'default_role' => 'guest',
'authenticated_role' => 'user',
'identity_provider' => 'BjyAuthorize\Provider\Identity\AuthenticationIdentityProvider',
I have the previous default roles defined and Developer Tools shows that they're taking, however, Developer Tools is showing my logged in authentication (for a User which does not have a role defined) to be undefined. Shouldn't the default become user, unless I choose to overwrite it?
So confused by this module. Maybe it's because I'm also using Mongo ODM with it.
Edit:
I've figured out how to add the default role that I want via a hook into ZfcUser registration, but I still feel like I shouldn't need to do that.
Related
In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and after reading this SO post, came to know that although you can disable/hide fields in ftl, you cannot disable form validation
For e.g I hid firstname field , but still cannot submit. Same was the result with disable as well:
I am not aware about disabling a particular field in some other way. However there is a workaround in which you can disable the entire account modification flow (Password can still be changed by Forgot Password option).
Bu default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be, the account page will be inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last
name in the account manager page. Is it possible to disable this
behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile.
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully
supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the according Realm;
Go to the tab General;
Set User Profile enabled to ON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official keycloak documentation (link)
You can use readonly property to disable email you can just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>
Within the multi-user application I have in my View index.phtml:
<a href="<?php echo $this->url( array( "module" => "myModule", "controller"
=>"myController","action" => "edit", "id" => $objThings->thingsid),
'default', TRUE )?>
Clicking this link will lead to the url:
http://website/mymodule/mycontroller/edit/id/228
where user can edit the record.
Once logged in a user could copy this url and change the parameter to 229 or 130 etc. and get access to information from other users.
What is the best practice to prevent this, set authentication on the level of records and deny access to records of other users? (Of course the records have a userid).
Hiding the parameters in the url would be a step to not tempt a user, suggestions for this are welcome.
Necessary is also authentication on module/action level.
I have been searching but can not seem to find the solution.
Do both. If you want to edit a logged in users profile details, you don't need the id in the URL as you already know who they are.
Then, in your update code, only allow them to update their specific data.
If you have a logged in user, you may well have an object you have for them which will make updating their data easy (depending if you are using ActiveRecord or something else), otherwise ensure you use id in your SQL.
I have configured request tracker4 to be an interdepartmental helpdesk solution. The current setup is that users will login to RT using LDAP. Once logged in there account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select then put in the users DN name and clicking add I then have to check the box "Let this user be granted rights (Privileged)" I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when new user logs in they are indeed created in the database. But with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)
I'm using devise/omniauth to do facebook authentication and works great. However, I would like to add a flow where an existing (non-facebook) user has ability to connect his account with facebook. This would require different facebook permissions. so i can't seem to find two things
how to use devise/omniauth to request facebook connect without logging out current user
request different extended permissions from user (different from those specified in the devise configuration file)
any ideas? thanks
Answer to 1 is pretty easy: just add a if path into the omniauth_callbacks_controller::process_callback method like this
# If a user is signed in then he is trying to link a new account
if user_signed_in?
if authentication.persisted? # This was a linking operation so send back the user to the account edit page
flash[:success] = I18n.t "controllers.omniauth_callbacks.process_callback.success.link_account",
:provider => registration_hash[:provider].capitalize,
:account => registration_hash[:email]
else
flash[:error] = I18n.t "controllers.omniauth_callbacks.process_callback.error.link_account",
:provider => registration_hash[:provider].capitalize,
:account => registration_hash[:email],
:errors =>authentication.errors
end
redirect_to edit_user_account_path(current_user)
This is what I do in my application and it works fine.
Regarding question 2 I do not know how to support 2 different facebook authentication configurations however I have hard time seeing how that is useful to users since they need a consistent experience across both path: "sign in using facebook" and "link your account to facebook".
(If you still want to pursue this path one idea I would explore is to create a new facebook application with its independent keys and configuration...)
Hope this help.
One simple way to implement multi-tier permissions is to use Facebook Javascript SDK(in addition to omniauth, if you want). You can simply specify different "scope" parameter, which specifies permissions required, at each call you want. What I'm doing is making omniauth provide a basic set of permissions, then, after the user has connected through omniauth(and thus stored their data in our DB), if further permissions are needed, we show them JS-based buttons which provide expanded sets of permissions. If you want to check what particular permissions a user has granted to you, you can simply use me/permissions API call.
Working from the Bugzilla API, I've written a quick Perl script to clone a Bugzilla Product (recreating all the Components under their new Product). The Bugzilla Perl API is quite easy to use from the command line. I could have just worked on the database directly, but I wanted a longer-term solution. Another option was the webservice, but I thought I'd try using the API directly this time.
The one problem I'm running into is authenticating as my Bz admin user so I can create the new components. Looking at Bugzilla's Bugzilla.pm file, I see that they just run login() from a Bugzilla::Auth object. I'm not sure how to get the username and password in there. I suppose I could just add the script to the Bugzilla admin interface...
Can any of you point me in the right direction?
Oh, I'm being rather ignorant today, I focused on "web services" and didn't understand what you really wanted.
If you're just using the API to communicate with the database (as opposed to manipulating the database directly), do you really need to authenticate as any user at all?
In the 3.2 source tree, look at merge-users.pl for instance, which uses Bugzilla::User objects. Couldn't you do the same with Bugzilla::Component?
You should also look at sanitycheck.pl, which uses Bugzilla->set_user.
There's been some significant upgrades in the web services capabilities since 3.2, can you upgrade?
In 3.6 at least, check out contrib/bz_webservice_demo.pl for how to use the User.login method.
http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/User.html
The following code snippet might enter the question.
Here we check also that the user has the correct "editcomponents" credential.
my $user = new Bugzilla::User({ name => $login })
|| ThrowUserError('invalid_username', { name => $login });
# Authenticate using this user account.
Bugzilla->set_user($user);
$user->in_group('editcomponents')
|| ThrowUserError("auth_failure", {group => "editcomponents",
action => "add",
object => "products"});