created two tables in my database:
Groups
------
group_id <- 2
group_name <- Admins
and an ACL table that maps all actions to a group like so:
ACL
---
group_id <- 2
acl_controller <- Customers
acl_action <- Search
You can easily extend this to have a collection of controller/action pairs to map to a Role. From there you can just create a simple function that would load the role based resources.
It is a bit of a workaround but it works.
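The base-controller approach from the answer, as an added example that is not from the thread: beforeExecuteRoute loads the group's rows from the Groups and ACL tables above into an in-memory Phalcon ACL, then applies the questioner's extra "role level" check on top. It assumes Phalcon 2.x/3.x (Phalcon\Acl\Resource), 'db' and 'session' services on the DI, and a session entry 'auth' holding group_name and role_level set at login; the $minLevel map and the error/login controller names are made up.

```php
<?php
// Added example (not from the thread). Assumes Phalcon 2.x/3.x, the Groups and ACL
// tables sketched above, and $this->session->get('auth') returning
// ['group_name' => 'Admins', 'role_level' => 2] (constructed shape) for a logged-in user.
use Phalcon\Acl;
use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;
use Phalcon\Mvc\Controller;
use Phalcon\Mvc\Dispatcher;
class ControllerBase extends Controller
{
    // Role level required on top of the ACL row; anything not listed needs level 1. (constructed)
    private $minLevel = ['config:update' => 3, 'customers:update' => 2];
    public function beforeExecuteRoute(Dispatcher $dispatcher)
    {
        $controller = strtolower($dispatcher->getControllerName());
        $action     = strtolower($dispatcher->getActionName());
        $auth       = $this->session->get('auth');
        if (!$auth) {
            $dispatcher->forward(['controller' => 'session', 'action' => 'login']);
            return false;
        }
        $needed  = isset($this->minLevel["$controller:$action"]) ? $this->minLevel["$controller:$action"] : 1;
        $allowed = $this->buildAcl($auth['group_name'])->isAllowed($auth['group_name'], $controller, $action)
                && (int) $auth['role_level'] >= $needed;
        if (!$allowed) {
            $dispatcher->forward(['controller' => 'errors', 'action' => 'show403']);
            return false;
        }
        return true;
    }
    // Build an in-memory ACL from this group's rows only; any pair not in the table is DENY.
    private function buildAcl($group)
    {
        $acl = new AclList();
        $acl->setDefaultAction(Acl::DENY);
        $acl->addRole(new Role($group));
        $sql = 'SELECT a.acl_controller, a.acl_action FROM ACL a '
             . 'JOIN Groups g ON g.group_id = a.group_id WHERE g.group_name = ?';
        foreach ($this->db->fetchAll($sql, \Phalcon\Db::FETCH_ASSOC, [$group]) as $row) {
            $res = strtolower($row['acl_controller']); // ACL names are compared exactly, so normalise case
            $act = strtolower($row['acl_action']);
            $acl->addResource(new Resource($res), [$act]); // adds the access to an existing resource too
            $acl->allow($group, $res, $act);
        }
        return $acl;
    }
}
```

The per-model restriction from the question (Mr. A vs Mr. B) is not an ACL concept here either; it would be a third table keyed on user id checked the same way before the action runs.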
I have only just started using CakePHP (v2.4.1). I did a fresh install, then I created my database structure and did a cake bake to create all models, controllers and views. Great! I have also created a login using the Auth component.
I have a users and a user_types table along with a user_types_views and a views table as part of the database structure, and I want to be able to give access to particular views at user type level. So I need to reference the database to see if there are any user_types_views records for the user type logged in, and set the access to authorised for each of these views.
Is this the best way to do it? And are there any hidden little gems in CakePHP which may speed up the process (like the 'cake bake' options)?
The CRUD permission setup would do this for you. You'd have to set all the $permKeys to 1 or -1 for allow or deny at each function (view) level.
Remember to use Crud as the authorize option in the Auth properties.
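What the answer describes, as an added example that is not from the thread: the Auth component configured with the Crud authorizer, and a one-off action that seeds the aros_acos rows (the 1 / -1 $permKeys) per user type. It assumes CakePHP 2.4 with the ACL tables created, a Group model standing in for user_types that the User model's parentNode() returns, and the controllers loaded as ACOs under 'controllers/'; the group ids and the Posts controller are made up.

```php
<?php
// Added example (not from the thread). Assumes CakePHP 2.4, ACL tables present,
// User $actsAs = array('Acl' => array('type' => 'requester')) with parentNode()
// returning its Group (the user type), and ACO nodes for each controller under 'controllers/'.

// app/Controller/AppController.php
class AppController extends Controller {
    public $components = array(
        'Acl',
        'Auth' => array(
            // Crud maps index/view -> read, add -> create, edit -> update, delete -> delete,
            // then asks Acl whether the user's group may do that on 'controllers/<Name>'.
            'authorize' => array('Crud' => array('actionPath' => 'controllers/')),
        ),
    );

    public function beforeFilter() {
        $this->Auth->allow('login', 'logout'); // every other action needs an ACL grant
    }
}

// app/Controller/UsersController.php: one-off seeding of permissions per user type.
// Run it once as an administrator, then remove it.
class UsersController extends AppController {
    public function initDB() {
        $group = $this->User->Group;
        $group->id = 1;                                          // admin user type (constructed id)
        $this->Acl->allow($group, 'controllers');                // full CRUD on every controller
        $group->id = 2;                                          // read-only user type (constructed id)
        $this->Acl->deny($group, 'controllers');                 // nothing by default...
        $this->Acl->allow($group, 'controllers/Posts', 'read');  // ...except index/view on Posts
        return $this->redirect(array('action' => 'index'));
    }
}
```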