AUTHENTIK user groups - user-permissions

Is there any way to add user types/groups to authentik? In the current application we have several types of users, each with different rights, and we are adding authentik. I would like to enforce this also with authentik but don't seem to find any documentation on that.

Related

FOSUserBundle proper solution for team consist with multiple users

I am using FOSUserBundle in my Symfony2 project.
My goal is to make the teams consist of multiple users. Users are invited by the administrator (owner) by e-mail confirmation.
If a user belongs to one team, they can't set up new accounts using the same address. Of course, each user should have the opportunity to unsubscribe from the team.
Are there any ready-made solutions? I looked for Groups With FOSUserBundle.
Or do you have any good advice?
You were right, groups can be a good ready-to-use solution to make your logic.
The association is already setup and it's also easy to extend.
The documentation (now part of Symfony's doc) contains a great guide to use groups.
Of course, you can make your own entity, taking example from the FOSUB User->Group logic (association).
You should see the Security and Roles part of the documentation to manage authorisations of your different kinds of users.
You can assign roles to your different groups, and make your users directly inherit the roles of their group to manage access permissions.
For the confirmation email, see the corresponding documentation too.
And for the unsubscribing, just remove the association between the user you want to remove from a Group and the Group (or Team).
This is also part of the association, see the doctrine documentation.
Good use.

Asp.net allows users to see specific posts/content

I am implementing something like Facebook posts, but I only want to limit it for users Alice and Bob to see, but John can't see it. May I know what is the proper way to implement this? I tried googling but all I found is user based authorization, for IIS.
What I had in mind is to implement another table to add an allow list, so if the allow list is empty I assume all users' friends are allowed to see, but if there are users in the allowed list then only allowed users can see. However I think this might heavily increase the load of my db?

Alfresco: Folder permission by role

Problem: we have a space template that we use as a folder structure for share sites document library. Our aim is to make visible some folders to special users that have a custom role (created in sitePermissions.xml).
Generally we can do that with groups but we need to do that with roles (e.g. when we invite an external user, we wish to assign him to an internal role so he can automatically see some folders).
Please help us with some clues.
Short Version: You need to assign that role (i.e. Collaborator) to the user either directly or indirectly using a group.
Generally speaking, access on a node is controlled by access control lists where each list entry is a triplet (authority, permission, allow-or-deny). Groups and individual people are authorities, Roles are really just sets of permissions.
Alfresco "only" allows you to add/remove (allow-)entries by authority and permission/role.
At the end of the day, a user's role (on a space!) depends on whether he/she is assigned that role directly as {john,Collaborator} or indirectly via {group_containing_john, Collaborator}. Furthermore this assignment (which sticks to a node) propagates through the space hierarchy unless inherit permissions is disabled.
It's possible but you don't want to go there like Andreas is suggesting. Even Alfresco's own (older way) of site permissions is the same. The site_manager, site_collaborator etc. are system groups which Alfresco creates and if you're in one of those groups you'll have your permission within the site.
OK, if you still insist, here is the way to go.
There are 2 repository webscripts to get the Documentlibrary (not counting other ways like search, document-details, etc.)
alfresco\templates\webscripts\org\alfresco\slingshot\documentlibrary-v2\doclist.get
alfresco\templates\webscripts\org\alfresco\slingshot\documentlibrary\treenode.get
Open the corresponding .js files (override them). When looping through the items get all the permissionset for the node, then match the permission to the one you need. If it's true go through and if it's false don't add it.
Then again I want to state that this is a heavy operation, so if you have a huge folder collection and you're doing this with like 100 concurrent users, the users won't be happy with the performance.
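The ACL model described in the two answers above (authority/permission/allow triplets, roles granted directly or through a group, inheritance down the space hierarchy, and the per-item role filter), sketched as an added example that is not part of the original posts and is not Alfresco code. It is a simplified stand-alone model; every node, group, user and function name in it is constructed for illustration.

```javascript
// Simplified model of the ACL behaviour described above; NOT Alfresco's API.
// All names (nodes, groups, users, function names) are constructed for illustration.
const groups = { GROUP_external_partners: ["john"] };

// Each node: parent, inherit flag, and ACL entries as (authority, role, allow) triplets.
const nodes = {
  site:      { parent: null,   inherit: true,  acl: [{ authority: "alice", role: "Manager", allow: true }] },
  public:    { parent: "site", inherit: true,  acl: [{ authority: "GROUP_external_partners", role: "Consumer", allow: true }] },
  contracts: { parent: "site", inherit: true,  acl: [{ authority: "GROUP_external_partners", role: "Collaborator", allow: true }] },
  hr:        { parent: "site", inherit: false, acl: [{ authority: "bob", role: "Collaborator", allow: true }] },
};

// A user's authorities are the user name plus every group containing the user.
function authoritiesOf(user) {
  const result = new Set([user]);
  for (const [group, members] of Object.entries(groups)) {
    if (members.includes(user)) result.add(group);
  }
  return result;
}

// Collect roles granted on a node, walking up parents until inheritance is disabled.
function rolesOn(nodeId, user) {
  const auths = authoritiesOf(user);
  const roles = new Set();
  for (let id = nodeId; id !== null; ) {
    const node = nodes[id];
    for (const entry of node.acl) {
      if (entry.allow && auths.has(entry.authority)) roles.add(entry.role);
    }
    id = node.inherit ? node.parent : null;
  }
  return [...roles].sort();
}

// The per-item filter from the second answer: keep only folders where the user holds the role.
function visibleFolders(folderIds, user, requiredRole) {
  return folderIds.filter((id) => rolesOn(id, user).includes(requiredRole));
}

console.log(visibleFolders(["public", "contracts", "hr"], "john", "Collaborator"));
console.log(rolesOn("hr", "alice"));
```

Because `hr` has inheritance disabled, the Manager entry on `site` does not reach it, which is the case to check for when a folder is meant to stay hidden from roles granted higher up.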

Why not to allow changing usernames?

There are several services which allow change of usernames frequently like Twitter, LinkedIn etc. Some others have very limited options (example: Facebook for two times). And the rest do not allow changing usernames.
The major reasons I can understand are that records are kept against usernames and the URLs are cached by search engines against the username. But to solve the first problem, which is very vital, applications can use userid instead of username.
Are there any other important issues/reasons for which I should consider disallowing changing usernames?
the main issue is social engineering. people associate a reputation with a name (both the user with the name, and the people who interact with them). if you allow names to change then there is less social pressure to preserve a good reputation and more "bad behaviour".
it's all about coercing users to invest social status in a persistent identity. technically they could implement a system that supports name changes (for example, you could use an arbitrary, unique, auto-generated ID to represent the user in the database/cache/file system and display some (user modifiable) string from the database when showing the name in a web page).
There are technical reasons behind some sites disallowing name changes, such as if the users have the ability to store files, changing the username may break it if the file paths are based on the usernames. However, a good implementation uses user IDs instead, and avoids such things. For the most part, it's a social matter of keeping a permanent link between a user's name and an account. Giving the user the ability to switch names gives other users the ability to impersonate them, or steal their name, and makes it difficult to find people sometimes.
I'd also like to note that there is a difference between login usernames, and nicknames. What you are calling 'username' is more so a nickname if it can be changed, and usually sites that let you 'change your username' are only letting you change your display name - your login remains the same. Steam is a good example of this, it allows you to change a nickname, but your login name can never change.
I recently came across this dilemma of whether to allow users to change their username.
I have entered it on my blog: http://www.dizkover.com/post/423/programming-why-not-to-allow-users-to-change-username-in-social-web-application-design

Assigning a specific (group of) reviewers in Plone (by 'hand' or automatically)

Is it possible to assign a person or a group of people as reviewers in a certain state of a workflow in Plone?
I have been looking at AutoRole and the IRolesplugin, but do not seem to find what I need?
In our case, users need a multiple review step workflow, yet the first reviewer should have control over which reviewers come afterwards...
Workflows can trigger scripts. Scripts can do things like grant roles to users. You'd have to come up with an approach to letting your first reviewer specify additional users. There are probably multiple ways to do it, but I could imagine using archetypes.schemextender or a custom content type to provide a field for choosing additional reviewers, only visible to initial reviewers. Then use those values in the workflow script. http://plone.org/documentation/kb/creating-workflows-in-plone/tutorial-all-pages provides a good overview of how DCWorkflow works.
