How can you hide something from registered users but display it to anonymous users? - plone

This is for Plone 4. It is quite a general problem. I have a form (ploneformgen) that I want anonymous users to see and fill in, but I want to hide it from registered users (i.e., users who have logged in). Similarly, I have a "log in" link in the navigation menu. Obviously, anonymous users should see that, but logged-in users shouldn't have to see it. I've tried many options which I won't detail here (workflows, scripts that change local permission settings, etc.) since none of them have worked. There must be a standard way of doing this, but I can't work out what it is.
Any ideas?

Untested, but it might work: Products.AutoRole can assign groups and roles to visitors based on their IP, without creating user accounts for them. It also has a switch to only give automatic roles/groups to anonymous users. A rule 255.255.255.255/0 should match all IPs, so all anonymous users get a group, and you can make the form private and visible to that group.
(Note that AutoRole is not IPv6-ready, though, and has caveats regarding user inheritance, particularly: it will de facto disable the admin account, so you should not activate it in your Plone instance, but in the Zope server acl_users, if at all possible.)

Another untested idea.
There's a not very well-known product that I have never used in a production environment (but in my tests it works perfectly): collective.subtractiveworkflow (https://pypi.python.org/pypi/collective.subtractiveworkflow) and the use of a workflow chain.
In practice you can design a second workflow where View permission will be subtracted from Member roles.
To be honest, I'm not 100% sure how this can work with Anonymous, because normally you can't define a permission for Anonymous users that is not also given to other roles. It may be the same in this situation.

Related

Access to query's permalinks for users with other roles/spaces

Our Kibana (7.17.1) users would like to share queries (via Discover → Share → Permalinks) with other users that have different roles/spaces assigned. At the moment the target users get just a blank page if they use the permalink URL.
I activated anonymous authentication to enable Public URLs as a try, but the underlying anonymous user in turn needs role(s)/space(s) assigned and I can't add everything there since this would be against our data security policy.
I also tried the built-in role viewer for the anonymous user but this didn't work without an explicit role in addition and "This functionality is in technical preview and may be changed or removed in a future release." and "read access to any index that is not prefixed with a dot" is also against our security policy anyway.
Is it possible somehow else to give users with different roles/spaces access to shared permalinks?
I ended up creating an extra Share space and:
assigned it to all the respective roles and
added all the respective index patterns to it.
The only drawback is that the users have to switch to this space prior to creating a link if they'd like to share it with users of other roles/spaces.

Symfony security users without any role

I was looking at the symfony security dynamic roles instructions at knplabs page. It says "Second, there's just one rule that we need to follow about roles: every user must have at least one role. Otherwise, weird stuff happens."
Does anybody know exactly what happens to users who have no role? I assumed they would just be able to access pages which require such rights. But the text makes it sound like something terribly strange happens?
I got a response from KnpLabs:
Well... there is some weird stuff :). Internally, even after you
login, you will appear as "unauthenticated" in the web debug toolbar,
and some other parts of your system might think that you are also not
logged in. The issue is that, internally, in a few places, Symfony
decides whether or not you are authenticated by counting the roles on
the user. If the user has 0, the user appears "unauthenticated". Parts
of your system might work fine, but other parts might behave "weird"
:)

Meteor: Need simple approach for admin CRM

I'm trying to come up with a way to secure a set of Admin CRM pages that control a Meteor application I'm working on. There's just one codebase, with the server, customer facing website and admin facing website in one project.
I need a login page which can verify one username and password pair, and a simple way to check the status of the user on both the client and server side. I also need a way of the admin's authorization timing out if it hasn't been used for x minutes.
I've looked at the meteor accounts package and it's just way too much fluff for what I need. This website will only ever have one admin user, so there will only be one set of admin username and password to store. I don't want it stored in the database, rather loaded with a settings file on the server on application start. It doesn't need roles, emails, password reset functionality.
Any recommendations for a package or approach I could use to implement this?
I know you said that the accounts:password package seemed a little "overkill", but in reality it really isn't. What you are gaining there is pluggable UI (via accounts-ui and other packages that build off it). The approach I have taken is this (which happens to work well even for apps that do support multiple users, since ultimately you still need to bootstrap your start users).
First, I use a combination of accounts:password and alanning:roles. If you absolutely don't need the roles portion, you could probably get away without it, but in all my personal cases I have found it useful to have multiple levels of ACLs for the various users. We could get into a whole philosophical discussion on using roles/groups to lock down individual features, but that's sort of off topic for this discussion.
Next you need to boot-strap the user(s). Somewhere in your /server folder you will do something like:
    if (Meteor.users.find({}).count() === 0) {
      // No users created...create default users
      // (the credentials below are placeholders; replace them before deploying)
      Accounts.createUser({
        username: 'myuser',
        email: 'myuser@mydomain.com',
        password: 'myp4ssw0rd!',
        profile: { profileProp: 'propVal' }
      });
      // Add new user to whatever roles needed
    }
There are some more things I usually do here, like checking to see if my roles exist, and if not, create them before I try to handle the users, but the key here is to do that when the server starts up.
Once you have your user(s) and role(s) created, it's a matter of checking/verifying the user/roles in your app. For menu items you can show/hide stuff based on whether the user is logged in and/or has a certain role, and you should also verify in your application routes that require ACLs, like your admin route. In addition, use the user id in all your publications as well to limit the data your users can see. Don't rely solely on hiding a menu option...security through obscurity just doesn't work.
Why do I suggest doing it this way? First off, it's really not THAT much code. You could literally do this in probably 20 lines, max, and have a full authentication setup. And the benefit of those lines of code greatly outweighs the 30 min tops it would take you, as you will now have "real" user authentication in your app and have the ability to do things like OAuth if you ever decide to in the future. Most importantly, you unlock pre-built UI plugins that you don't have to code, built-in and add-on methods to help check ACLs, the ability to lock down data by user, and you don't have to try to implement your own solution.
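An added example, not part of the original answer, of the server-side checks described above: a publication handler that publishes nothing to anonymous users or users without the required role, and scopes data by user id. `guardedPublication`, `publishAs` and the sample data are hypothetical names constructed for illustration; in a Meteor app `isInRole` would be `Roles.userIsInRole` from alanning:roles and the handler would be passed to `Meteor.publish`.

```javascript
// Added example: server-side checks for Meteor publications.
// In a Meteor app, `isInRole` would be Roles.userIsInRole (alanning:roles) and
// `find` a collection query; both are injected here so the handler also runs
// outside Meteor.
function guardedPublication({ requiredRole, isInRole, find }) {
  // Meteor invokes publish handlers with `this.userId` taken from the login
  // session on the server, never from arguments the client sends.
  return function handler() {
    if (!this.userId) return this.ready();            // anonymous: nothing
    if (requiredRole && !isInRole(this.userId, requiredRole)) {
      return this.ready();                            // wrong role: nothing
    }
    return find(this.userId);                         // scoped by user id
  };
}

// Constructed sample data, standing in for stored roles and a collection.
const ROLES = { admin1: ['admin'], cust1: [] };
const ORDERS = [
  { _id: 'o1', ownerId: 'cust1' },
  { _id: 'o2', ownerId: 'cust2' },
];
const isInRole = (userId, role) => (ROLES[userId] || []).includes(role);

// Admin view: every order, but only for users holding the admin role.
const allOrders = guardedPublication({
  requiredRole: 'admin', isInRole, find: () => ORDERS,
});
// Customer view: any logged-in user, limited to the rows they own.
const myOrders = guardedPublication({
  requiredRole: null, isInRole,
  find: (userId) => ORDERS.filter((o) => o.ownerId === userId),
});

// Stand-in for the publish context Meteor supplies (`userId`, `ready()`).
// Here ready() returns an empty array so the result is easy to inspect.
function publishAs(handler, userId) {
  return handler.call({ userId, ready: () => [] });
}

console.log('anonymous -> allOrders:', publishAs(allOrders, null).length);
console.log('cust1     -> allOrders:', publishAs(allOrders, 'cust1').length);
console.log('admin1    -> allOrders:', publishAs(allOrders, 'admin1').length);
console.log('cust1     -> myOrders :', publishAs(myOrders, 'cust1').map((o) => o._id));
```

Hiding the admin menu entry on the client changes none of these results, because each decision is made from the server-side `userId`.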

Drupal - Organic Groups Invite - automate process

Currently, when one invites anonymous users to join an Organic Group on a Drupal site, the email that gets sent out only contains a link to the Organic Group. But then, because the user is anonymous, he will not be able to access the group unless he first registers.
So what happens presently is the user gets an email to join a group, clicks on the link, but then gets the access denied page.
Is there a way to automate the process, so that the user gets directed to the registration page, and after registering gets redirected to the group that he was invited to? Either to then automatically become a member, as he was already invited, or to then manually join.
thanks
Charles
You can do something like that, but it will be hard to make something that won't be fragile.
You can take a look at the Redirect 403 to User Login module. It redirects anonymous users to the login page. You can either use that as a basis to build your own module, I would imagine only a few tweaks would be needed to make it work how you want.
You might be able to alter the module with your own module, to make it function like you want, but I don't know exactly how it's built and if that's an option.

Dynamic forum permissions in Drupal

My users access Drupal through SSO and every time the server authorizes them, it returns a set of permissions (groups/roles), according to which I need to dynamically set the user's forum permissions.
So for example if a User logs in and the SSO says that he has enrolled in a course, I need to give him specific permissions for that course's forum.
Obviously I need a custom module for that, but it's a little hard to start.
I'm thinking of using the ACL module's API, but I can't find any documentation or tutorial online. Is there any?
Is there a better way to get around this?
I'd appreciate any help :)
(note: I know there are modules with GUI that have similar functionality but I need to do it programmatically)
We just put something exactly like this into place - we used the Rules module (with the User logged in trigger), checking the LDAP groups that the user is enrolled in, and assigned the role accordingly.
Check out Forum Access. It can restrict users based on their roles.
You could have your roles be something like "CSC221 Student". If a user has this role, they will be able to access the CSC221 forum.
Create a hook_user function ( see http://api.drupal.org/api/function/hook_user ) in your module.
Then using http://drupal.org/project/permissions_api set the appropriate permissions on the user.
