I am struggling to get my user permissions/privileges/roles setup correctly to get the behaviour I need.
I am using MarkLogic 8 and Roxy to create and deploy an application.
This application has different users that have content that should be restricted to the individual user. But they also participate in projects in which they need to collaborate together.
I have seen this helpful blog and the discussion on github issue 303 but am still not able to get it right.
Default roxy app user role:
<role>
  <role-name>${app-role}</role-name>
  <description>A role for users of the ${app-name} application</description>
  <role-names>
  </role-names>
  <permissions>
    <permission>
      <capability>execute</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>update</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>insert</capability>
      <role-name>${app-role}</role-name>
    </permission>
    <permission>
      <capability>read</capability>
      <role-name>${app-role}</role-name>
    </permission>
  </permissions>
  <collections>
  </collections>
  <privileges>
    <privilege>
      <privilege-name>xdmp:value</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:add-response-header</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:invoke</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:with-namespaces</privilege-name>
    </privilege>
  </privileges>
</role>
My custom role:
<role>
  <role-name>sccss-user</role-name>
  <description>sccss default role</description>
  <role-names>
    <!-- TODO test which roles we really need -->
    <!--
    <role-name>alert-user</role-name>
    <role-name>alert-internal</role-name>
    <role-name>rest-admin</role-name>
    <role-name>rest-writer-internal</role-name>
    <role-name>rest-reader</role-name>
    <role-name>network-access</role-name>
    <role-name>qconsole-user</role-name>
    -->
    <!-- cluey app role for rest api access TODO replace with dedicated api user and role
    <role-name>${app-role}</role-name>
    -->
  </role-names>
  <permissions>
  </permissions>
  <collections>
  </collections>
  <privileges>
    <!-- HK -->
    <!--
    <privilege>
      <privilege-name>any-uri</privilege-name>
    </privilege>
    -->
    <privilege>
      <privilege-name>devices-uri</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>any-collection</privilege-name>
    </privilege>
    <!-- to make this role have access to the REST API -->
    <privilege>
      <privilege-name>rest-reader</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>rest-writer</privilege-name>
    </privilege>
    <!-- TODO test this
    <privilege>
      <privilege-name>xdmp:value</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:add-response-header</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:invoke</privilege-name>
    </privilege>
    <privilege>
      <privilege-name>xdmp:with-namespaces</privilege-name>
    </privilege>
    -->
  </privileges>
</role>
I have tested and tried what is described in the blog above but with those settings I get no access to any document, apparently no rest extension access.
If I give my users the ${app-role} it gives the problem that users can see other users' private content... because all users have the 'rest-reader' role...
So I need to restrict the default app role to not use the rest-reader role and use rest-reader privileges instead, but I can't get it to work...
One option I am considering is to use document-insert() permissions for the restricted content but this should be possible with the right roles and privileges if I can set it up correctly, right?
ADDITION
In response to Grtjn's answer: thanks for your comments. I think I am puzzled by the REST roles. If I look at the default roles in a roxy app on git those look empty, but when I set my roxy app type to be a REST app things seem to get more complicated. The main confusion is what roles and privileges do I need for a second (independent) role to be able to use the REST endpoint? What are the xdmp:(value, add-response-header, invoke, etc.) privileges exactly doing and needed for? In my example, for a user to be able to access the REST API he/she needs the following roles:
<role-name>${app-role}</role-name>
<!-- we need this to amp internal privileges-->
<role-name>alert-user</role-name>
<role-name>alert-internal</role-name>
<role-name>rest-admin-internal</role-name>
And then we get into the discussion if rest-reader should be a privilege or a role?
So a more concrete question:
What is the minimum role/privilege set I would need to access a REST endpoint created by a roxy rest type application?
I'd recommend taking the following approach here:
Use the app-role for application execution, not for content access to start with. For that reason, remove the default permissions from that role, and just give it the rest-reader/rest-writer privilege, and maybe some privs for running MLCP and such.
Next, make sure that REST extensions, and anything else that is not deployed by Roxy directly, get read and execute document permission. Think of triggers and alerts created with custom code, sql-views or schemas not loaded with deploy schemas, etc. The change_permissions function we use in slush-marklogic-node could serve as example of how to handle this: https://github.com/marklogic/slush-marklogic-node/pull/298/files#diff-a529d1d70bd21866e1d12eda3a99f7b6R96
Once there create a dedicated role for each portion of content that needs to be granted access to separately. If you need a set of docs to be accessible by one user only, you will need a user specific role. If you also have a set of docs accessible by project members only, you also need a project specific role. If you need to distinguish between read/write too, make two roles for each (two user, two project roles). These roles will have no privs, and should not inherit roles (except write inheriting the corresponding read role perhaps).
Once you have the read/write roles, you can start thinking about how to apply them correctly for document permissions at ingest. With this level of complexity, you might wanna avoid default permissions, and choose document permissions explicitly. xdmp:document-insert, MLCP and /v1/documents all take explicit document permissions, so you should have a reasonable amount of control with those.
ADDITION
Note on Roxy's out of the box ml-config file. It is not properly tuned for REST type applications. That is why the slush-marklogic-node generator patches the ml-config: https://github.com/marklogic/slush-marklogic-node/blob/master/slushfile.js#L346
The bare minimum to have read access to the REST api, is rest-reader priv, and to have update access to the REST api, is rest-writer priv. REST extensions are running from modules database, not from filesystem, so you need module access for that in addition. The change_permissions function mentioned above fixes that for you.
Anyhow, my general advice would be to use app-role for app execution, like mentioned before, and the other roles for data access. Any user that wants to use the app should inherit app-role, as well as some of the other roles to provide the appropriate amount of data access.
HTH!
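As an added example (not code from Grtjn's answer, Roxy or slush-marklogic-node), this is what the approach above looks like at ingest time in MarkLogic XQuery: the app-role is left out of the document permissions entirely, and each document names only the dedicated read/write roles. The role names user-alice-read, user-alice-write, project-proj-42-read and project-proj-42-write are assumed to exist already (created for example through Roxy's role config) and to carry no privileges.

```xquery
xquery version "1.0-ml";

(: Assumed role names, created beforehand with no privileges and no
   inherited roles. xdmp:permission raises an error if a named role does
   not exist, so the roles must be deployed before content is ingested. :)
declare variable $user-id := "alice";
declare variable $project-id := "proj-42";

(: Permissions for content that only one user may see or change :)
declare function local:private-permissions($user as xs:string) {
  xdmp:permission(fn:concat("user-", $user, "-read"), "read"),
  xdmp:permission(fn:concat("user-", $user, "-write"), "update"),
  xdmp:permission(fn:concat("user-", $user, "-write"), "insert")
};

(: Permissions for content shared by all members of one project :)
declare function local:project-permissions($project as xs:string) {
  xdmp:permission(fn:concat("project-", $project, "-read"), "read"),
  xdmp:permission(fn:concat("project-", $project, "-write"), "update"),
  xdmp:permission(fn:concat("project-", $project, "-write"), "insert")
};

(: Explicit permissions are passed on every insert, so the database
   default permissions and the app-role play no part in who can read
   these documents, even though every app user holds the app-role. :)
xdmp:document-insert(
  fn:concat("/users/", $user-id, "/notes/1.xml"),
  <note owner="{$user-id}">visible to alice only</note>,
  local:private-permissions($user-id),
  (fn:concat("/users/", $user-id))
),
xdmp:document-insert(
  fn:concat("/projects/", $project-id, "/plan.xml"),
  <plan project="{$project-id}">visible to every project member</plan>,
  local:project-permissions($project-id),
  (fn:concat("/projects/", $project-id))
)
```

A user is then granted access by inheriting user-alice-read (or -write) and project-proj-42-read (or -write) next to the app-role; xdmp:document-get-permissions($uri) run in a separate query shows which roles can read each document.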
Related
With the API of Connections community we can add a member as described in this URL:
https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Adding_a_member_programmatically&content=apicontent
I try to add an owner, not a member, in a community but he always becomes a member even if I am posting this information for the user:
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:snx="http://www.ibm.com/xmlns/prod/sn">
  <contributor>
    <email>michel.nico#connelink.fr</email>
    <snx:userid xmlns:snx="http://www.ibm.com/xmlns/prod/sn">My user ID</snx:userid>
    <snx:userState xmlns:snx="http://www.ibm.com/xmlns/prod/sn">active</snx:userState>
    <snx:isExternal xmlns:snx="http://www.ibm.com/xmlns/prod/sn">false</snx:isExternal>
    <name>Michel NICO</name>
  </contributor>
  <snx:role xmlns:snx="http://www.ibm.com/xmlns/prod/sn" component="http://www.ibm.com/xmlns/prod/sn/communities">owner</snx:role>
  <category term="business-owner" scheme="http://www.ibm.com/xmlns/prod/sn/type"></category>
  <category term="person" scheme="http://www.ibm.com/xmlns/prod/sn/type"> </category>
  <snx:orgId xmlns:snx="http://www.ibm.com/xmlns/prod/sn">The ID of our cloud</snx:orgId>
</entry>
It always creates me as a member and not as an owner.
How can we create a user with the owner role in a community?
Support sent me a response:
No need to add so many fields to add a person:
<entry xmlns="http://www.w3.org/2005/Atom">
  <contributor>
    <email>mailadress</email>
  </contributor>
  <snx:role xmlns:snx="http://www.ibm.com/xmlns/prod/sn" component="http://www.ibm.com/xmlns/prod/sn/communities">owner</snx:role>
</entry>
is enough to create a person.
But I was trying to add myself as an owner of a community, and that was the problem: when the admin account tries to add himself, he can only be a member. When you try to add someone else, you can add him as an owner.
This limitation was not described in the documentation.
Now it works
It looks good, but I think the term=person item is for activities and not communities, at least that's what the docs show. You might remove that and see what happens. I have a feeling it's overriding the owner role you're trying to set.
I've looked at the documentation for creating profiles for FHIR, and I've used Forge to create some xml that I believe is valid to describe a profile. I can't find in the documentation where it actually states what request I need to make to the RESTful api to actually add a new profile.
Any ideas?
You can of course just "store" your profiles on a FHIR server by POSTing them to a FHIR endpoint, but you probably mean: can I actively let instances be validated against the StructureDefinition?
There are two ways, both of which require a bit of experimentation to see which public servers support them:
Any FHIR instance may declare it adheres to a StructureDefinition, by adding the canonical url (StructureDefinition.url) to the instance's meta.profile as shown below. Servers may pick this up on a POST and validate the instance against the stated profile:
<Patient>
  <id value="44Q3"/>
  <meta>
    <profile value="http://example.org/StructureDefinition/PatientNL"/>
  </meta>
</Patient>
Actively ask a server to validate your instance using the $validate FHIR operation (see http://hl7.org/fhir/resource-operations.html#validate)
How do I assign a specific role from Drupal core (D7) upon automatic registration with Simple FB Connect? I currently am using auto role assign and have a custom registration for 2 roles: one is a basic role with limited permissions and the other an advanced role with more edit/creation permissions. My problem is that the Simple FB Connect link works great but is registering people for the wrong roles. How can I choose the role that is being assigned based on the URL?
Maybe something in template.php that would allow the following url to be placed on my facebook buttons?
/user/simple-fb-connect?registration=1&role=my_custom_role
You can use hook_user_insert and check for the url and assign the desired role,
function module_name_user_insert(&$edit, $account, $category) {
  // Only act on accounts created through the Simple FB Connect URL.
  if (strpos($_SERVER['REQUEST_URI'], '/user/simple-fb-connect') === 0) {
    // Look the rid up by role name instead of assuming it is 1.
    $role = user_role_load_by_name('my_custom_role');
    if ($role) {
      // The account row already exists at this point, so the extra role
      // has to be saved explicitly; setting it on $account alone is lost.
      user_save($account, array('roles' => $account->roles + array($role->rid => $role->name)));
    }
  }
}
I encourage you to take a look at the rules module: https://www.drupal.org/project/rules/
This module allows you to create automated tasks based on events. What you want to do is:
Download and enable rules module: https://www.drupal.org/project/rules/
You'll need to enable rules UI as well
Go to rules configuration: example.com/admin/config/workflow/rules
Create a new rule
The rule event should be something like: "User registers a new account connected to Facebook"
The rule action should be something like: "Assign role to user"
The interface should be pretty straightforward.
Here's some additional resources:
Rules Handbook
https://www.drupal.org/documentation/modules/rules
I am trying to read the Magento product list via REST API using a guest account. My Magento instance responds to GET /api/rest/products/1 as expected, with:
<?xml version="1.0"?>
<magento_api>
  <entity_id>1</entity_id>
  <type_id>simple</type_id>
  <sku>simple_sku</sku>
  <name>simple</name>
  <meta_title/>
  <meta_description/>
  <description>description</description>
  <short_description>short description</short_description>
  <meta_keyword/>
  <tier_price/>
  <is_in_stock>0</is_in_stock>
  <regular_price_with_tax>100</regular_price_with_tax>
  <regular_price_without_tax>100</regular_price_without_tax>
  <final_price_with_tax>100</final_price_with_tax>
  <final_price_without_tax>100</final_price_without_tax>
  <is_saleable>0</is_saleable>
  <image_url>http://localhost/media/catalog/product/cache/0/image/9df78eab33525d08d6e5fb8d27136e95/images/catalog/product/placeholder/image.jpg</image_url>
  <url>http://localhost/index.php/catalog/product/view/id/1/s/simple/</url>
  <buy_now_url>http://localhost/index.php/checkout/cart/add/uenc/aHR0cDovL2xvY2FsaG9zdC9hcGkvcmVzdC9wcm9kdWN0cy8x/product/1/form_key/6DQ0mBsIua4HpuGN/</buy_now_url>
  <total_reviews_count>0</total_reviews_count>
  <has_custom_options/>
</magento_api>
However, asking the same Magento instance for a list of products using GET /api/rest/products returns empty result, when I would expect a list containing that product:
<?xml version="1.0"?>
<magento_api/>
The result is populated correctly when calling as an OAuth-authenticated user, but I need it working for the guest account.
The guest REST role has been configured to get "All" resource access and "All" attributes. I have this behaviour for Magento versions 1.9.0.1 and 1.9.1.0, for both formats, XML and JSON (JSON returning []). Also changing the "All" guest settings to manually selected checkboxes didn't solve this issue.
Thanks to this blog post, I found out that Magento doesn't show out of stock products for the guest role in the REST API. To change this behaviour, edit the setting System > Configuration > Catalog > Inventory > Stock options > Display out of stock products
The reason for that behaviour could be that guests shouldn't see unavailable products because they cannot order or do anything with them. At the same time the admin can see them, because they are potentially editable for him (if the admin role has been granted that permission).
I am creating a startup hook script for Liferay to add and preconfigure Roles for Liferay 6.2 behind the scenes.
Specifically I am looking to add the type of permissions that can be accessed through Control Panel > Roles > Actions > Define Permissions.
Currently I am able to add Liferay Roles, but have so far been unsuccessful in finding the correct way to add custom permissions to the Roles programmatically. I see there was a way to do this in prior Liferay versions, but do not see it here.
https://www.liferay.com/community/forums/-/message_boards/message/2965424
https://www.liferay.com/web/guest/community/forums/-/message_boards/message/124558
So far I have investigated RolePermissionUtil, RoleLocalServiceUtil, among other available services.
Let me know if this is available through the service to be added to a startup hook or if this can only be done in the UI.
It appears that the API has changed since these posts.
Thank you in advance for your help
Figured it out using ResourcePermissionLocalServiceUtil.setResourcePermissions and RoleLocalServiceUtil.
E.g.
Role role = RoleLocalServiceUtil.fetchRole(CompanyThreadLocal.getCompanyId(), "Role Name"); // returns null if no such role exists
ResourcePermissionLocalServiceUtil.setResourcePermissions(CompanyThreadLocal.getCompanyId(), Role.class.getName(),
    ResourceConstants.SCOPE_GROUP_TEMPLATE, String.valueOf(role.getRoleId()), role.getRoleId(),
    new String[] {ActionKeys.VIEW, ActionKeys.UPDATE, ActionKeys.DELETE});
I used CompanyThreadLocal to obtain the Company Id because I am using this in a hook, not a portlet, where typically it would be accessed through the theme display. Here I am just adding access to Roles, but other class namespaces could be added (e.g. "com.liferay.portlet.dynamicdatalists.model.DDLRecordSet").