I would like to use Zend's ACL (Zend\Permissions\Acl) not (only) based on static roles but also on (variable) user points.
In my application every user has points. A resource has a minimum of points needed to view it. Access to a resource should be based on the number of points the user currently has.
Example
Resources:
Resource 1: 20 points
Resource 2: 100 points
Resource 3: 150 points
Users:
User 1: 70 points => Access to resource 1
User 2: 135 points => Access to resources 1, 2
User 3: 170 points => Access to resources 1, 2, 3
What would be the best way to do this?
My thoughts so far
Create ACL object dynamically for the currently logged in user based on his points (set each $acl->allow() based on points). This isn't clean.
Create a generic ACL and somehow pass the user's points (I managed to do it with assertions. See my answer below.)
Some (possibly easier/cleaner) way suggested here...
I would greatly appreciate a push in the right direction :)
So this is not just about Zend but working with ACLs in general.
Usually when you implement access rights in an ACL you assign it to a group rather than an individual user. Then you can easily (and dynamically) add or remove users from groups.
In Zend ACL you can think of these groups as the roles. In your case you assign the access rights for a resource to a group (or role) that represent a certain number of points. Now you only have to worry about moving users between these groups based on the points they have earned.
Okay, I tried to implement it myself. Maybe it's not pretty, but it's the best solution I came up with myself. Is this the right direction? I would appreciate any feedback!
Solution:
Instead of strings as resources and roles i use my models (suggested here). I use PointResourceInterface to mark resources that require a specific number of points and implement Zend\Permissions\Acl\Role\RoleInterface in my user class. Now I create a new NeededPointsAssertion:
class NeededPointsAssertion implements AssertionInterface
{
public function assert(Acl $acl, RoleInterface $role = null,
ResourceInterface $resource = null, $privilege = null) {
// Resource must have points, otherwise not applicable
if (!($resource instanceof PointResourceInterface)) {
throw new Exception('Resource is not an PointResourceInterface. NeededPointsAssertion is not applicable.');
}
//check if points are high enough, in my app only users have points
$hasEnoughPoints = false;
if ($role instanceof User) {
// role is User and resource is PointResourceInterface
$hasEnoughPoints = ($role->getPoints() >= $resource->getPoints());
}
return $hasEnoughPoints;
}
}
PointResourceInterface looks like this:
use Zend\Permissions\Acl\Resource\ResourceInterface;
interface PointResourceInterface extends ResourceInterface {
public function getPoints();
}
Setup:
$acl->allow('user', $pointResource, null, new NeededPointsAssertion());
Users have access to resources that need points. But additionally the NeededPointsAssertion is checked.
Access:
I'm checking whether access is allowed like this:
$acl->isAllowed($role, $someResource);
If there's a user $role = $user otherwise it's guest or something else.
Inspiration is from http://www.aviblock.com/blog/2009/03/19/acl-in-zend-framework/
Update: Looking back at it now, it would have also been possible to add the needed points via the constructor and store it as an attribute. Decide for yourself and what makes sense in your application...
Related
I am getting an error when trying to add AppRoleAssignment for a user:
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"One or more properties are invalid."},"date":"2017-10-21T14:49:42","requestId":"3aacf13e-5620-40da-8fd0-fb2d4130f171","values":null}}
When i use an actual ApproleId, everything works fine. However, when i set
AppRoleAssignment.Id = new Guid(); i get the above error;
This does not make sense, because the documentation says that this is allowed
by setting zero GUID and the same has been stressed in other posts on SO.
What am i missing here?
Full code:
AppRoleAssignment appRoleAssignment = new AppRoleAssignment()
{
Id = new Guid(),
ResourceId = Guid.Parse(servicePrincipal.ObjectId),
PrincipalId = Guid.Parse(user.ObjectId),
PrincipalType = "User"
};
user.AppRoleAssignments.Add(appRoleAssignment);
await user.UpdateAsync();
Based on my experience, there are two scenarios we may get this issue.
First, if there is customize roles in the service principal you want to assign the default role.
Second, if we have already assigned the default role to that person before.
Please check whether you are in one of these two scenarios and let me know if you still have the problem about this issue.
Just a question to poll how you guys would tackle this in Laravel:
I have a user preferences page defined in UserController.php which creates the view at user/preferences.blade.php.
Administrators should of course be able to edit the user's preferences and have some extra administrative fields shown to be changed. Furthermore I'd like to collect all admin functionality concerning users in a separate controller called AdminUserController.php
I'm thinking of some possibilities to achieve this functionality:
Create an additional view (e.g. admin/user/preferences.blade.php) and almost replicate the GET and POST methods of UserController.php to accommodate the extra fields. However this seems to me like a lot of redundant code...
