I have resources to which I want to bind visibility for many roles of user. How can I bind the Zend_Auth with the Zend_ACL and get resources from the database.
There are more than plenty of ways to accomplish what your doing... Presuming you already have an ACL class created in your library and another class that does the actual verifying, I like to store the actual roles/resources in a config file and just load it in during bootstrap, then using the ACL class to iterate through and create the roles and resources.
Like I said there's plenty of places to find this, one would be here on SO Need guidance to start with Zend ACL
I would also suggest, that with any site you find info or a tutorial on - start with the actual documentation first: http://framework.zend.com/manual/en/learning.multiuser.html
The learning curve is the hardest boundary with it, but once your past it gets simpler.
I hope that helps even slightly.
Related
I'm having a bunch of apis which return several types of data.
All users can query all data by using a GET rest api.
A few users can also change data. What is a common approach when designing REST API, to query only the data that can be changed by the current user but still allow the api to return all data (for display mode).
To explain it further:
The software manages projects. All projects are accessible for all users (also anonymous) via an api (let's call it GET api/projects).
A user has the ability to see a list of all projects he is involved in and which he can edit.
The api should return exactly the same data but limited to the projects he is involed in.
Should I create an additonal parameter, or maybe pass an http header, or what else?
There's no one-size-fits-all answer to this, so I will give you one recommendation that works for some people.
I don't really like creating resources that have 'complex access control'. Instead, I would prefer to create distinct resources for different access levels.
If you want to return limit results for people that have partial access, it might be better to create new resources that reflect this.
I think this might also help a bit thinking about the abstract role of a person who is not allowed to do everything. The abstraction probably doesn't exist per-property, but it exists somewhere as a business rule.
I'm new to MVC and currently working with MVC6 (EF7, Identity3, VS2015)...
I would like create two different/independent WebApps in one company domain (in different sub domains).
I would like use common/shared identity/login system for both Apps - in different words I would allow user to have one account across both Apps.
I do not have option for domain authentication (the company doesn't use the domain - I know it's weird), so I must? use Individual User Accounts...
What is the best way/practice to create and use common user account across multiple apps ?
In first place I thought about creating two different DBContext in both App: one for Identity (Users DB) and second for App-Related Db...
Such an approach would give me three different databases:
IdentityDb - common for both WebApps,
App1Db
App2Db
However I have doubts if it's good practice and the best way ?
Probably will be enough one DBContext with proper configuration, but I don't have idea where I should start.
I have read about SSO (Single Sign On) - but as far I understand it's about Authentication process, so it's little bit later - so I'm not sure about this direction.
Anyway can't find example how to create common user account/profile across multiple apps.
UPDATE:
My original question is probably too open... I would like ask not only 'what to do' but also 'how to do in MVC6'...
So my additional question is: how can I achieve this in MVC6? What I have to do? Perhaps some example?
If I decide for a separate User DB - then from the point of view of the application I will have two DB? What to do with this in code? Should I create two separate DBContexts - or just one?
Also I have read few opinion here on SO, that using only one DbContext is better and simpler option...
Anyway I have try yesterday works with 2x DBContext - everything works when I create new controller for IdentityDbContext, but I have error when trying create any controller for second DBContext (not associated with Identity)...
(I've put description of this error to new question: MVC6 Working with two DBContexts and error when create new controller)
Thanks in advance for any advice :)
The answer to your question if having three databases is the best way, is: It depends.
The answer to wether or not this is a good practice is irrelevant.
Let me elaborate.
The notion of every app having its dedicated database stems from old fashioned thinking. Big enterprise architectures are made up of all kinds of persistence storages, each chosen to do what it can do best. So it has nothing to do with good practices. You should store the data where it is suited best. Have a look at Domain Driven Design and Bounded Contexts in particular to get a better understanding of what I am talking about.
So the question if you need three databases, if in your particular situation this is the best option, then that is what you should do. To make this answer complete I' ll describe our situation. We have an old user database with users in it. We can't get rid of it untill all web apps have been phased out. To minimize the effect it has on our customers. So for our new web apps we only use this old database for the users and use azure storage for everything else we need to store. In other words, conceptually our situation is like what you describe. A seperate storage for the users that all other web apps use.
sounds like a good solution to the problem to you?
Update
As to MVC6, Identity Server 3 specific. ID server 3 has the ability to use custom User Service which allowes you to couple any user storage you want. Here are the details: https://identityserver.github.io/Documentation/docs/advanced/userService.html. This is exactly what we have done.
