Setup access permission to nexus - nexus

We have given the anonymous user permission to upload files to Nexus Repository Manager. But it was not a good practice. We need to limit access to each project. Only relevant users should have read access. How can I fulfill this requirement?
Currently we have created two repos, lib-release-local and lib-snapshot-local, and inside those repos we are managing our projects. In this design, how can we implement a permission schema?

NXRM3 has a piece called content selectors, which are pretty much designed for what you're describing. Using a query language you can create a privilege which limits what folks can see or do in a certain repository (or format). Then you can assign that privilege to a role and that role a set of users (also removing the ability for them to view *).
See the documentation for more. I also advise, if you have questions about content selectors and their implementation, asking on the community.sonatype.com forums, which the development team as well as support monitor.
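One way to script what this answer describes, as an added example (not code from the original post or from Sonatype): it builds the REST request bodies for a content selector, a read privilege per repository and a role for one project, and flags roles that still hold a wildcard view privilege. The project name, path prefix and `maven2` format are assumptions; the endpoint paths and field names follow the NXRM3 security REST API and should be checked against your version's API reference.

```python
import json
import urllib.request

REPOS = ["lib-release-local", "lib-snapshot-local"]  # repository names from the question
API = "/service/rest/v1/security"
VIEW = "nx-repository-view-"  # built-in view privileges: nx-repository-view-<format>-<repo>-<action>

def project_access(project, path_prefix, fmt="maven2"):
    """Build (endpoint, JSON body) pairs granting read-only access to one project's paths."""
    if not path_prefix.startswith("/") or '"' in path_prefix:
        raise ValueError("path prefix must start with '/' and must not contain a quote")
    selector = f"{project}-selector"
    calls = [(f"{API}/content-selectors", {
        "name": selector,
        "description": f"Assets of {project}",
        # CSEL: '=^' is "starts with"; asset paths are evaluated with a leading slash
        "expression": f'format == "{fmt}" and path =^ "{path_prefix}"',
    })]
    privileges = []
    for repo in REPOS:
        name = f"{project}-{repo}-read"
        privileges.append(name)
        calls.append((f"{API}/privileges/repository-content-selector", {
            "name": name, "description": f"Read {project} in {repo}",
            "actions": ["BROWSE", "READ"], "format": fmt,
            "repository": repo, "contentSelector": selector,
        }))
    calls.append((f"{API}/roles", {
        "id": f"{project}-readers", "name": f"{project}-readers",
        "description": f"Read-only access to {project}",
        "privileges": privileges, "roles": [],
    }))
    return calls

def wildcard_view_privileges(role):
    """Return privileges that expose every repository and so bypass the selector."""
    def repo_of(priv):  # middle field; repository names may themselves contain '-'
        return priv[len(VIEW):].partition("-")[2].rpartition("-")[0]
    return [p for p in role.get("privileges", []) if p.startswith(VIEW) and repo_of(p) == "*"]

def post_calls(base_url, auth_header, calls):
    """POST each body in order (selector, privileges, role) to a Nexus instance."""
    for endpoint, body in calls:
        req = urllib.request.Request(base_url + endpoint, data=json.dumps(body).encode(), method="POST",
                                     headers={"Content-Type": "application/json", "Authorization": auth_header})
        urllib.request.urlopen(req).close()
```

Assign the resulting role to the project's users and remove any privilege reported by `wildcard_view_privileges` from their other roles, including those of the anonymous user.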

Related

CMS - How to work with multiple environments? Do I really need them?

I've never worked with any CMS and I simply wanted to play with one. As I originally come from .NET roots, I was thinking about choosing Orchard Core CMS.
Let's imagine a very simple scenario: together with my colleague I'd like to create a blog. As I'm used to working with web-based systems and applications for business, for me it's kinda normal to work with a code repository, having multiple environments (dev/test/stage/prod), implementing CI/CD, adjusting the database via migrations or scripts.
Now the question is: do I need all of this when working on our blog using a CMS?
To be more specific, I can ask a few questions:
Shall I create the blog using the CMS locally (my PC) -> create a few articles and then deploy it to the web, or should I create the blog over the internet and add articles in the prod environment directly?
How do I synchronize databases between environments (dev/prod)?
I can add that, as I do not expect many visitors on the website, I was thinking of using Orchard Core CMS together with SQLite. I also expect that I can customize code, add new modules, extend existing ones, etc., not only add content (articles). You can take that into consideration in answering the question.
So basically my question is: what should be the workflow of a person who wants to create, administer and maintain a CMS (let it be a blog) as a single person or as a team?
Shall I work and create content locally, then publish it and somehow synchronize both the application and the database (the database is my main question mark, also in the context of how to do that properly using SQLite)?
Or should all the changes, code + content, simply be managed directly on a server, let's call it the production environment?
Excuse me if the question is silly and hard to understand, but I'm looking for any advice, as I really didn't find any good examples or information about that, or maybe I'm looking in totally the wrong direction.
Thanks in advance.
Great question, not at all silly ;)
When dealing with a CMS, you need to think about the data/content in very different terms from the code/modules, despite the fact that the boundary between them is not always completely obvious.
For Orchard, the recommendation is not to install modules in production, but to have a dev - staging - production type of environment: install new modules on a dev environment, test them in staging, and then deploy to production when it's safe to do so. Depending on the scale of the project, the staging may be skipped for a more agile dev to prod setting but the idea remains the same, and is not very different from any modular application.
Then you have the activation and configuration of the settings of the modules you deploy. Because in a CMS like Orchard, those settings are considered data and stored in the database, they should be handled like content. This includes metadata such as the very shape of the content of your site: content types are data.
Data is typically not deployed like code is, with staging and prod environments (although it can, to a degree, more on that in a moment). One reason for this is that a CMS will often feature user-provided data, such as reviews, ratings, comments or usage stats. Synchronizing all that two-ways is very impractical. Another even more important reason is that the very reason to use a CMS is to let non-technical owners of the site manage content themselves in a fast and direct manner.
The difference between code and data is also visible in the way you secure their changes: for code, usual source control is still the rule, whereas for the content, you'll set up database backups.
Also important to mention is the structure of the database. You typically don't have to worry about this until you write your own modules: Orchard comes with a rich data migration feature that makes sure the database structure gets updated with the code that uses it. So don't worry about that, the database will just update itself as you deploy code to production.
Finally, I must mention that some CMS sites do need to be able to stage content and test it before exposing it to end-users. There are variations of that: in some cases, being able to draft and preview content items is enough. Orchard supports that out of the box: any content type can be marked draftable. When that is not enough, there is an optional feature called Deployments that enables rich content deployment workflows that can be repeated, scheduled and validated. An important point concerning that module is that the deployment only applies to the subset of the site's content you decide it should apply to (and excludes, obviously, stuff like user-provided content).
So in summary, treat code and modules as something you deploy in a one-way fashion from the dev box all the way to production, with ordinary source control and deployment methods, and treat data depending on the scenario, from simple direct in production database instances with a good backup policy, to drafts stored in production, and then all the way to complex content deployment rules.

QnA Maker - Unable to Collaborate with others

I'm currently using a free trial version of Azure to be able to create a QnA service as a PoC at work. I have created one and am now looking to collaborate with colleagues so we can provide a full assessment of the tool. I have followed the How To Guide 'Collaborate on your knowledge base', but found that when the person I have added as an Owner (or Contributor, as I tried both) logs in to their free Azure account, they are unable to see the knowledge base.
If they go to 'Create a knowledge base', whilst they are able to select both their own Default Directory and mine, if they select mine, when they go to select an Azure QnA service, they are unable to see mine, only services they have created.
Within Azure Active Directory, I can see the individual with a User Type of Guest and when I click into the detail of their account, I can see that the value for Invitation accepted is set to Yes. I added them within Access control (IAM) and can see that their Role is 'Owner' and the Scope is 'This resource'.
If anyone can provide any explanation as to why this still isn't working or how my colleague can best test whether it is working as expected, then it would be much appreciated.
Many thanks
Gareth
Try asking your colleagues to sign out and back in again; that did work for my colleagues.
In our case, we have an Azure Active Directory group that allows its members to have access to some of the QnAMaker Cognitive Services and, therefore, to the Knowledge Bases.
Colleagues that didn't see any of the KBs, even though they were members of that group, hadn't accepted the invitation. So, I had to send it again to each one of them. But even after accepting the invitation, they couldn't see any of the KBs.
Right after one of these colleagues signed out and back in again, he got the list of KBs in the QnAMaker.

Alfresco Community 4.2 Document Management

Currently I have a task of exploring Alfresco Community 4.2.
What I need to do is to build a workflow that allows users to upload a document, an admin to verify it, and other higher-level users to allow the document to be released; how it is released is not my concern. E-mail notifications will also be sent to higher-level users or the admin when the document is about to expire.
I have downloaded the Alfresco Community 4.2 exe from their website and installed it on a Windows 7 32-bit laptop. But I cannot access /alfresco and /share. I learnt that I need MySQL for this, so I'm currently installing this one, http://dev.mysql.com/downloads/windows/installer/ ; am I correct?
And do I have to do all this separately, for example, first I need to set up users, then configure their restrictions, then move on to documents?
I'm really, really new to this. I've searched Google, but so far everything seems complicated to me.
Thanks in advance!
First of all, if you are using the installer, which you seem to be, you do not need to install anything separately. The Alfresco installer comes with everything bundled into its installation.
Unless you have a specific requirement where you want to use MySQL instead of the bundled Postgres database.
Now, for the workflow: once everything is up and running, you can check the various existing out-of-the-box workflows available with Alfresco; if any of them meets your requirement, you can use it directly, with no other effort required.
In case you feel none of those workflows meets your requirement, then you need to create your advanced workflow.
http://wiki.alfresco.com/wiki/Workflow
This link contains all you need to know regarding Alfresco workflows.

Security Testing a Website

I am currently working on a school assignment which requires us to perform security testing on a website created by one of our peers. The website is created using ASP.Net 3.5/4 and an MS-SQL database.
The website's main features are:
Registration & Login using Roles
Uploading documents
Sharing of uploaded documents
Leaving comments on shared documents
I already have started testing the website using:
XSS in the Register, Login and Leave Comment Sections
SQL Injection in the Register and Login pages
Upload of executables, with a different extension (I have changed an executable file to .doc to test whether the system is checking the extension of the file or the actual contents)
These tests have been carried out manually and I have access to the source code!
Can you suggest any other tests I might want to carry out?
Cheers
A good resource for things to lock-down would be OWASP - I linked to their "top ten" items as I have followed it myself for locking down apps and found it really helpful.
Drilling down into any item on their top ten list will discuss how to recognize a particular vulnerability and suggest how to remove the vulnerability. All code-agnostic stuff, high-level descriptions so it can be applied to any project be it .Net, Ruby, PHP, etc.
Check for Local File Inclusion and Remote File Inclusion vulnerabilities as well.
You can also check the login system: if the website lets you log in (and you have an account or can make one), log in and check to see how the login code works (i.e. check your cookies to see if they are PHP sessions [secure] or some other method [usually not secure]). If you find a vulnerability in the login system, you could elevate your privileges from regular user to admin.
Also, "Upload of executables, with a different extension." Could you clarify that for me?
The best thing to do is to use your imagination.
You should also use Cat.NET's engine (which is a free Microsoft-provided, security-focused static analysis tool).
I have been working on making Cat.NET easier and faster to use inside VisualStudio, and here is a pretty cool PoC of it in action: Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)
If you are interested in Cat.NET you can download it from http://www.microsoft.com/en-us/download/details.aspx?id=19968

Drupal registration to create the new user account also in a 3rd-party system

When my user registers in Drupal and his account is created, I'd like to be able to create an account in a 3rd-party system (e.g. some moodle site).
Is that possible with an existing module? If not, what would be the preferred way to add this functionality?
You'll need to create a new custom module and implement the hook_user().
Specifically, you'll need to support the 'insert' operation, but of course you could add support for many others (such as delete or update) so you can manage users from your Drupal installation as well.
BTW: no existing module will couple exactly with your system, unless you're referring to a 3rd party application - in which case it'd help if you could tell us which one you're using :)
I second Seb's suggestion of using hook_user() for this, either after the fact on the 'insert' action, or upfront on 'validate', or on both, depending on how you need to deal with an eventual failure of Drupal itself or the 3rd-party system.
Also, given your other question in this context, it looks like you might be interested in the following posts/discussions concerning external authentication in general:
Distributed Authentication changes (A short note/description of changes compared to Drupal-5)
Refactor distributed auth out of user.module (lengthy but informative discussion leading to the current state of things)
External Authentication in Drupal 6 (Some user experiences with the current state)
You might also want to take a look at the OpenID integration in Drupal core as a somewhat 'authoritative' source of examples.
You might also check out the Moodle module for Drupal. I used it a couple years ago and it was kind of a headache, but I'd guess that it's come a long way since then.
Interestingly, they recommend using OpenID to manage users between the sites. That may be easier than implementing your own hook_user instance if you aren't very comfortable writing Drupal modules. Just a thought.
