I am using Windows Authentication for Roadkill Wiki. Has anyone attempted to add additional user roles in Roadkill Wiki for fine grain access control? If so, do you have any guides to help with this.
Cheers.
I'm pretty sure that you can't add additional user roles in Roadkill Wiki. You can find proof of this fact in documentation:
Roadkill has just two types of user roles: editors (or standard users) and admins. The only difference between the two is that admin users who belong to the admin role can access the "site settings" page, delete and lock pages.
Also you can find authentication implementation details in code:
public interface IUserContext
{
// ...
/// <summary>
/// Gets whether the user (if logged in), is in the editors group.
/// </summary>
bool IsAdmin { get; }
/// <summary>
/// Gets whether the user (if logged in), is in the editors group.
/// </summary>
bool IsEditor { get; }
// ...
}
You can see that there is no UserRole type. Just two flags: IsAdmin and IsEditor. Not very flexible :) Of course, you can create an issue or pull request.
Related
I have a situation where during login, after a user has entered their username/password, they would get transferred to an additional page where they would have to enter an additional field (or select something from a select box)
Today, I use a simple session id over a cookie. When a user enters their credentials I create a session, and after they had entered the field in the additional page, I update the session.
I was wondering what would be the best way to achieve something like that in Keycloak. I would also like to include that additional field in the token.
I guess the obvious way would be to keep my login frontend as it is now and use the direct credentials grant API that Keycloak provides, but I would rather avoid that.
Please advise.
Clarifications: Each user in the system can belong to multiple organizations. That additional field corresponds to the organization that the user logs in to. All applications that interact with the token have to be aware of that organization field
According to your requirements i would suggest following:
Continue with UserStorageProvider implementation. Refer to following docs. Your implementation should also provide list of available companies for every user. You can expose this list as an UserModel attribute.
Implement custom required action (components like that runs after successfully passed credential challenges) that will get list of available companies from UserModel object of authenticated user. Offer this list to user as separate login form, so after user submits his choice it will be persisted in user session note. As example check out implementation for UpdateUserLocaleAction and javadoc for RequiredActionProvider. Here is example of logic for storing selected company:
#Override
public void requiredActionChallenge(RequiredActionContext context) {
List<String> availableCompanies = context.getUser().getAttribute("companies");
... // form rendering
}
#Override
public void processAction(RequiredActionContext context) {
String company = context.getHttpRequest().getFormParameters().getFirst("selected_company");
context.getAuthenticationSession().setUserSessionNote("company", company);
}
Add UserSessionNote oidc mapper to required client (or to shared client scope), so it will extract 'company' note saved by required action implementation from step 2
???
Profit
In a project that I am working in AEM 6.1, we are using the "new" way to obtain a valid ResourceResolver object through the line resolverFactory.getServiceResourceResolver(). As you know, is neccessary to have a System User created with the right permissions in the environment, to perform some tasks in the JCR. We have created a System User with Admin rights.
Attach of the permissions: useradmin page
This user is assigned to the Apache Sling Service User Mapper Service config as a Default User, so we do not have to pass anytime in the code the Map object with the subservice name. The page path that I am testing is /content/test/test-1/test-folder/test-unlock-page/. Attached the related CODE. When the line page.unlock() is executed this throws a WCMException
#Override
public void unlock(String userId, String pagePath) throws LoginException, WCMException {
ResourceResolver resourceResolver =resourceResolverFactory.getServiceResourceResolver(null);
PageManager pageMgr = resourceResolver.adaptTo(PageManager.class);
Session session = resourceResolver.adaptTo(Session.class);
Page page = pageMgr.getPage(pagePath);
if(!page.isLocked()) {
log.info("Page is NOT locked, unlock operation not mandatory: " + pagePath);
} else {
log.info("Unlocking page on behalf of: " + userId);
page.unlock();
}
The exception cause is:
javax.jcr.lock.LockException: Not an owner of the lock /content/test/test-1/test-folder/test-unlock-page/jcr:content
I read the documentation of this link and according my understanding when you specify a modify permission for this user the user can lock (locking) but this paragraph does not tell anything about unlocking:
At the JCR level, users can modify a resource by modifying its properties, locking, versioning, nt-modifications, and they have complete write permission on nodes defining a jcr:content child node, for example cq:Page, nt:file, cq:Asset
I am thinking if is possible to assign in other place a permission to unlock to this System user, because it seems that is imposible to do it with the current privileges.
