How to Access Data / Field just One User
I was create crud data with Laravel backpack And confuse about limited access data for just one people with delegation. I try using Request file
public function authorize()
{
// only allow updates if the user is logged in
return \Auth::check()->user_id;
}
but nothing. still have access for other and some user.
I use this project like Task Manager.
User A : Manager (Role)
User B : Client (Role)
User C : Client (Role)
User A Create File / Data / Upload Doc (sample.txt) for User B and User B Just See thats.
User C : Can Access that index methode and see none file and can't see sample.txt (Owned by User B)
What i have to do?
Related
I want to create authentication apis in Hasura. My user can have differrent roles when signing up. Thinking of maintaining an Enum table for the same. So that I can have a foreign key/type from it in the user table. However, I intend to create a postgress trigger on this enum table, such that everytime, new role is added, a new hasura role should also be created to allow for JWT authentication and authorization accordingly.
Where does hasura stores its Hasrua role.
Answer 1 (direct answer)
Not sure this is something the app developer should edit.
All Hasura metadata (including roles/permissions) is in Postgres.
The schema is "hdb_catalog". The table is "hdb_metadata".
You can query this using:
SELECT * FROM "hdb_catalog"."hdb_metadata" WHERE id = 1;
It contains a large JSON document. It's better to look at it using PGAdmin.
Answer 2 (dynamic roles)
It looks like you're trying to get dynamic roles in place.
There is a great Youtube video that explains how to model it:
https://youtu.be/-18zZO3DrLY?t=1370
Is possible to have user in one realm to manage another realm in keycloak?
My goal is to have 2 realms - adminRealm & userRalm. In adminRealm should be users, which will be able to log in to our admin app and there they could create via Keycloak rest api "ordinary user" which will be placed into userRealm.
Currently my solution working over one realm, where I have admin user which is able to log into my admin app and there he can create users in the same realm. But if I want create users to another realm, I get 403 error. So is there any way how to allow admin user to manage another realm (eg create users etc.)?
You should use master realm for storing admin accounts. Non master realms are isolated from each other. If you look to the clients list in master realm you should see that every realm represented by client with OIDC id like "foo-realm". This clients represents administration REST API for corresponding realms, and users with granted roles from this clients could perform admin requests to corresponding apis.
For example you have foo realm which will contain ordinary application users. To achieve your goal to introduce admin accounts that will be able to manage users from foo you have to create foo-admin user in master realm and grant him foo-realm.realm-admin role. Now this user has total control over foo realm and no control over master realm. You also can map foo-realm.realm-admin role to some group in master realm and add users to it (so if any changes appears in future you will have to change only group role settings)
In case you use terraform your solution would look like this:
data "keycloak_realm" "master" {
realm = "master"
}
data "keycloak_openid_client" "realm_management" {
realm_id = data.keycloak_realm.master.id
client_id = "foo-realm"
}
data "keycloak_role" "query_users" {
realm_id = data.keycloak_realm.master.id
client_id = data.keycloak_openid_client.realm_management.id
name = "query-users"
}
data "keycloak_role" "manage_users" {
realm_id = data.keycloak_realm.master.id
client_id = data.keycloak_openid_client.realm_management.id
name = "manage-users"
}
resource "keycloak_user_roles" "user_admin_roles" {
realm_id = data.keycloak_realm.master.id
user_id = keycloak_user.users_admin.id
role_ids = [
data.keycloak_role.query_users.id,
data.keycloak_role.manage_users.id,
]
}
round 2: trying to make this clearer:
I have two totally and completely separate services (both laravel 5.3).
One is an authentication service that has access to a user mysql database, permissions and role.
The other is a resource service. It couldn't care less about the user table and does not have access to any user table.
That means that any type of Auth::loginById()... would never work in this service because there is no user table.
I want to use JWT to have users access the resource service API, and have the user Auth to act as if a user is authenticated - but again - all I have are the claims inside the JWT - no user table. The claims include some information about the user - id, name, etc. I want to do something like this:
$userObj = JWTAuth::parseToken()->getPayload()->claims; // { id:4, name: Birdman, email: birdy414141#gmail.com}
Auth::login($userObj)
and then have access to the user object like usual
echo Auth::user()->name // Birdman
Has anyone tried anything like this?
I have found that doing this more or less works:
$u = new User();
$u->user_id = (JWTAuth::parseToken()->getPayload()->get('sub'));
$u->name = (JWTAuth::parseToken()->getPayload()->get('name'));
Obviously I can't $u->save() here because again - there is no user database.
I can do this though:
Auth::login($u);
and then I can later call Auth::user()->name properly...
I'm asking if I'm doing something exotic here or is this good stuff. Where will this fail?
Suppose we have following entities (representing a m:n relation, with additional column on the join table):
public class User {
private String name;
private List<Login> logins;
}
public class Login {
private User user;
private Website website;
private String login;
}
public class Website {
private String name;
private List<Login> logins;
}
I want to create a User edit form that contains one login input field per each existing website (so that all existing websites are in the form). E.g., having 2 websites defined (website1, website2), I would like to see:
My problem is with achieving following behavior on submission of the form: if login input field is filled for a website, it should be added to user1's logins, and if it's empty, it should not be added/get removed.
I created the form using User model (for user name), and website's fields use ListView backed by a model of all logins (taken straight from DB). This makes my form look as expected, but the behaviour is not there, as websites model is independent from the User model. What is your recommended approach?
Use a ListView backed by a list of all possible Login objects, ie the existing Login object if it exists and a dummy/empty/new Login object for each Website for which it doesn't exist.
Then on form submission save those Login objects which have a not-null and not-empty login field.
You could create a bean instead of directly using the Login object but it would work the same way.
If you also want to delete Login objects for which the user removed the login value, create some way in which you can check the Login object has been saved before (ie, its login field was notempty once) and delete the object if it is empty now.
Changing ListView to PropertyListView did the trick. Model gets updated properly and therefore I can do any required postprocessing in onSubmit(). With the ListView, form was rendered fine, but changes in login input fields were ignored.
I have task to build application for user registration. I have 3 types of user (profiles)
1. "Normal" user
2. "Company" user
3. "Company2" user - similar like 2. but with few additional fields..
All users share some specific info, like e-mail and password (Login data), role, registration date etc.... So, I'm trying to "design" classes for this type of app using only EF Code First approach, but with no luck..
Do I need table (class) for :
USER - all kind of users with all their Login data (email and password) and UserType
USERTYPE - list of all user types (1,2,3)
USER_DETAILS - details of normal user
COMPANY_DETAILS - details of company
COMPANY2_DETAILS -details of company2
My problem is how to reference USER table with USER_DETAILS, COMPANY_DETAILS, COMPANY2_DETAILS. I hope so that you understand my problem :)
My classes (user management and profile) is implemented like http://codefirstmembership.codeplex.com/ example.
Thank you in advance!
You can use a normal inheritance model with Entity Framework.
I would just use a base class User that contains the login data (please don't store the password in the DB though, use a hash - Membership should do this for you already) and other user info, then you can add another class CompanyUser that inherits from User and contains the additional properties. Finally CompanyUser2 (needs a better name) can inherit from CompanyUser.
Having this in place there are different models you can use on how EF maps your classes to tables:
1.) Table-per-Hierarchy
2.) Table-per-Type
3.) Table per Concrete Type