In my application layout I have one segment which represents the ADMIN PANEL. I render that segment with the partial('admin_panel.phtml') view helper.
Now, I want to render 'admin_panel.phtml' if a user has the 'admin' role, and not if they don't. My idea was to check the user's role and, based on that, render the admin panel or not.
I have a service registered with the ServiceManager as an invokable, which returns the current user's role, but how do I get the ServiceManager from the layout? How do I call my service to check the user's role?
Related
I have a situation where during login, after a user has entered their username/password, they would get transferred to an additional page where they would have to enter an additional field (or select something from a select box).
Today, I use a simple session id over a cookie. When a user enters their credentials I create a session, and after they have entered the field in the additional page, I update the session.
I was wondering what would be the best way to achieve something like that in Keycloak. I would also like to include that additional field in the token.
I guess the obvious way would be to keep my login frontend as it is now and use the direct credentials grant API that Keycloak provides, but I would rather avoid that.
Please advise.
Clarifications: Each user in the system can belong to multiple organizations. That additional field corresponds to the organization that the user logs in to. All applications that interact with the token have to be aware of that organization field.
According to your requirements I would suggest the following:
1. Continue with the UserStorageProvider implementation. Refer to the following docs. Your implementation should also provide the list of available companies for every user. You can expose this list as a UserModel attribute.
2. Implement a custom required action (components like that run after successfully passed credential challenges) that will get the list of available companies from the UserModel object of the authenticated user. Offer this list to the user as a separate login form, so after the user submits his choice it will be persisted in a user session note. As an example, check out the implementation of UpdateUserLocaleAction and the javadoc for RequiredActionProvider. Here is an example of the logic for storing the selected company:

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        List<String> availableCompanies = context.getUser().getAttribute("companies");
        // ... form rendering
    }

    @Override
    public void processAction(RequiredActionContext context) {
        String company = context.getHttpRequest().getFormParameters().getFirst("selected_company");
        // Accept only a company from the user's own list; the form value is client-controlled.
        List<String> availableCompanies = context.getUser().getAttribute("companies");
        if (company == null || availableCompanies == null || !availableCompanies.contains(company)) {
            context.failure();
            return;
        }
        context.getAuthenticationSession().setUserSessionNote("company", company);
        context.success();
    }

3. Add a UserSessionNote OIDC mapper to the required client (or to a shared client scope), so it will extract the 'company' note saved by the required action implementation from step 2.
4. ???
5. Profit
How do I assign a specific role from drupal core(D7) upon automatic registration with Simple FB Connect? I currently am using auto role assign and have a custom registration for 2 roles, One is a basic role with limited permissions and the other an advanced role with more edit/creation permissions. My problem is that the simple FB connect link works great but is registering people for the wrong roles. How can I choose the role that is being assigned based on the url?
Maybe something in template.php that would allow the following url to be placed on my facebook buttons?
/user/simple-fb-connect?registration=1&role=my_custom_role
You can use hook_user_insert and check for the URL and assign the desired role:

    function module_name_user_insert(&$edit, $account, $category)
    {
        if ($_SERVER['REQUEST_URI'] == "url")
        {
            // add code to assign desired role;
            // assuming rid of custom role is 1
            $account->roles[1] = 'custom_role';
        }
    }

I encourage you to take a look at the rules module: https://www.drupal.org/project/rules/
This module allows you to create automated tasks based on events. What you want to do is:
Download and enable rules module: https://www.drupal.org/project/rules/
You'll need to enable rules UI as well
Go to rules configuration: example.com/admin/config/workflow/rules
Create a new rule
The rule event should be something like: "User registers a new account connected to Facebook"
The rule action should be something like: "Assign role to user"
The interface should be pretty straightforward.
Here's some additional resources:
Rules Handbook
https://www.drupal.org/documentation/modules/rules
I was searching for a way to password protect the Apigility admin UI without using htpasswd, but I did not find any information about it. Can anybody help me out with this?
Thanks in advance
You don't need password protection for ApiGility UI. Access should only be allowed in the Dev environment.
php public/index.php development enable <- to enable the UI
php public/index.php development disable <- to disable the UI
If you insist on having password protection for it, then you can add an event to the Application Module.php that checks if the identified user is allowed to access that resource.
Edit - If you do want to protect something by password
The following code should be placed in the Module.php file. (In many cases under the Application module).
It calls the event manager and attaches an action to the dispatch event.
Every time the application reaches the dispatch phase it will fire this event.
The action is passed as a callback, so you can attach functions, classes, etc. In this example I passed a new class that has access to the MvcEvent ($e).
For example, that class can check if a user is logged in. If he is not, then redirect him to /login.

    public function onBootstrap(MvcEvent $e)
    {
        $eventManager = $e->getApplication()->getEventManager();
        $eventManager->attach(MvcEvent::EVENT_DISPATCH, array(new UserAccessChecker($e), 'getResponse'));
    }

For the purpose of auth you should further investigate ACL & RBAC.
I'm absolutely new to Symfony, and I'm trying to implement a registration form that works only with an invitation but that can redirect to two different forms for two different roles.
In practice, if I send an invitation for a USER_TYPE1 role the client can only register as USER_TYPE1, and if I send an invitation for a USER_TYPE2 the client can only register as USER_TYPE2 (and, of course, is assigned the corresponding role).
Is it possible?
Thank you in advance for your help.
UPDATE:
I want two different forms because one user will be allowed to update file, but will also have to set his position and other important settings. The second user will only be allowed to download the files uploaded by the first kind of user, and his profile needs completely different information.
I do not have enough reputation to ask for details, but one thing that is not clear in your question is: why do you need 2 different forms? In your question, you mention 2 different roles, but why do you need 2 different forms? If you really need 2 different forms, then you should first:
- create a new form type
- create a new view (twig)
Like Boris suggested, I would keep some kind of token for every invitation sent, and associate an email address, and a role to it. Then modify your registration route so you can pass a token in there, like this:

    register:
        pattern: /signup/{token}
        defaults: { _controller: MyBundle:Registration:signup }

In the registration action of your controller, you create the correct form type and display the appropriate twig, depending on the ROLE associated with the token you just got. And when handling a POST, you check the token again to see if it matches the email address, and assign the proper ROLE when creating the User.

    public function signupAction($token) {
        // 1. Get the Token entity matching the $token variable
        // 2. Create the correct form type
        // 3. Display the correct twig for GET, assign correct ROLE to new User for POST
    }

But you can't use FOSUserBundle as-is. You will have to overwrite the registration process. You can read the FOSUserBundle documentation about that.
What's certain is that, for every invitation you send, you should keep a token with a matching email address and ROLE (the role you want to give to that person).
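The token scheme described in the answers above, as an added example that is not code from the answers or from FOSUserBundle: each invitation is stored with an e-mail address and a role, and the role is read from that record on both GET and POST rather than from anything the client sends. `InvitationStore`, its method names and the `ROLE_USER_TYPE*` role names are assumptions, and the in-memory array stands in for a database table.

```php
<?php
declare(strict_types=1);

// In-memory stand-in for an invitation table; class and role names are hypothetical.
final class InvitationStore
{
    private const ALLOWED_ROLES = ['ROLE_USER_TYPE1', 'ROLE_USER_TYPE2'];
    private array $rows = []; // keyed by SHA-256 of the token

    /** Create an invitation; the returned raw token goes into /signup/{token}. */
    public function issue(string $email, string $role, int $ttl = 604800): string
    {
        if (!in_array($role, self::ALLOWED_ROLES, true)) {
            throw new InvalidArgumentException('role is not invitable');
        }
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        // Store only a hash so a leaked table does not yield usable links.
        $this->rows[hash('sha256', $token)] = [
            'email' => strtolower(trim($email)), 'role' => $role, 'expires' => time() + $ttl,
        ];
        return $token;
    }

    /** GET: role that selects the form type and twig, or null if unknown/expired. */
    public function roleFor(string $token): ?string
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        return ($row !== null && $row['expires'] >= time()) ? $row['role'] : null;
    }

    /** POST: re-check token and e-mail, consume the invitation, return the role to assign. */
    public function redeem(string $token, string $submittedEmail): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        $email = strtolower(trim($submittedEmail));
        if ($row === null || $row['expires'] < time() || !hash_equals($row['email'], $email)) {
            return null;
        }
        unset($this->rows[$key]); // single use
        return $row['role'];      // taken from the stored row, never from the request
    }
}

// Constructed sample run.
$store = new InvitationStore();
$token = $store->issue('alice@example.com', 'ROLE_USER_TYPE2');
var_dump($store->roleFor($token));
var_dump($store->redeem($token, 'mallory@example.com'));
var_dump($store->redeem($token, 'alice@example.com'));
```

In a controller, `roleFor()` would back the GET branch of `signupAction($token)` and `redeem()` the POST branch, with a null result treated as an invalid invitation.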
When I go to /_layouts/groups.aspx in my site collection, I only see the first 100 groups. There is no pagination control visible. How do I correct this, to work with more than just the first 100 groups?
You can also modify this view through the standard UI, rather than using code if you need to:
Browse to "http://<site collection url>/_catalogs/users/AllGroups.aspx"
Site Actions-> Edit Page
Modify the List View web part
Under Selected View click the "Edit the current view" link.
You can now edit the view settings like any other in SharePoint.
That list is a SharePoint internal list which cannot be accessed through the API and must be hit by utilizing the object model.
Assuming you're familiar with the SharePoint API, you need to access your site programmatically, then access the users and groups list, then access the default view on it, and set its paging property to true.

    static void Main(string[] args)
    {
        //Access the site
        using (SPSite _site = new SPSite("http://myurlwithport:800"))
        {
            //Substitute the appropriate web if it is not the root
            using (SPWeb _web = _site.RootWeb)
            {
                // This is always the name of the users list
                SPList userList = _web.Lists["User Information List"];
                //This is the view that is causing you trouble
                SPView allGroupsView = userList.Views["All Groups"];
                //Set this value to true if it is false.
                Console.WriteLine(allGroupsView.Paged);
                //Set this value to whatever you want if you don't want paging
                Console.WriteLine(allGroupsView.RowLimit);
                Console.ReadLine();
            }
        }
    }

Hope this does it for ye.
EDIT
Based on OP comments
There is a RowLimit property that you can change instead if you want.
I've added it into the code provided.
I want to share some additional clarification to Michael M's suggestion on updating the "AllGroups.aspx".
Initially, I used a regular Site Collection admin account to access the "http:///_catalogs/users/AllGroups.asp" page and got access denied.
I then used another Site Collection admin account who's also in the Windows admin group for the SP server and still got access denied.
Finally, I used the SharePoint 2010 Farm admin account that we used to set up the Web App/App Pool, and that finally gave me access to the page.