FOSUserBundle: proper solution for teams consisting of multiple users - symfony

I am using FOSUserBundle in my Symfony2 project.
My goal is to make teams consisting of multiple users. Users are invited by the administrator (owner) via e-mail confirmation.
If a user belongs to one team, they can't set up new accounts using the same address. Of course, each user should have the opportunity to unsubscribe from the team.
Are there any ready-made solutions? I looked for Groups With FOSUserBundle.
Or do you have any good advice?

You were right, groups can be a good ready-to-use solution to make your logic.
The association is already setup and it's also easy to extend.
The documentation (now part of Symfony's doc) contains a great guide to use groups.
Of course, you can make your own entity, taking the FOSUB User->Group logic (association) as an example.
You should see the Security and Roles part of the documentation to manage authorisations of your different kinds of users.
You can assign roles to your different groups, and make your users directly inherit the roles of their group to manage access permissions.
For the confirmation email, see the corresponding documentation too.
And for the unsubscribing, just remove the association between the user you want to remove from a Group and the Group (or Team).
This is also part of the association, see the doctrine documentation.
Good use.

Related

Group claims in roles ASP.Net Identity

I'd like to make a system with granular permissions so
Is there a way to make groups of claims and assign them to a role so when a user gets a role it gets all the claims?
Is it possible to create groups of claims or am I misunderstanding something?
I'm failing to find the purpose of claims.
This could be done using groups with various roles and the roles are gonna be the permissions, right? This is the way I should do it? Since roles per se are claims.
Following steps can solve your problem
Create granular level of roles...typically for each action
Group them up into GroupRoles...so that admin can easily manage it
Add individual level claims to user for specific permission
Some good examples of the same are below
http://www.3pillarglobal.com/insights/granular-level-user-and-role-management-using-asp-net-identity
http://bitoftech.net/2015/03/11/asp-net-identity-2-1-roles-based-authorization-authentication-asp-net-web-api/
Hope this solves your problem

Symfony working with different entity managers

I want to create an application with some subsections like a blog and a forum for example. Now I want users to be able to create an account on my site, and with that account they can use the forum and the blog. That's easy so far. But I want to keep the tables in separate databases to keep a nice and clean structure. Let's say I use 3 databases, one for the UserBundle, one for the BlogBundle and one for the ForumBundle. This requires 3 entity managers. But that means that I can't use relationships from entities from ForumBundle or BlogBundle to the user entity in UserBundle. Simply adding UserBundle under the mappings for the other managers will create new tables in the other databases and that's the thing I'm trying to avoid.
So, is there a way to make bundles 'aware' of entities in other bundles?
I know it technically isn't a good thing to make bundles dependent on other bundles, but how else would I achieve my idea?
One approach that has worked reasonably well for me is to query using the event system.
Assume you are in the Forum Bundle, you have retrieved a list of posts for a given thread and now you need the user information for each post. You make an array of user id's then:
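    // IDs of the users you need information for
    $userIds = array(/* ...list of users you need information for... */);
    $findUsersEvent = new FindUsersEvent($userIds);
    // The user bundle's listener fills the event with the matching users
    $dispatcher->dispatch('FindUsers', $findUsersEvent);
    $users = $findUsersEvent->getUsers();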
So now I have a list of user information all nicely indexed by user id from which I can then pull additional information.
The only coupling between the Forum and User bundles is the FindUsersEvent class which could be in a common bundle of some sort. The forum bundle does not care how the users are loaded. The user bundle just needs a listener.
==================================================================
A second approach is to basically use a REST like api for grabbing user information.

Use of session in role based access control (RBAC)

I am trying to understand access control based on RBAC model. I referred to the following link.
NIST RBAC Data Model
I haven't understood this part clearly as mentioned in the excerpt -
*"Each session is a mapping of one user to possibly many roles, i.e., a user establishes a session during which the user activates some subset of roles that he or she is assigned. Each session is associated with a single user and each user is associated with one or more sessions. The function session_roles gives us the roles activated by the session and the function user_sessions gives us the set of sessions that are associated with a user. The permissions available to the user are the permissions assigned to the roles that are activated across all the user's sessions."*
Question - How can a session be used to activate roles? The relationship between the user / group and roles is inserted as admin data. So, how does a session activate a subset of roles for a user?
P.S -> I asked this question earlier here but without an answer. Maybe this question is too basic to ask but I am keen to understand it. Any use case or a link will definitely be helpful.
Thanks for your time.
In RBAC, administrators give permissions by assigning them to roles, and in addition by assigning roles to users. As you know, for a user to be able to use a particular permission, he will have to have been assigned at least one role that provides said solution.
So each user has a set of roles assigned to him. During a session, he can choose to activate (or deactivate) any of these roles, but no other. The activated roles determine which permissions are available to the user at a given time during the session. This is useful, for example, for dynamic separation of duty constraints, where two roles A and B can be assigned to the same user U, but can't be used together. Therefore, if U wants to use A, he will have to deactivate B before activating A.
From my experience in implementing RBAC, I pretty much avoided using dynamic management of multi-sessions.
At first it sounded like a pretty neat and flexible idea, but as you questioned who activates/deactivates roles (and when), I realized the complexity and security risks weren't worth the effort (my personal opinion).
The important thing to understand here and for which #Imontriux (above) mentioned:
"This is useful, for example, for dynamic separation of duty
constraints, where two roles A and B can be assigned to the same user
U, but can't be used together. Therefore, if U wants to use A, he will
have to deactivate B before activating A."
Most of the time, there are separation of duty constraints that must apply and in order to honour this, I simply chose to only have/manage one valid session per user at a time. If a user wants to authenticate under a different set of roles, he/she is responsible for logging out and logging back in.
It pretty much simplified a lot of my code. It was a compromise I chose and could easily live with.
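The session model discussed in the two answers above, as an added Python example that is not part of either answer: roles are assigned by an administrator, a session starts with none of them active, and a dynamic separation of duty (DSD) pair can never be active together. The `single_session` switch models the one-session-per-user compromise; the class, user, role and permission names are constructed for illustration.

```python
# Added example: users, roles and permissions are constructed sample data.
class RBAC:
    def __init__(self, user_roles, role_perms, dsd_pairs, single_session=False):
        self.user_roles = user_roles    # user -> roles assigned by the administrator
        self.role_perms = role_perms    # role -> permissions
        self.dsd = {frozenset(p) for p in dsd_pairs}  # roles never active together
        self.single_session = single_session
        self.sessions = {}              # session id -> (user, active roles)

    def user_sessions(self, user):
        return {sid for sid, (u, _) in self.sessions.items() if u == user}

    def session_roles(self, sid):
        return set(self.sessions[sid][1])

    def create_session(self, sid, user):
        # One session per user: a DSD pair cannot be split across two sessions.
        if self.single_session and self.user_sessions(user):
            raise PermissionError(f"{user} already has a session")
        self.sessions[sid] = (user, set())  # no role is active at login

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{role} is not assigned to {user}")
        for r in active:
            if frozenset((r, role)) in self.dsd:
                raise PermissionError(f"deactivate {r} before activating {role}")
        active.add(role)

    def deactivate(self, sid, role):
        self.sessions[sid][1].discard(role)

    def check(self, sid, perm):
        # Assigned-but-inactive roles grant nothing.
        return any(perm in self.role_perms.get(r, ()) for r in self.sessions[sid][1])

def demo():
    rbac = RBAC({"U": {"A", "B"}}, {"A": {"approve"}, "B": {"submit"}},
                [("A", "B")], single_session=True)
    rbac.create_session("s1", "U")
    rbac.activate("s1", "B")
    try:
        rbac.activate("s1", "A")    # B is still active: DSD refuses
    except PermissionError as exc:
        refusal = str(exc)
    rbac.deactivate("s1", "B")
    rbac.activate("s1", "A")
    return refusal, rbac.session_roles("s1"), rbac.check("s1", "submit")
```

The admin data answers "which roles may this user ever hold"; the session answers "which of those are in force right now", and only the latter is consulted in `check`.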

Symfony2: how can I load a user taking into account its mapping entity?

Although I'm using Symfony 2.1 with FOSUserBundle and everything works perfectly, I don't know how I can resolve a problem.
Basically, I would like to know if there is a way to find (load or get) a user from the database taking into account a relationship with another entity.
This is the situation:
I have made that users can also login into my site thru a social network (Google, Facebook, LinkedIn, etc). I besides ask them for an offline access, so I can access their social accounts any time.
As each user can have as many connections as they want (or maybe none cause they are optional), I've decided not to save this information in the user table. I've created an abstract entity called "SocialConnection" which is extended by the real ones (Google, Facebook, etc). In this entity I store the user information that I get when the user logs in my site thru those networks (user_id, social_id, access_token, etc), so in my User class I have mapped a collection of the abstract "SocialEngine" that allows me to have all networks together.
In order to be able to add others networks like Twitter, Yahoo and so on in the future, I think it is the way it should be.
So, the problem now is that when the user logs into my site thru any of these social networks I need to load him from the database knowing his social id, but I don't know how to do it.
I've seen that the method $this->findUserBy of UserManager find a user regarding a property but I think this is not the case.
What should I do to find a nice solution?
Thanks in advance.
Best regards,
Izzy.
To achieve this, you need to get deeper into doctrine's api. The base repositories methods (find, findBy etc...) won't be enough.
You need to use doctrine's DQL. It looks like SQL but you query based on your mapping metadata and not based on the database schema directly.
If your User has a OneToMany $socialAccounts property to the SocialEngine, you will be able to do something like:

    SELECT u
    FROM Bundle:User AS u
    JOIN u.socialAccounts AS sa
    WHERE sa.id = 34

But you can only query on SocialEngine's properties, not on the subclasses' ones ... (ie: You can't query on a SocialFacebookEngine's facebookId).
You either have to put all the twitter/facebook/etc data in the base SocialEngine class, or in the User class.
Or you could create an entity for each "Social Engine", and create a OneToOne relation between each of these engines and the User.

Variable Role Management

How to implement Variable Role Management in Forms Authentication.
The case is: We are tracking various projects across various stages... A Particular person Emp1007 could be involved in various projects in different roles... Project Lead for Pr001,
Beneficiary for Pr002, Associate for Pr003.
There is a page, where in the user will be listed all the projects he is involved in, and can click on a particular project to perform some action on the same. From next screen onwards he must assume the role corresponding to the selected project, until such time, he comes back to the project listing screen.
How do I do this... Trust I made my requirement clear.
Included Later :
My situation is the Role of a particular user must be decided on the basis of the Project he chooses... Further the same user will be needed to assign different roles during the same session... Is this possible? if yes, how?
Raja
I think your problem is to assign roles at runtime.
For this you can use Roles class.
Msdn Document
    Roles.AddUserToRole("King","Lead");
Also know that you can read user's roles when your project listing screen is loaded
    string[] userRoles = ((RolePrincipal)User).GetRoles();