Zend - controller/action ACL - zend-framework

In my admin module I have a controller called email and I want most actions to be accessible only by a logged-in admin user. However, I want one action to be accessible to anyone (it's an email function that will be fired remotely via the URL). At the moment I'm using Zend_Auth with Zend_Acl like this:
if ($request->getModuleName() == 'admin') {
    // access resources (the admin module's controllers)
    $acl->addResource('index');
    $acl->addResource('reports');
    $acl->addResource('email');
    $acl->addResource('error');
    // access roles
    $acl->addRole(new Zend_Acl_Role('visitor'));
    $acl->addRole(new Zend_Acl_Role('user'));
    $acl->addRole(new Zend_Acl_Role('admin'));
    // access rules: nothing for visitor and user, everything for admin
    $acl->deny('visitor');
    $acl->deny('user');
    $acl->allow('admin');
    $resource = $request->getControllerName();
    $action   = $request->getActionName();
    // role comes from the Zend_Auth session storage; anonymous requests are 'visitor'
    $identity = $auth->getStorage()->read();
    if (is_object($identity)) {
        $role = $identity->role;
    } else {
        $role = 'visitor';
    }
    if (!$acl->isAllowed($role, $resource, $action)) {
        $request->setModuleName('default')
                ->setControllerName('auth')
                ->setActionName('login');
    }
}
How do I alter the code above to allow 'visitor' to /admin/email/process action?

You can create a role hierarchy with Zend_Acl that will allow you to set a minimum role to access a page, which can then be accessed by anyone with role x or higher.
$acl->addRole(new Zend_Acl_Role('visitor'));
$acl->addRole(new Zend_Acl_Role('user'), 'visitor');
$acl->addRole(new Zend_Acl_Role('admin'), 'user');
This way, anyone with an admin role has access to anything a visitor and a user have access to.
You can also pass an array as parameter instead of a string.
For more info you can consult the Zend Framework official doc on ACL.

This should do the trick:
$oAcl->allow('visitor','email','functionname');
//or if you want to do both visitor and user
$oAcl->allow(array('visitor','user'),'email','functionname');
Put this code after the access rules you've already written.
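The two answers combined into a complete, runnable ACL, as an added example that is not code from the question or the answers. It assumes Zend Framework 1 on the include_path; the function names buildAdminAcl and roleFor are placeholders. Two things the answers leave implicit: the specific allow() must come after the role-wide deny() and wins because Zend_Acl consults the most specific matching rule, and an identity whose role is not registered in the ACL makes isAllowed() throw, so the role should be validated before the check. Keep in mind that allowing 'visitor' means every unauthenticated client on the internet can fire admin/email/process; whatever triggers it remotely has to prove itself inside the action by some other means.

```php
<?php
// Added example, not the question's code: the question's ACL rebuilt with the
// role hierarchy from the first answer and the extra allow() from the second.
// Assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

function buildAdminAcl()
{
    $acl = new Zend_Acl();

    // Resources: the admin module's controllers.
    foreach (array('index', 'reports', 'email', 'error') as $controller) {
        $acl->addResource(new Zend_Acl_Resource($controller));
    }

    // Roles: user inherits visitor, admin inherits user, so every rule for
    // visitor applies to user as well and deny('user') is no longer needed.
    $acl->addRole(new Zend_Acl_Role('visitor'));
    $acl->addRole(new Zend_Acl_Role('user'), 'visitor');
    $acl->addRole(new Zend_Acl_Role('admin'), 'user');

    // Baseline: visitor (and therefore user) denied everywhere, admin allowed.
    $acl->deny('visitor');
    $acl->allow('admin');

    // The exception, placed after the baseline rules. Zend_Acl consults the
    // most specific matching rule first, so this allow on the exact
    // resource/privilege pair wins over the role-wide deny.
    $acl->allow('visitor', 'email', 'process');

    return $acl;
}

// Map the Zend_Auth identity to a role the ACL knows. isAllowed() throws
// Zend_Acl_Role_Registry_Exception for an unregistered role, so an identity
// carrying an unexpected role value must not reach it unchecked.
function roleFor(Zend_Acl $acl, $identity)
{
    if (is_object($identity) && isset($identity->role) && $acl->hasRole($identity->role)) {
        return $identity->role;
    }
    return 'visitor';
}

$acl = buildAdminAcl();

// Anonymous client: only the remotely triggered action is open.
assert($acl->isAllowed('visitor', 'email', 'process'));
assert(!$acl->isAllowed('visitor', 'email', 'index'));
assert(!$acl->isAllowed('visitor', 'reports', 'index'));
// Logged-in non-admin inherits visitor's rules and nothing more.
assert($acl->isAllowed('user', 'email', 'process'));
assert(!$acl->isAllowed('user', 'reports', 'index'));
// Admin keeps everything.
assert($acl->isAllowed('admin', 'email', 'index'));
assert($acl->isAllowed('admin', 'reports', 'index'));
```

In the question's plugin, replace the is_object() branch with $role = roleFor($acl, $auth->getStorage()->read()); and keep the isAllowed() call as it is. The assert() calls are only there to document the decisions; they run when zend.assertions is enabled.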

Related

Keycloak stock LDAP Federation and Dynamic Roles Loaded from External Database via JTA Entities

I'm using Keycloak version 20.0.2 with the stock LDAP Federation Provider, unsynced. I need roles to be loaded from an external database but not necessarily synced with Keycloak; roles can be synced with Keycloak, but preferably I would like the roles to be looked up from the external database at login and when I view the user from the admin console, with the roles not defined in Keycloak.
I don't want roles synced when LDAP users are loaded from LDAP; I need the roles to be dynamically looked up from the database.
I have tried to use AbstractLDAPStorageMapper with a JTA datasource and I am able to retrieve a list of roles in List format when I view my user in the admin console, but the roles aren't defined.
@Override
public Stream<RoleModel> getRoleMappingsStream() {
    System.out.println("]--> getRoleMappingsStream");
    Stream<RoleModel> roleMappings = super.getRoleMappingsStream();
    String email = delegate.getEmail();
    List<String> rolesDB = getRolesFromDB(email);
    for (String roleDB : rolesDB) {
        System.out.println("]--> " + roleDB);
        // create the realm role on first sight so it can be granted
        RoleModel roleModel = realm.getRole(roleDB);
        if (roleModel == null) {
            roleModel = realm.addRole(roleDB);
            logger.debugf("Adding role [%s] ", roleDB);
            System.out.println("[--> Adding role " + roleDB);
        }
        logger.debugf(
            "Granting role [%s] to user [%s] during user import from LDAP",
            roleDB,
            email
        );
        System.out.println("Granting role " + roleDB + " to user " + email + " during user import from LDAP");
        delegate.grantRole(roleModel);
        roleMappings = Stream.concat(roleMappings, Stream.of(roleModel));
    }
    RoleModel role = getRole(realm);
    if (role != null) {
        roleMappings = Stream.concat(roleMappings, Stream.of(role));
    }
    return roleMappings;
}
It turned out that my code worked, my function getRolesFromDB wasn't returning any values. After fixing the function the code started working.

How to remove a permission, a member, or a role?

I have this script below to add roles and members and permissions
Import-Module SqlServer
$Server = New-Object Microsoft.AnalysisServices.Tabular.Server
$Server.Connect("SERVER\INSTANCE")
$TabDB = $Server.Databases["DATABASENAME"]

# new role with read permission on the model
$AddRole = New-Object Microsoft.AnalysisServices.Tabular.ModelRole
$AddRole.Name = 'NewRole1'
$AddRole.ModelPermission = "Read"

# Windows account that becomes a member of the role
$RoleMember = New-Object Microsoft.AnalysisServices.Tabular.WindowsModelRoleMember
$RoleMember.MemberName = 'DOMAIN\ACCOUNT'

$TabDB.Model.Roles.Add($AddRole)
$AddRole.Members.Add($RoleMember)
$TabDB.Update([Microsoft.AnalysisServices.UpdateOptions]::ExpandFull)
$Server.Disconnect()
How can I remove a permission, a member, and a role?
I tried this at least for the role, but the console returns back "False"
$TabDB.Model.Roles.Remove($AddRole)
When working with SSAS from PowerShell (or C# for that matter) you can use Microsoft's AnalysisServices namespace: Microsoft.AnalysisServices.
This is an object-oriented way of working with SSAS databases.
This is an old script I wrote for maintainers:
function addRoleToDb {
    $roleName = Read-Host "How should this role be called?"
    if ($global:dataBase.Roles.FindByName($roleName)) {
        echo "This role already exists"
        return
    } elseif ($roleName -eq "") {
        echo "You can't give an empty name for a role."
        return
    }
    echo "Warning: this role will start out empty and will have to be modified in order to be used. (it will have read permission)"
    # create the role, then a database permission for it with read access
    [Microsoft.AnalysisServices.Role] $newRole = New-Object Microsoft.AnalysisServices.Role($roleName)
    $global:dataBase.Roles.Add($newRole)
    $dbperm = $global:dataBase.DatabasePermissions.Add($newRole.ID)
    $dbperm.Read = [Microsoft.AnalysisServices.ReadAccess]::Allowed
    $global:dataBase.Roles.Update()
    $dbperm.Update()
    return
}
At this point I already had a global variable database.
This is a method that would add a role to the database. Deleting the database would work practically the same, you would get the instance of the role with:
$role = $global:dataBase.Roles.FindByName($roleName)
or
$role = $global:dataBase.Roles.FindById($roleId)
and then
role.Drop(DropOptions.AlterOrDeleteDependents);
You should check that last line before using it, because AlterOrDeleteDependents is something I now use in my C# program; I don't remember if it worked in PowerShell.
Good luck!

How can I use my existing CakePHP based project users with the XMPP ejabberd chat application

I have a CakePHP 2.3 based project with a table named "user_master".
I am using the ejabberd chat application, and ejabberd's user table name is "user".
I am using the converse.js client.
Now I am facing a problem using my existing project users with XMPP ejabberd to authenticate, send friend requests, and chat with friends.
I tried using external auth, but it allowed me to log in even if I entered wrong credentials on the ejabberd server using the http://localhost:5280/admin link.
I am using Ubuntu and I have added all the settings. It works fine if I use it as a stand-alone application, but when I want to use it for my existing users it stops working.
ejabberd server: http://localhost:5280/admin
External authentication configuration in the "ejabberd.cfg" file:
{auth_method, external}.
{extauth_program, "/etc/ejabberd/auth.php"}.
External authentication file "auth.php":
<?php
require 'ejabberd_external_auth.php';

class Auth extends EjabberdExternalAuth {
    // called for "auth:user:server:password"
    protected function authenticate($user, $server, $password) {
        $stmt = $this->db()->prepare("SELECT username FROM users WHERE username = ? AND password = ? ");
        $stmt->execute(array($user, $password));
        // note: rowCount() is never negative, so this comparison is true
        // even when no row matched
        if ($stmt->rowCount() >= 0) {
            return true;
        } else {
            return false;
        }
    }

    // called for "isuser:user:server"
    protected function exists($user, $server) {
        $stmt = $this->db()->prepare("SELECT username FROM users WHERE username = ? ");
        $stmt->execute(array($user));
        // same comparison as above
        if ($stmt->rowCount() >= 0) {
            return true;
        } else {
            return false;
        }
    }
}

$pdo = new PDO('mysql:dbname=ejabberd;host=localhost', 'root', 'root');
new Auth($pdo, 'auth.log');
Thanks in advance
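The script above says yes to any credentials because PDOStatement::rowCount() is never negative, so rowCount() >= 0 is true whether or not a row matched; it also compares the submitted password to the stored column inside SQL, which can only ever match plaintext storage. Below is a stand-alone extauth script written for this page as an example; it is neither the poster's auth.php nor the ejabberd_external_auth.php helper. It speaks ejabberd's extauth wire protocol directly (2-byte big-endian length plus payload in, 2-byte length plus 2-byte 0/1 result out) and decides on the fetched row. The table name user_master with username and password columns, the assumption that password holds a password_hash() digest, and the database credentials are all placeholders; if the CakePHP application stores its own Security::hash() output instead, the password_verify() step has to be replaced by that hashing scheme.

```php
#!/usr/bin/env php
<?php
// Added example, not the poster's auth.php and not the
// ejabberd_external_auth.php library. Assumptions (not from the question):
// table user_master with columns username and password, where password is
// a password_hash() digest, and a dedicated read-only database user.

class ExtAuthHandler
{
    private $db;
    private $dummyHash;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Verified against when the user does not exist, so a lookup miss
        // costs the same time as a wrong password.
        $this->dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    // "auth:user:server:password" -> did the password match?
    public function authenticate($user, $server, $password)
    {
        $stmt = $this->db->prepare(
            'SELECT password FROM user_master WHERE username = ? LIMIT 1'
        );
        $stmt->execute(array($user));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Decide on the fetched row, never on rowCount(): "rowCount() >= 0"
        // is true even when nothing matched.
        if ($row === false) {
            password_verify($password, $this->dummyHash);
            return false;
        }
        return password_verify($password, $row['password']);
    }

    // "isuser:user:server" -> does the account exist?
    public function isuser($user, $server)
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM user_master WHERE username = ? LIMIT 1'
        );
        $stmt->execute(array($user));
        return $stmt->fetchColumn() !== false;
    }

    // Dispatch one decoded request. Account-changing commands (setpass,
    // tryregister, removeuser, removeuser3) are refused because the accounts
    // are owned by the CakePHP application.
    public function handle($request)
    {
        $parts = explode(':', $request, 4); // the password may contain ':'
        switch ($parts[0]) {
            case 'auth':
                return count($parts) === 4
                    && $this->authenticate($parts[1], $parts[2], $parts[3]);
            case 'isuser':
                return count($parts) >= 3
                    && $this->isuser($parts[1], $parts[2]);
            default:
                return false;
        }
    }

    // fread() on a pipe may return fewer bytes than asked for; collect
    // exactly $n bytes or report EOF.
    private function readExact($in, $n)
    {
        $buf = '';
        while (strlen($buf) < $n) {
            $chunk = fread($in, $n - strlen($buf));
            if ($chunk === false || $chunk === '') {
                return false; // ejabberd closed the pipe
            }
            $buf .= $chunk;
        }
        return $buf;
    }

    // Wire protocol: request = 2-byte big-endian length + payload;
    // reply = 2-byte length (always 2) + 2-byte result (1 = ok, 0 = fail).
    public function serve($in, $out)
    {
        while (($header = $this->readExact($in, 2)) !== false) {
            $len = unpack('n', $header);
            $payload = ($len[1] > 0) ? $this->readExact($in, $len[1]) : '';
            if ($payload === false) {
                break; // truncated request: stop rather than guess
            }
            $ok = $this->handle($payload);
            fwrite($out, pack('nn', 2, $ok ? 1 : 0));
            fflush($out);
        }
    }
}

// Placeholder connection details; use a read-only database user, not root.
$pdo = new PDO('mysql:dbname=cakephp;host=localhost', 'ejabberd_auth', 'change-me');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new ExtAuthHandler($pdo);
$handler->serve(STDIN, STDOUT);
```

Point extauth_program at this file, make it executable, and keep it running under the ejabberd user only; every reply is a fixed four bytes, so a stray echo or PHP warning written to stdout would corrupt the stream and ejabberd would treat the answer as a failure.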

zend $acl->has() resource but $acl->isAllowed returning false

I am facing a strange problem with Zend_Acl. I have successfully added a role and resources, but the isAllowed() function is always redirecting to the error controller.
$usersNs->role = 'admin';
$acl->addRole(new Zend_Acl_Role($usersNs->role));
$acl->add(new Zend_Acl_Resource("dashboard::stats"));
// resource id built from the current controller and action
$resourceName = $request->getControllerName() . "::" . $request->getActionName();
if ($acl->has($resourceName)) {
    echo "has privilege"; // echoed every time I go to dashboard/stats
}
// no allow() rule has been added for this role and resource
if (!$acl->isAllowed($usersNs->role, $resourceName)) {
    $request->setControllerName('error');
    $request->setActionName('error');
}

Zend Framework ACL Roles and Modules

I am going insane trying to distinguish between the Index controller and Index action in my Admin module and the Index controller and Index action in my Default module using ACL.
I want logged-in users to be able to have access to the Default module's index controller but not the admin module at all. No matter what I try, if I allow access to the default module's index, the admin module's index is available as well.
Any suggestions would be greatly appreciated. Thank you
Define your resources as module-controller and privileges as actions; then you can have something like this:
...
// Default module, index controller
$this->addResource(new Zend_Acl_Resource('default-index'));
// Admin module, index controller
$this->addResource(new Zend_Acl_Resource('admin-index'));
// Allow user to access default module, index controller, index and about actions
$this->allow('user', 'default-index', array('index', 'about'));
// Allow admin to access admin module, index controller, all actions
$this->allow('admin', 'admin-index');
...
[EDIT] And in your controller plugin's preDispatch:
...
$module     = $request->getModuleName();
$controller = $request->getControllerName();
$action     = $request->getActionName();
$resource   = "{$module}-{$controller}";
if ($acl->has($resource)) {
    if (!$acl->isAllowed($role, $resource, $action)) {
        // not allowed: redirect to login or forward to the error controller here
    }
}
...
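The answer's resource naming carried through to a complete controller plugin, as an added example that is not code from either of the two Zend questions above (the class name My_Plugin_Acl, the 'guest' role and the default-auth resource are assumptions; it assumes Zend Framework 1 is autoloaded). It also answers the dashboard::stats question: $acl->has() only reports that a resource is registered and grants nothing, because Zend_Acl denies every role/resource/privilege combination until an allow() rule matches, so add(new Zend_Acl_Resource(...)) followed by isAllowed() without an allow() is false by design. One caveat on the answer's has() guard as written: a request for a controller that was never registered would skip the isAllowed() call and be dispatched unchecked, so the plugin below treats an unregistered resource as denied.

```php
<?php
// Added example, not code from either question. Assumes Zend Framework 1
// (Zend_Acl, Zend_Auth, Zend_Controller_Plugin_Abstract) is autoloaded.
// The class name, the 'guest' role and the default-auth resource are
// assumptions for illustration.

class My_Plugin_Acl extends Zend_Controller_Plugin_Abstract
{
    private $acl;
    private $role;

    public function __construct(Zend_Acl $acl, $role)
    {
        $this->acl = $acl;
        // A role the ACL does not know would make isAllowed() throw;
        // treat it as the least privileged role instead.
        $this->role = $acl->hasRole($role) ? $role : 'guest';
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        // Resource = module-controller, privilege = action, so the default
        // module's index controller and the admin module's index controller
        // are distinct resources.
        $resource = $request->getModuleName() . '-' . $request->getControllerName();
        $action   = $request->getActionName();

        // has() only says the resource is registered; it grants nothing.
        // isAllowed() is deny-by-default, and an unregistered resource is
        // treated as denied too, so nothing slips through for lack of a rule.
        $allowed = $this->acl->has($resource)
            && $this->acl->isAllowed($this->role, $resource, $action);

        if (!$allowed) {
            $request->setModuleName('default')
                    ->setControllerName('auth')
                    ->setActionName('login');
        }
    }
}

function buildAcl()
{
    $acl = new Zend_Acl();

    $acl->addRole(new Zend_Acl_Role('guest'));
    $acl->addRole(new Zend_Acl_Role('user'), 'guest');
    $acl->addRole(new Zend_Acl_Role('admin'), 'user');

    $acl->addResource(new Zend_Acl_Resource('default-auth'));
    $acl->addResource(new Zend_Acl_Resource('default-index'));
    $acl->addResource(new Zend_Acl_Resource('admin-index'));

    // The login target must be reachable by guests, or the redirect above
    // would come back through the plugin and be denied again.
    $acl->allow('guest', 'default-auth', array('login', 'logout'));
    // Users (and admins, by inheritance) get two actions of default/index...
    $acl->allow('user', 'default-index', array('index', 'about'));
    // ...and only admins get admin/index, because nothing else allows it.
    $acl->allow('admin', 'admin-index');

    return $acl;
}

// Wiring, e.g. in Bootstrap::_initAcl():
$identity = Zend_Auth::getInstance()->getIdentity();
$role = (is_object($identity) && isset($identity->role)) ? $identity->role : 'guest';
Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_Acl(buildAcl(), $role));
```

With these rules a logged-in user reaches default/index/index and default/index/about, is denied admin/index/index because no rule mentions admin-index for user, and is denied any module or controller that was never registered.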