I see lots of examples some even with great details on how to apply claim based authorization for resources.
Unfortunately, all are aimed to a specific resource so you do something like :
GetEntity(int id)
CheckAccess(id, user);
Then in few examples I see the permission/claim for the action
GetEntities()
where you have a true or false access to the result view. (which is ok)
What I don't seem to find or understand, is how on a GetEntities action, I can return a list of entites and get the permission of the data using claims.
Practical example:
I have a shared address book for some X users in some group.
So group 1 have contact A, B, C
user 10 have permission to list contacts of group 1
user 10 have permission to see full details of contact A and B
user 10 have permission to see basic details of contact C
So I will end up showing in the view something like :
Contact A: name, phone and address
Contact B: name, phone and address
Contact C: name only.
Another thing is not quite clear, is where in the database should I store and how claims so I can later filter the result set from the database.
Let's say user 9 don't have permission to list contacts of group 1 but 2.
How is this claim stored and used to filter results on query ?
I know this is a pretty basic question, but i just don't get it!
Related
i have a problem with airflow.
Does Admin creates variables and controls access to each variable for each user?
Example: admin create Variable a, b and user userA, userB
Does admin can create role that allow userAread, edit variable a, can't edit b and userB read, edit B, can't edit a
Interesting question!
Part 1
As an admin you can create the following permissions .
So perhaps you can first ensure the users cannot delete Variables.
Part 2
If User A and only User A knows the Variable value. I would take advantage of a lesser-known Airflow feature to mask sensitive fields. I have provided 2 URLs for ways to approach this. So essentially the variable output will be masked, allowing User A to only know the answer. User B will see a variable exists however the value is masked. I believe you might also have to ensure you restrict CLI access.
source a
source b
Part 3
FYI - Airflow can automatically obfuscate any values when the variable name contains either secret or password. The check for this value is case-insensitive, so the value of a variable with a name containing SECRET will also be hidden.
I'm wondering whether WebAuthN APIs can be used to identify an individual. Do any of the following hold
Can the authenticator ever return info about the individual e.g. First name, email etc
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
Will different devices ever give back the same ID for the same user?
Can the authenticator ever return info about the individual e.g. First name, email etc
It can if you set personally-identifying information to the value of user.id in the options you pass to navigator.credentials.create(). Also referred to as the "user handle", the spec includes a section specifically about how this value is one way the API can leak personally-identifying information if you're not careful what value you set user.id to.
Will the authenticator always give us the same ID back for Alice when she uses this device regardless of which website I'm requesting from?
The authenticator will not give back the same ID on every website. Every successful invocation of navigator.credentials.create() generates a unique credential bound to the website, meaning every website would have to use the same value for Alice's internal user ID for this to even have a chance of happening. And for any given website the authenticator only gives back the value of user.id (as passed into navigator.credentials.create()) as userHandle in the response from navigator.credentials.get() when Alice logs into that site.
Will different devices ever give back the same ID for the same user?
Different registered authenticators would give back the same ID for Alice provided you specify the same value for user.id whenever Alice registers an authenticator.
Am looking at the data structure in this post and want to know how you would go about getting the emails of users who belong to a certain group when they could belong to several groups and the GroupID stored against that user is the current group they are participating in?
Do you store the email addresses with the userid under the "members" or, instead, for each member of the group, get that user's email address from the "users" document userid (this would mean iterating through the group/members collection and doing a query for each user. Not very efficient).
Am used to SQL so this is all new to me.
You should have a single node for each user
/users/UID/emails/
/users/UID/emailunread/
/users/UID/settings/
/users/UID/details/
/users/UID/payments/
So you can simply do a subscription for a singular node path this.myDatasubscription = this.DB.list('users/' + this.uid).snapshotChanges() ensuring changes like new emails or account settings will detected and rolled out in real time back to the app, so your are using angular/ng or something similar client side then your variables {{this.email_list}} should update real time with no page changes.
Take a look at this one.
error: Property 'getChildren' does not exist on type 'DataSnapshot'
I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.
Question No 1
I am familiar with role management, a particular member in a particular role can do this and access this functionally. What I need to do is Manage individual user, not the role he is in.
For example, lets say I create a role, called "Sales". I setup the role permission what the sales persons can do. Now i want to keep a check on individual user. For example if this is "john", i want to show him the records only he created. If his is peter, I want to show him only that records which he created, not by john or other sales people.
Is there a thing called "User Management" in ASP.NET that we can use? If not we have to create it ourselves and I believe the integration with ASP.NET "Role Management" will not be that smooth.
Question No 2.
I am using control for user login. I want to create a session at this time so I can keep track of which user is signed in so I can show him the records only pertaining to him. How can I do that?
Your Q1 isn't really about Role vs User management (ie: authorizations) at this point. It's about audit tracking within your application.
And the way you do that is you capture the ID of the user who created the record in question with the record, so that later you can filter on that ID.
Pseudo database structure
Table Sales
Field...
Field...
Field...
CreatedByUser int not null, -- Populate this on creation and never change it again
ModifiedByUser int not null - populate this on every row update including insert
See ASP.NET Profile Properties.
Assuming the records in the database correspond to a unique ID for a user, you can store the unique id in a profile property per user.
1) If you want to filter records by the creating user, you need to record in your table the ID of the user who created the record. You can access the name of current user through User.Identity.Name and their ID (provider-dependent) through User.ProviderUserKey.
2) Sessions are created automatically in ASP.NET and provided you have a properly configured MembershipProvider, you can retrieve all the needed user info using the User object as shown above.
It sounds like you are a little unfamiliar with ASP.NET Membership and Roles capabilities, because they are actually set up quite well to accomplish what you are describing. I would recommend checking out this tutorial series:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
You are talking about Authentication and Authorization. For question 1 you and implement a custom authorization provider to allow for user level control http://msdn.microsoft.com/en-us/library/aa479048.aspx For question 2, once you log in and are Authenticated, the session contains a userprinciple object that has the info in it automatically.