Convert the GET and POST methods of UserController.php to something like this:
public function postPreferences($user = NULL, $admin = FALSE) {
if (!isset($user)) $user = Auth::user();
// Process regular fields.
if ($admin) {
// Process admin fields.
}
}
Add the admin fields to user/preference.blade.php and conditionally show them if $admin is TRUE, and then call the UserController's methods from within AdminUserController, e.g.:
public function postPreferences($user) {
return (new UserController)->postPreferences($user, TRUE);
}
However, there are some drawbacks. First: controllers shouldn't call each other... Second: this only works for the POST method. Upon requesting the GET method from UserController an exception is being thrown...
I'm curious about how you would tackle this!
Thanks.
This is mostly a question of preference, but I really suggest you to completely separate all that is possible here. Administration is a process that is very sensitive and not in any way should it be possible, that a normal user will be able to see it under any circumstance.
I believe that we all are humans and we make mistakes more or less often, that's why we need to make sure that our mistakes in not assigning right value to the right variable or making a type of = instead of == not to ruin business logic.
I think you should make a separate view and a separate controller for user self management and administration and never tie them up. If you want to keep your code DRY as much as possible, you may extend your user controller and model from your admin controller and model, but not the other way around. That's just my 2 cents, it all depends on what type of application you are working on and what the stakes are.
<?php
class AdminController extends UserController
{
public function __construct(AdminModel $model)
{
// Use dependency injection
$this->model = $model;
}
// In the original UserController class:
public function postPreferences($user) {
$this->model->edit($user, Input::all());
// you may do it this way so your user only saves user data and
// you admin model saves all the data including administrative
}
// ...
}
I've been working on this for sometime now, and I keep running into a wall. I think I'm close, but I figured someone out here in the land of SO might have some deeper insight if not a better way of doing what I'm trying to do.
Basically lets look at this scenario. I have a logo w/ some text that can be set from a few different places. If we look at the setup here is what it looks like.
Hiearchy:
Homepage [has designPath]
- Child Microsite Page [has designPath]
- Logo Component
Logic Flow (in logo component):
if properties.get("logoText") {
use this
} else if currentStyle.get("logoTextFromStyle") {
use this
} else if parentStyle.get("logoTextFromGlobal") {
use this
} else {
be blank
}
My query is with how to get the "parentStyle" of this page. Looking at the docs here: http://dev.day.com/docs/en/cq/5-5/javadoc/com/day/cq/wcm/api/designer/Style.html
I've been able to come up with the fact that I can get a Style object from the "designer" object made available via defineObjects. This is defined with the other utility objects like "pageManager, resourceUtil, resource, currentPage, etc".
With that being said this doesn't seem to work.
//assuming we have getting homePage earlier and it is a valid cq Page resource
Resource homePageResource.slingRequest.getResourceResolver().getResource(homePage.getPath());
Style homePageStyle = designer.getStyle(homePageResource);
at this point homePageStyle is null. To do some more testing I i tried passing currentPage.getPath() instead of homePage.getPath(). I assumed this would give me the currentPage resource and would in end yield the currentStyle object. This also resulted in a null Style object. From this I think I can safely conclude I'm passing the incorrect resource type.
I attempted to load the the cq:designPath into the resource hoping to get a Designer resourceType but to no avail.
I am curious if anyone has run into this problem before. I apologize if I've gone into too much detail, but I wanted to lay out the "why" to my question as well, just in case there was a better way overall of accomplishing this.
I've figured out how to return the style. Here is the rundown of what I did.
//get your page object
Page targetPage = pageManager.getPage("/path/to/target");
//get the Design object of the target page
Design homePageDesign = designer.getDesign(homePage);
//extract the style from the design using the design path
Style homePageStyle = homePageDesign.getStyle(homePageDesign.getPath());
it's very interesting the definition of "getStyle" is a little different from the designer.getStyle vs a Design.getStyle. designer.getStyle asks for a resource whereas Design.getStyle will take the path to a Design "cell" and return the appropriate Style.
I did some testing and it looks like it does work with inherited Styles/Designs. So if my cq:designPath is set at level 1 and I look up a page on at level 2 they will return the Design/Style at the cq:designPath set at level 1.
I hope this helps someone else down the way.
I tried this approach but was not getting the Styles in the Style object.
When we do this:
Design homePageDesign = designer.getDesign(homePage);
In this Design object we get the path till the project node i.e etc/design/myproject
After this if we try to extract the Style from the design path we do not get it.
However I implemented it in a different way.
In the design object, we also get the complete JSON of designs for(etc/design/myproject).
Get the sling:resourceType of the target page and get the value after last index of "/".
