Restrict scopes to certain users - doorkeeper

Say I have 2 scopes: read, write. What would be the cleanest way for me to only allow specific users (for example, current_user.admin?) to authorize on the write scope?

I did this by extending the AuthorizationsController, and adding a before_action for new/create.
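One way to carry out that approach, as an added example that is not the asker's code or Doorkeeper's own: a small policy object that checks the requested scopes against the user, and a subclass of Doorkeeper's AuthorizationsController that rejects the request in a before_action on new/create. Assumed: scopes are exactly "read" and "write", the user model answers admin?, the scope parameter is the space-delimited OAuth string, and the route name used for the custom controller.

```ruby
require "set"
# Policy object deciding which OAuth scopes a resource owner may grant.
# Assumption: "read" is open to everyone, "write" only to admins.
module ScopePolicy
  PUBLIC_SCOPES     = Set.new(%w[read]).freeze
  ADMIN_ONLY_SCOPES = Set.new(%w[write]).freeze
  KNOWN_SCOPES      = (PUBLIC_SCOPES | ADMIN_ONLY_SCOPES).freeze
  # The OAuth 2.0 "scope" parameter is a space-delimited list (RFC 6749 section 3.3).
  # Unknown scopes are rejected rather than silently dropped.
  def self.parse(scope_param)
    scopes = scope_param.to_s.split(/\s+/).reject(&:empty?)
    unknown = scopes.reject { |s| KNOWN_SCOPES.include?(s) }
    raise ArgumentError, "unknown scope(s): #{unknown.join(', ')}" unless unknown.empty?
    Set.new(scopes)
  end
  # Subset of the requested scopes this user may NOT grant (empty set = all fine).
  def self.denied_scopes(scope_param, user)
    requested = parse(scope_param)
    admin = user.respond_to?(:admin?) && user.admin?
    admin ? Set.new : (requested & ADMIN_ONLY_SCOPES)
  end
  def self.allowed?(scope_param, user)
    denied_scopes(scope_param, user).empty?
  end
end
# Constructed stand-in for the app's user model (only admin? is needed here).
DemoUser = Struct.new(:admin) do
  def admin?
    admin
  end
end
# Doorkeeper wiring, defined only when Doorkeeper is loaded so this file also runs
# stand-alone. Assumed route setup: use_doorkeeper { controllers authorizations:
# "restricted_authorizations" }. current_resource_owner is Doorkeeper's helper.
if defined?(Doorkeeper::AuthorizationsController)
  class RestrictedAuthorizationsController < Doorkeeper::AuthorizationsController
    before_action :enforce_scope_policy, only: %i[new create]
    private
    def enforce_scope_policy
      denied = ScopePolicy.denied_scopes(params[:scope], current_resource_owner)
      return if denied.empty?
      # Rendering inside a before_action halts the chain before Doorkeeper acts.
      render plain: "Not permitted to authorize scope(s): #{denied.to_a.join(' ')}",
             status: :forbidden
    rescue ArgumentError => e
      render plain: e.message, status: :bad_request
    end
  end
end
```

Doing the check in the controller means a non-admin cannot even reach the consent page for a write request; Doorkeeper's default scope handling still applies when no scope parameter is sent.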

Related

REST API: Authorize access based on given permissions rather than pre-determined roles

You all are familiar with the ability to share a Google Doc with certain people, and provide those people with the ability to view, or edit.
I'm trying to understand how such an architecture would be organized in a REST API.
For instance, for my document I want to grant read access to:
- myself
- some@email.com
- users who belong to domain.com (everybody who belongs to my network)
I'd like to give write access to:
- myself
- another@email.com
In addition, users with the role of admin also have write access regardless of the permission I define, and users with the role moderator have read access regardless of the permission I define.
What would be the ideal (or best practice) architecture for such a thing? Where would I delegate permissions? On the document itself? Would I have another model handling permissions? How would I create the complex rule-based system where access is granted based on a specific email, a broader domain affiliation, and even broader site-wide roles?
I can imagine a situation where each document has fields for different permissions. For instance:
- owner: my id
- admin: all the site's admins
- moderator: all the site's moderators
- viewers: a list of emails / domains
- editors: a list of emails / domains
But, is this scalable?
I'd love to get some advice.
Thanks!
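The rule set sketched in the question, evaluated in plain Ruby as an added example (not from the question or any answer). Assumed: a user carries an email and a list of site roles, a document stores its owner plus viewer and editor grants that mix exact emails and bare domains, write implies read, and the model and method names are mine.

```ruby
# Constructed models; names are mine, not from the question.
User = Struct.new(:id, :email, :roles) do
  def role?(name)
    roles.include?(name)
  end
end
Document = Struct.new(:owner_id, :viewers, :editors)

module DocumentPolicy
  # A grant containing "@" is an exact e-mail; otherwise it is a domain. Domains
  # compare exactly against the part after "@", never as a suffix, so a grant to
  # "domain.com" does not cover "x@notdomain.com".
  def self.entry_matches?(entry, email)
    entry = entry.downcase
    email = email.downcase
    return entry == email if entry.include?("@")
    _, domain = email.split("@", 2)
    domain == entry
  end

  def self.listed?(grants, email)
    grants.any? { |entry| entry_matches?(entry, email) }
  end

  # Site-wide admin role and document ownership override the per-document lists.
  def self.can_write?(user, doc)
    user.role?(:admin) || user.id == doc.owner_id || listed?(doc.editors, user.email)
  end

  # Write implies read; moderators read everything regardless of the lists.
  def self.can_read?(user, doc)
    can_write?(user, doc) || user.role?(:moderator) || listed?(doc.viewers, user.email)
  end

  # Single entry point; unknown actions are denied by default.
  def self.allowed?(user, doc, action)
    case action
    when :read  then can_read?(user, doc)
    when :write then can_write?(user, doc)
    else false
    end
  end
end

# Constructed sample matching the question: owner is user 1, readers are
# some@email.com plus everyone at domain.com, and another@email.com may also edit.
DOC = Document.new(1, ["some@email.com", "domain.com"], ["another@email.com"])
```

Keeping the grants on the document and the roles on the user keeps the decision a pure function of the two, which is what lets it move into a separate permissions model later without changing the callers.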

Include groups (along with roles) in Keycloak token?

Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.

In AEM access control list evaluation, when a user is part of 2 groups, one with an allow permission and the other with a deny, which will get applied?

The ACL evaluation rules I found are:
1. Allow rights have higher precedence than deny rights.
2. Group principals are evaluated in order, both within the hierarchy and in order within a single access control list, i.e. on the same node (CONCURRENT).
3. This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.
So when a user is part of both groups, which rule gets applied when the deny permission is at the bottom of the list? The first rule or the third rule?
In the case of a group hierarchy, how is the ACL created: according to the group hierarchy, or in the order we give the permission to the group principals?
It depends on the sequence of the allow/deny rep:policy entries. If the deny is placed after the allow, the user will not have access. The best practice is to always set a deny for all, followed by selective allow permissions.
Sequence matters a lot!
The one which is at the bottom will be applied. If deny is placed after allow, then no access will be provided to that user. Similarly, if allow is placed after deny, then permission is allowed. AEM best practice is to first deny for all, then allow permissions selectively and accordingly.

Confluence: best way to add public restrictions of a page

Currently we have a user guide sitting in Confluence. We want to give access to this page to all users of the product. What is the best way to do this?
Do I put the user guide into its own space and make it public? Then would I need to make a group defining all my users on our product?
It would be ideal if the users did not have to log into confluence in order to view the user guide. The most important piece is we do not want to give access to the user guide to everyone to view.
If you want to grant access to the users of that product, you need to create a group and then give access to only that group. If users don't need to log into Confluence, then anyone could access it.
Another approach is to use Comala Share It (disclaimer: I work in Comalatech). This add-on allows you to create a unique URL, which could be shared with the users of your product, so only they could access it. Of course, if the URL is shared with anyone outside the group, that person could access it too. I guess the public URL is not possible, since it uses a secure token.
Regards,
Gorka

In the Yii framework, are accessControl and accessRules independent of RBAC?

In Yii, there is an accessControl filter and an accessRules method that handle simple authorization for certain tasks. In my application, I have RBAC to authorize users into roles.
My question is should I use the accessControl filter and accessRules method in addition to RBAC or can I remove them and use RBAC exclusively?
You can make use of RBAC along with the accessRules() method by passing an array with the roles you want to check (of course, those roles need to be defined in your RBAC schema for it to work).
Further information on that: http://www.yiiframework.com/doc/api/1.1/CAccessControlFilter
Also, you can use RBAC on its own, by calling Yii::app()->user->checkAccess() every time you want to check if a user has the permissions to access a resource, task or anything else.
I would recommend making use of accessRules + RBAC when you need to restrict access to controllers/actions according to users' roles, and using RBAC alone when it comes to more granular access control.