Does anybody have a hint how to get two different searches on a Drupal 8.8 site?
This means, if a guest uses the search, only pages of type page and article should be listed in the result. If an authenticated user uses the search, all pages of any type should be listed in the result.
In the module description of search_api can be read:
In general, the Search API doesn't provide any kind of access
restrictions (as this cannot be done on a generic level). It is
therefore your responsibility to take care that only accessible items
are indexed or results displayed (e.g., by using appropriate filters).
I understand this in a way that content can be excluded while indexing but not when presented.
You could create 2 Search API Views and grant each access to the relevant roles or permissions with filter to restrict node types in your anonymous user View. If the only difference is access to the node types, then you can just use a single Search API index for both Views.
I need some advice on how best to implement a security mechanism in an ASP.net core application. The application users are authenticated using AD authentication. Is there a best practice for this type of implementation?
I have a list of project records. Users should only be able to retrieve a list of projects that they have permission to access. I have three user types that have different levels of access as detailed below.
Approvers – assigned to individual projects.
State approvers – Can view state-wide projects.
Global approvers – Can access all projects.
Does anyone have any suggestions on what model and logic to implement to achieve what is required?
Well, I secure pages with information "limited" to logged on users. So if they have membership in a particular role, then only those users can jump/see such pages.
However, in your case, and often?
Well, it's not so much the web page the user can use, or be restricted from.
However, when a web page can be restricted based on IIS security and not your code, then that option should be used.
However, often in code, for example, we have individual users from a given company, and ONLY some can and are allowed to see all projects. (so some only can see their own projects, but from that company, some have rights to see + use all projects.)
So, we often have code say like this:
' Needs System.Data, System.Data.SqlClient and System.Web.Security.
' Identity and role flag come from the server-side membership provider, not from the request.
Dim cmdSQL As New SqlCommand("dbo.GetProjects", GetCon)
cmdSQL.CommandType = CommandType.StoredProcedure
cmdSQL.Parameters.Add("@LogonID", SqlDbType.Int).Value = Membership.GetUser.ProviderUserKey
cmdSQL.Parameters.Add("@Email", SqlDbType.NVarChar).Value = Membership.GetUser.Email
cmdSQL.Parameters.Add("@PortalMaster", SqlDbType.Bit).Value = IIf(Roles.IsUserInRole("PortalMaster"), 1, 0)
So, if the user is a PortalMaster, then they can get and see all projects belonging to that company. (each company that logs into the site can have 1 or 20 employees that belong to the given company).
So, in above, the query is going to pull projects by EmployeeID (their logon), and thus they can only ever see their own projects.
If you are a member of the PortalMaster group, then we pull projects based on CompanyID.
So, while you might not be using the older security provider like above? Your queries that pull projects simply have to restrict rows returned based on above.
Once those projects are returned (in a nice grid - searching options included), then they can select (click on) a project. That next page does not really care anymore, since you can't get to the project details page until you selected a project.
So, obviously you must have for a given Project who created it. And thus your ability to display their current projects will be restricted based on their logon ID or whatever you are using now.
But, for state level users? Then your criteria is by their logon id and their state they belong to based on that logon.
And then there is the "admin" role or group - they can search and pull on all projects.
So, while we do restrict web pages by "role" security (based on IIS), that just means that all users can, or cannot hit some web pages based on their role membership (and such security does not require code on my part - the IIS security assigned to those web pages can do all that dirty work for you).
However, if you are a legal logon, then you can only ever work on projects that belong to your company. But then it is a question if that user also has the role of "PortalMaster", and if they do, then we pull all projects for display to select from for that given user.
And of course we never use say URL "query parameters", and such internal database company ID, or ContactID (user id) are never exposed, nor possible allow display of information or data that don't belong to the given user.
So, you need to build some sql or some stored procedures, and having a few "parameters" for those stored procedures that returns rows of data based on their role membership is quite much how you would approach this. So in above, if the user is a portal master, then the stored procedure simply queries the data based on company they belong to as opposed to their contact id.
Now, this of course assumes the database schema is set up, and for example, we have a company table, an employee table (that has their logon information), and then of course each project created has both a created by, and the company the project belongs to. So, that simple information is enough to provide the 2 levels of security.
We actually don't have a "super user" that can look at and see all projects in the system, but it's actually not all that bad of an idea, since for testing, or checking a project that has some problem is a "pain" right now, since we in theory have to create a logon for that company, or get a password.
So, all logons we create belong to a given company. And thus when a user creates a new project, it can only be created under that one company, and of course a project also requires the user that created the project.
So, you simply have to restrict records returned in the page in which they can select a project to work on. IIS security, or in fact SQL server security as a general rule can't do this type of security for you - you the developer have to.
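The row filter this answer describes, sketched as T-SQL (an added example, not the answerer's actual procedure). The procedure name and its three parameters come from the VB snippet above; the Company, Employee and Project tables, their columns and the sample rows are constructed assumptions.

```sql
-- Constructed schema (assumption), following the tables the answer names.
CREATE TABLE dbo.Company  (CompanyID int PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE dbo.Employee (EmployeeID int PRIMARY KEY,
                           CompanyID  int NOT NULL REFERENCES dbo.Company (CompanyID),
                           Email      nvarchar(256) NOT NULL);
CREATE TABLE dbo.Project  (ProjectID  int PRIMARY KEY,
                           CompanyID  int NOT NULL REFERENCES dbo.Company (CompanyID),
                           CreatedBy  int NOT NULL REFERENCES dbo.Employee (EmployeeID),
                           Title      nvarchar(200) NOT NULL);
GO
CREATE PROCEDURE dbo.GetProjects
    @LogonID      int,
    @Email        nvarchar(256),
    @PortalMaster bit
AS
BEGIN
    SET NOCOUNT ON;

    -- The company comes from the caller's own employee row, never from the client.
    DECLARE @CompanyID int;
    SELECT @CompanyID = e.CompanyID
    FROM dbo.Employee AS e
    WHERE e.EmployeeID = @LogonID AND e.Email = @Email;

    -- Unknown caller: @CompanyID stays NULL, the comparison is never true, no rows.
    SELECT p.ProjectID, p.Title, p.CreatedBy
    FROM dbo.Project AS p
    WHERE p.CompanyID = @CompanyID
      AND (@PortalMaster = 1 OR p.CreatedBy = @LogonID);
END
GO
-- Constructed sample data: two companies, three logons, three projects.
INSERT INTO dbo.Company  VALUES (1, N'Acme'), (2, N'Globex');
INSERT INTO dbo.Employee VALUES (10, 1, N'ann@acme.example'),
                                (11, 1, N'bob@acme.example'),
                                (20, 2, N'cy@globex.example');
INSERT INTO dbo.Project  VALUES (100, 1, 10, N'Acme intranet'),
                                (101, 1, 11, N'Acme billing'),
                                (200, 2, 20, N'Globex portal');
GO
-- Ordinary logon: filtered to rows where CreatedBy = 10.
EXEC dbo.GetProjects @LogonID = 10, @Email = N'ann@acme.example', @PortalMaster = 0;
-- PortalMaster logon: filtered to rows where CompanyID = 1.
EXEC dbo.GetProjects @LogonID = 11, @Email = N'bob@acme.example', @PortalMaster = 1;
-- Logon that matches no employee row: the company lookup fails, nothing is returned.
EXEC dbo.GetProjects @LogonID = 99, @Email = N'nobody@example.invalid', @PortalMaster = 1;
```

The same predicate belongs in any procedure that loads a single project by its ID, so the details page is scoped the same way as the list.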
I am trying to implement a user-content ACL mapping service in alfresco using CMIS where I will allow a user to see a content if he is having permissions for this content.
I have got the list of ACEs for a content using CMIS ACL service but I am still trying to find out a way where I can get to know if a user has permissions on this content or he belongs to any of ACEs of this content. Or there are some common ACLs/ACEs between content and user which I can match before I can allow/deny access for content.
As CMIS is repository agnostic standard, I hope if I can get something to complete the mapping service.
In case you are using CMIS 1.1 against Alfresco, you could try using the ACE principal ID to retrieve the corresponding person / group. This is possible through the introduction of the cmis:item base type in CMIS 1.1. See http://ecmarchitect.com/archives/2014/04/28/3703 for information about those possibilities.
Unfortunately, it is not possible to resolve user-group or group-group memberships as those relations are child associations which Alfresco does not expose as a CMIS relationship.
This is not possible because the standard does not care about a principal's effective rights on a documentary database object.
And I needed exactly the same thing, but I had to give up.
I work for company A. Company A has a sister company B. Both companies A and B use the same ERP database. I have created an SSRS 2005 report that can be used by both companies. It has a CompanyID parameter that determines whether to display data for company A or company B.
For most reports this will be OK, but for company sensitive information (such as payroll), this will be an issue since anybody at company A can change the CompanyID parameter to company B's ID, and vice versa.
My initial idea to handle this was to create a linked report for each company in their own respective folders, A and B, where security on folder A only allowed company A users and folder B security only allowed B users. Then I would add a default CompanyID parameter to each linked report and hide the parameters from the user. So far so good. The problem with this is that you can still change the parameter values using the URL query string. For example, a user at company A could change the report url from:
http://server/ReportServer/ReportViewer.aspx?/Payroll/A&rs:Command=Render
to:
http://server/ReportServer/ReportViewer.aspx?/Payroll/A&rs:Command=Render&CompanyID=B
Now they have completely bypassed the hidden default parameter.
What is a good approach to solve this? I would like to share reports between both companies if possible.
Update:
We also have company specific ASP.NET intranets that already restrict access based on company via AD domain. I suppose I could use the ReportViewer control on an intranet page to apply the appropriate parameters at run time. I could probably incorporate this logic into a generic report page that could be used for any report, right? (Please excuse my ignorance, I'm a total SSRS n00b)
What is your security apparatus here? It seems to me a solid and secure solution would be to drive the access to data based on the user account. How is the report data gathered? Is it SELECT directly in your data set? Are you calling procedures? selecting against a view?
EDIT: Since you are selecting against a VIEW which unions the respective company data, if you grant rights to the views to the users or roles which have access you may be able to create a scenario where the data is returned to the user based on their rights.
You could use Expression Based Connection Strings in order to not have to use linked reports, but it still means passing information as a parameter which will get exposed in the GET request.
There's no getting around that you have to distinguish for whom the report is going to be displayed/run for.
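Driving the data from the user account, as the first answer suggests, can look like this in T-SQL (an added example, not code from the thread). It assumes the report data source connects with the viewing user's Windows credentials so that SUSER_SNAME() is the viewer; dbo.PayrollAll, dbo.ReportUserCompany, dbo.PayrollForCaller, the role name and the sample rows are constructed stand-ins.

```sql
-- Constructed stand-in (assumption) for the existing object that unions
-- both companies' payroll rows.
CREATE TABLE dbo.PayrollAll (
    CompanyID    char(1)       NOT NULL,
    EmployeeName nvarchar(100) NOT NULL,
    GrossPay     money         NOT NULL);

-- Which login may see which company's rows; maintained by an administrator.
CREATE TABLE dbo.ReportUserCompany (
    LoginName sysname NOT NULL PRIMARY KEY,
    CompanyID char(1) NOT NULL);
GO
-- The filter is the caller's login, so there is no CompanyID parameter
-- left for a query string to override.
CREATE VIEW dbo.PayrollForCaller
AS
SELECT p.CompanyID, p.EmployeeName, p.GrossPay
FROM dbo.PayrollAll AS p
JOIN dbo.ReportUserCompany AS m
  ON m.CompanyID = p.CompanyID
WHERE m.LoginName = SUSER_SNAME();
GO
-- Report users get the filtered view only. With no grant on the two tables,
-- they cannot query them directly; the view reads them through ownership
-- chaining because all three objects share the dbo owner.
CREATE ROLE PayrollReportUsers;
GRANT SELECT ON dbo.PayrollForCaller TO PayrollReportUsers;
GO
-- Constructed sample rows; the current login is mapped to company A.
INSERT INTO dbo.PayrollAll VALUES ('A', N'Alice Example', 5200.00);
INSERT INTO dbo.PayrollAll VALUES ('B', N'Bram Example',  4800.00);
INSERT INTO dbo.ReportUserCompany VALUES (SUSER_SNAME(), 'A');
GO
-- The report dataset query: no parameter, rows limited by the mapping above.
SELECT CompanyID, EmployeeName, GrossPay
FROM dbo.PayrollForCaller;
```

If the data source uses stored credentials instead, SUSER_SNAME() is the service account; in that setup the dataset query parameter can be bound to the expression =User!UserID rather than to a report parameter, and the mapping joined on that value.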
We are currently transitioning our website to Drupal 6.x from a non Drupal source. One of the first issues we need to deal with is that of authentication. We have a central database where we keep member information. We will create a module to authenticate against this database however a question of whether or not to create users in Drupal is needed.
I'm worried that if we do not add user to the user tables and have our module keep sync that with the other database, then we will not be able to take advantage of other modules that may use the user module.
My colleague on the other hand believes that this is not an issue; we can add all necessary attributes to the global $user at authentication with our module.
Is there a standard way of dealing with this problem?
Thanks!
David
Look at the LDAP_integration module, they do something similar. When logging in and a local user cannot be loaded, a user is searched for in another application and when user&pass are equal, the user is copied in the Drupal usertable.
If you want any Drupal functionality (read: core and modules) to be associated with that user account, then you will need to use that user table.
This is especially true for anything node-related, so if you want people to be able to create nodes with referenced data you will need it. uids are stored in the nodes table in order to show who authored the node. Storing a uid in the nodes table with something that doesn't exist as a relational key to somewhere else will only return an empty object. For instance, if a person wants to see the author of X node they will get an empty user object. Keep it. There's no sense in working harder just to remove it. Besides, you can store as little or as much as you want in the user object for each account.
I'd also suggest looking at the LDAP module. I was able to use it as a jumping in point to interface with a custom WSAPI authentication method for an external database that we have at my company.
Do you need to have both sites running in parallel? If not, then you don't need to sync the user tables. A conversion will be enough then.
A web application I work with requires a form which allows an Administrator to add users into the web application's user table. The web application is intranet based and is run in a number of countries world wide.
They need the ability to search Active Directory to find users to add from across multiple domains. Searching domains that are geographically located further away takes much longer than searching closer domains...
Are there faster ways to search Active Directory, e.g. certain search parameters or eliminating fields to search?
And how would you populate say a session dataset and have a grid or other control refresh to retrieve the data as it is retrieved from each domain... I'm not sure how you could do this as it sounds multi-threaded which I haven't done in an asp.net webapp...
thanks heaps!
In Active Directory the Global Catalog contains a subset of account attributes from all domains in the forest. Since it looks like you just want to find the names that information should be in the GC. If you are doing an LDAP search bind to port 3268 instead of 389 to access the GC on the domain controller. You may need to work with our AD administrator to make sure you bind to a Domain Controller that is also a GC.
http://technet.microsoft.com/en-us/library/cc978012.aspx
http://technet.microsoft.com/en-us/library/cc737410.aspx
This page had information roughly what I was after...Talking about optimising searches etc
http://www.informit.com/articles/article.aspx?p=30117&seqNum=5