Thanks for any idea about it.
It is not possible. only the admin user and lock owner can remove the lock.
Just the lock owner can remove the lock. Even a member of an administrators group isn't able to unlock a page. However, the admin user can remove the lock of any page using the CRX Content Explorer.
How do I assign a specific role from drupal core(D7) upon automatic registration with Simple FB Connect? I currently am using auto role assign and have a custom registration for 2 roles, One is a basic role with limited permissions and the other an advanced role with more edit/creation permissions. My problem is that the simple FB connect link works great but is registering people for the wrong roles. How can I choose the role that is being assigned based on the url?
Maybe something in template.php that would allow the following url to be placed on my facebook buttons?
/user/simple-fb-connect?registration=1&role=my_custom_role
YOu can use use hook_user_insert and check for the url and assign desired role,
function module_name_user_insert(&$edit, $account, $category)
{
if($_SERVER['REQUEST_URI'] =="url")
{
//add code to assign desired role;
//assuming rid of custom role is 1
$account->roles[1]='custom_role';
}
}
I encourage you to take a look at the rules module: https://www.drupal.org/project/rules/
This module allows you to create automated tasks based on events. What you want to do is:
Download and enable rules module: https://www.drupal.org/project/rules/
You'll need to enable rules UI as well
Go to rules configuration: example.com/admin/config/workflow/rules
Create a new rule
The rule event should be something like: "User registers a new account connected to Facebook"
The rule action should be something like: "Assign role to user"
Interface should be pretty straight forward.
Here's some additional resources:
Rules Handbook
https://www.drupal.org/documentation/modules/rules
I have a page say xyz which contains many sub pages. Some of the subpages are "CUG enabled". In my jsp I am calling currentPage.listChildren() but this is listing the CUG enabled pages only if I login as an admin. If anonymous user hits the url for this jsp then the CUG enabled pages are not listed. Below is my jsp code:
Iterator<Page> itr = currentPage.listChildren();
while(itr.hasNext()) {
Page ctxPage = itr.next();
String url = hostName + ctxPage.getVanityUrl()+".html";
%>
<a href="<%=url%>"><%=url%><br/>
<%
}
}
I also tried logging-in to the workspace as an admin using the method described here, but it didn't work.
Any help is appreciated, Thanks!
I think this behaviour is intented - only users belonging to the user group specified as the CUG can view these pages.
Now it depends for what purpose you need to list those pages.
The easiest solution would be to add the "everyone" to the Admitted Groups in the CUG-Section of those specific page properties. But that's defeating the purpose of having CUG in the first place.
CAUTION: Doing so would allow "everyone" to access those pages - which might not be what you want.
ADDITION:
If you want to preserve access rights you need to go down to node level and access the repository directly.
Here it is shown how you can get a "Resource Resolver with admin rights":
https://cqwemblog.wordpress.com/2013/12/29/ways-to-access-jcr-repository-in-cq5/
You could then use this resource resolver to fetch your page and access it's children.
We have implemented custom roleprovider. This provide us to restricts access to parts of our site using roles. Now we have situation when two users have role Administrator. But one user1 can add comments, and user2 can not add comments(user1 and user2 have role Administrator).
What the best way to solve this problem?
Can we add roles like it Administrator.AddComment and put it in controller action?
How about using a Commentors role:
[HttpPost]
[Authorize(Roles = "Commentors")]
public ActionResult Create(Comment comment)
{
...
}
Add a 'SuperUser' role. The purpose of the roles are to group common access/privileges. I think you need to add a new role.