Check if this JSON contains the last value. If it contains, you can get your styles, i.e. image, etc.
I want to customize Surf Platform Root-Scoped API specifically user object. That means add new property or method to user object to check the user is in certain group in header.inc.ftl [in share] like `<#if user.isAdmin>
How can I implement this?
Is Alfresco Root Scoped Objects can be used as Surf Platform Root-Scoped object?
I have no idea of customizing surf platform root object. Can anyone help me???
Not quite sure what you are trying to accomplish, but the role security model is hardcoded in spring-surf/spring webscripts. There is guest, user and admin. If what you want is another analogous role you'll have to hack the spring-surf libaries, namely:
org/springframework/extensions/surf/mvc/PageView.java
org/springframework/extensions/webscripts/ScriptUser.java
org/springframework/extensions/webscripts/Description.java
org/springframework/extensions/webscripts/connector/User.java
This is what I had to do to implement user.isEmployee. This approach allows you to literally treat your new role just as the others.
you can use
<authentication>employee</authentication>
in page descriptors or
<item type="link" permission="employee" id="people">/people-finder</item>
on the navigation.
Just checking whether the user is in a certain group in a certain webscript is a whole diffrent story and does not provide the same functionality.
If what you want is the latter, you should make a call to
/alfresco/service/api/groups/{shortName}
miss
and works through the response.
Update: The item permission attribute requires a little more tweaking.
In header.get.js, propagate the new role to it gets processed properly in header.inc.ftl:
model.permissions =
{
guest: user.isGuest,
admin: user.isAdmin,
employee : user.isEmployee
};
you could try (in JavaScript I managed something like) this:
user = Application.getCurrentUser(context);
String userName = user.getUserName();
user.isAdmin() >>> result return true if user logining is admin
or in JSP:
#{NavigationBean.currentUser.admin == true}
Sorry, i noticed now you was talking about Surf Platform root objects, but the link you put there, is deprecated for Alfresco versions above 3.3. You still use something so old?
If you manage to use JavaScript API's you could use "person" root object, with boolean isAdmin().
Hey guys, I'm starting with Zend, and trying to understand the way it works (getting there), and with Acl classes, people seem to declare all the roles and resources in one file. Now to me this seems a bit of a waste of system resources if the person is only logging in as a basic user, or even just a guest/visitor to the site. So I was thinking is it possible to have different classes which set the roles dependant on the role/resource of the current user.
My current idea is to use switch/case on the role in the bootstrap, and load individual Acl classes based on the role name (for example sake, 'visitor' => 'Model_VisitorAcl', 'users' => 'Model_UserAcl' and 'admin' => 'Model_AdminAcl'), each with a corresponding class file. Then within the class files do something for each one. This is working, and currently I could define all my 'admin' acls in one (backtracking through the rights heirarchy of admin-user-visitor), then in 'user' have 'user'-'visitor' roles and resources.
However this doesn't seem the best way, as if I wanted to change the role permissions for 'user' I'd need to change it for 'user' and 'admin'. This is obv not a problem with 2 roles, but on bigger systems it obviously is.
So I tried something like
class Model_AdminAcl extends Zend_Acl{
function __construct(){
$d = new Model_UserAcl();
//defining the admin role and permissions, with inheritance from the roles
//set in Model_UserAcl
}
}
To try and get the Model_UserAcl construct function to run, thus setting the role 'user', however this does not seem to work, throwing "Uncaught exception 'Zend_Acl_Role_Registry_Exception' with message 'Parent Role id 'users' does not exist'"
error.
So whats the next step? Having individual include files for each module, and have the required classes include them as needed?
Or am I just making mountain out of molehills with this issue?
Thanks,
Psy
Ok, solved this, not sure why I didn't think to try this in the first place (Friday brain frazzle I think)
I just put the contents of the constructor into its own function, and then called that function in the constructor, and make the classes inherit from the class below it.
//Model/VisitorAcl.php
class Model_VisitorAcl extends Zend_Acl{
function __construct(){
$this->addVisitorRules();
}
function addVisitorRules(){
//adding the role and permissions
}
}
//Model/UserAcl.php
class Model_UserAcl extends Model_VisitorAcl{
function __construct(){
$this->addVisitorRules();
$this->addUserRules();
}
function addUserRules(){
//adding the role and permissions
}
}
//Model/AdminAcl.php
class Model_AdminAcl extends Model_AdminAcl{
function __construct(){
$this->addVisitorRules();
$this->addUserRules();
$this->addAdminRules();
}
function addAdminRules(){
//adding the role and permissions
}
}
If this is not the way I should go about it, then by all means please let me know.
Psy