As for your other question; we will put the users in Azure Table Storage probably and retrieve it from there via IdentityServer4 when all old apps are gone. Right now there is nothing left in the legacy MySQL DB but users for us. But there are some old apps still using it, so...
Does this answer your questions?
In previous version of ASP.NET Identity (2) sharing identity cookie across subdomains was the sloution. I'm not sure about ver 3 but you can test it:
change Identity config in Configure method of Startup class:
services.AddIdentity<ApplicationUser, IdentityRole>(config =>
{
config.Cookies.ApplicationCookie.CookieDomain = ".domain.com";
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
I am new to Zend and still learning.
I need to read some configuration data from the database and keep it in session. I want this data in all the pages, so I need to intercept all the request and check if the session contains the required data, if not I will fetch it from the database and put it in the session.
I would like to know the best place to put the code in. In Java we used to check that in a filter. I am guessing here I have to put this is in an Action Helper. Just wanted to check what options I have and what are the best practices.
Thanks for any suggestions.
for that purposes you may use Zend_Registry singleton class for providing accessibility of session data from every point of ZF-project. For storing session data there are also several classes, e.g. Zend_Session class
I would definitely put this in a Controller Plugin class. eg.
Application_Controllerplugins_SessConfig extends Zend_Controller_Plugin_Abstract
This way you can catch the request early on, and do whatever you want with the data...
This is another answer of mine on SSL routing, but the logic is the same for the plugin class: How to implement SSL in Zend MVC
i am about to implement a similar solution whereby an application instance (which is to be rolled out to various customers) needs certain settings-data to be editable by admin via cms and thus am storing it in the db. i am then going to retrieve and add these settings [as a sub-object] to the config class (which in turn is added to the registry in the bootstrap. this seems like the cleanest solution to me as then all config data are stored in the one place, regardless of their source being an ini file or the db.
i'd be interested to hear other opinions on how this is done.
rob ganly
I'm currently working on a project with Zend Framework & Doctrine 2, I'm really happy with both of those tools, but I'm wondering on how work with this special User object, which shares database data, session data (authorization, paramaters, acl, etc..)
I often see this kind of implemtation :
if (User::isConnected())
The problem for me is that my User class, is an entity which is used by Doctrine, well it's not a problem, but it may add some business logic if my User has some complex role and/or privileges.
By the way, I don't know why (just a feeling, maybe wrong) but it doesn't look like a good idea, I'm pretty sure it has design limits.
Currently my idea, is to use a UserService, I already try to use such layer for my other entity and it looks really interesting.
What about something like :
$service = new UserService($entityManager);
if ($service->isUserConnected($user))
It may let me use another service, like IdentificationService which may stores "user" (or any other "resource" which may be authorized) into session and check for authorization.
The same could apply to AuthorizationService with method like :
$service->isAuthorized($user, $resource, $action)
Do you have any feedback on this kind of implementation? And/or any examples?
What are your thoughts?
Thank you.
You're right to think about some kind of service, separate from your User entity, to manage this stuff. The entity shouldn't know about data access, etc.
Have a look at Zend_Auth. You'll want to create Zend_Auth_Adapter to work with Doctrine2. A little googling turned up this example, which might be instructive. Zend_Auth is nice and simple, and works nicely with the Zend_Acl stuff for managing authorization, once you have authenticated your users.
I am designing a to-do list manager for the iPhone using GAE as the back end. My end goal is to create user sharable lists, and I was looking for some advice/examples of how to go about designing something like that. I know the google user API provides functionality for authenticating users, but from what I can tell any additional user management would be something I would need to implement myself.
Can something like this be done by simply adding usernames to a list that is a property of the data I want to share? I am guessing I am oversimplifying things, but any suggestions would be appreciated.
Thanks
you're right, app engine doesn't have any built in support for user ACLs or permissions, and a few quick web searches didn't immediately turn up any obvious open source libraries.
how to implement full-fledged permissions and ACLs for group sharing is definitely a nontrivial design question. there are a number of other questions here about it.
having said that, as a very rough first pass, you're probably on the right track with storing lists of users. i'd suggest that you abstract the list into separate Group entities, and attach those to yor data instead, so that users can define groups once instead of for every piece of data. i'd also consider storing separate lists of groups that can read vs write. finally, i'd store User properties in the group entities, instead of string usernames or email addresses.