Dynamically add new roles to Symfony2 users - symfony

Is it possible to manually update user roles with Symfony2?
In my application, users are able to handle many companies. For each of them, they have different roles.
At login time, I'd like to give them the roles of their default company, and when they switch company, I'd like to remove the previous roles and add the ones of the new company.

Yes, it is possible. But I wouldn't advise you to dynamically remove and add roles on a company switch, as it could lead to a security issue. If you want to use the basic role system you could create roles prefixed by the company name (this is a bad idea if you have many companies). Or upgrade your security context to use ACLs. Maybe the simplest solution is to create a user for each company with the same credentials (or no credentials if you manage the user switch) and different roles.
As far as I can see you should consider developing your own role system that meets your multi-company requirement.

Related

Hardcode a role (outside database) for ASP.NET MVC and adding a Windows Authenticated Users

How would I go about hardcoding a role in ASP.NET MVC within the program itself, rather than through a database, for authentication (and then how could I add people to this role)?
What I'm trying to do is have 3 roles: Programmer, DatabaseAdministrator, and SystemsAdministrator. I'd like to be able to add people to those roles (also hardcoded), and then authenticate people based on role, rather than username. Right now, I am authenticating people like this:
If (@User.Identity.Name == "DOMAIN\\first.m.last")
What I want to be able to do is:
If (@User.Identity.Role == "ROLENAME")
However, I only have three roles and 8 people; I do not want to have to create a table in my database for them. So I'd create the role DatabaseAdministrator, and then add three people into it as the string "DOMAIN\first.m.last". Then, I could have the action populate the view based on their role name.
Everything I've seen so far has you do it through the database. Would appreciate any help. Thanks!
I am assuming that you are using Windows Authentication.
With that said, you can easily authorize based on the user's Active Directory groups. This will keep you out of the database, and all you have to do is add a user to an AD group if the users change.
Then you can authorize on the controller or action with this annotation:
[Authorize(Roles = @"DOMAIN\ADGroup")]

Symfony2 Role Confusion; how to NOT store them in the database?

I'm working on a Symfony app that will have some basic roles that can be assigned to users. Note, I'm not using the FOSUserBundle because I don't need more than half the features in it.
I have my users defined in the database, but I'd like to keep the role definitions out of the database. But several examples and other tutorials I've found keep the roles in the database, and use a ManyToMany relationship to assign them to users. This seems odd to me, since the actual use of the roles is hardcoded into the app.
For example, if I have a custom role ROLE_EDITOR, I have several routes and controllers that I may restrict to ROLE_EDITOR. Why would I "define" this role in the database? That means when developing my application and I add a new user role, I have to either write a script to programmatically insert a new role into the DB or do it manually, before the code is deployed that makes use of the role. I don't want admins to be able to add/edit/delete roles. It should be a design decision done programmatically.
In Drupal, there's a concept of Roles and Permissions. You define permissions in code and check against those, and then roles are defined in the database and are assigned permissions. But it seems that Symfony just has the concept of Roles.
I'm hoping someone can fill in a missing piece of information for me or something. How can I implement a system where the role assignments are done in the database, but the roles themselves are managed via code only?
My instinct is to just create a single entity that relates to User and has a string field for the ROLE_NAME. But this seems to go against the paradigm of having a real Role entity.

Creating my custom security role and custom user group tables, to implement custom authorization for my asp.net mvc web application

I am working on an intranet ASP.NET MVC application with Windows authentication enabled. I am building an asset management application, and I need to define user groups and security roles. For example, I have a group that contains senior HR employees; this group will be linked to a security role. The security role will, for example, allow adding new vehicles but only allow reading the information about IT assets such as PCs, etc.
But since I am working on an intranet and the users exist in Active Directory, I want to link the user groups to customized security roles. So is it a recommended approach to use my own userGroups table and securityRole table to store the information about the user groups and their security roles?
Currently I only use the users from AD, but store the info about user groups and security roles inside my custom tables, as this will give me more flexibility in implementing the requirements. Or is it recommended to use the built-in groups and role management that comes with ASP.NET?
Thanks
If the ability exists to maintain the Active Directory groups, there is no reason to maintain a local groups table; IsInRole can be used for group access checks.

ASP.Net Membership additional field

I am starting a new ASP.Net MVC 3 app and I'm hoping to be able to use the built in Membership provider.
The issue I have is that my application can be used by various organizations and it is important that the information shown is only applicable to the organization the user is working for.
The no-brainer approach would be to insist all users use their email addresses as their username, so everyone is unique and can be associated with their respective organizations. The problem is, some users don't have email addresses, so there is no reliable way of ensuring unique names, and I don't want people to know the usernames already in use by different organizations. (Usernames should only be unique to the organization, not the entire app.)
Ideally, I would want the User to enter their organization name in one field, then their username in another (and then the password!)
So we could have Jane login from one organization.....
Organization Company1
Username Jane
Password ********
and then someone else also called Jane could login from a different organization..
Organization Company2
Username Jane
Password ********
So my question is, what is the best way of modifying the Membership system to allow for this extra field?
I'd go about writing a custom MembershipProvider to suit the requirement.
http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
The provider pattern used by membership is designed so that you can extend it. You can inherit from the default provider and from the default membership user class to add the fields you need. This saves you from having to write a provider from scratch. As @mare pointed out, there are potential pitfalls though.
I would overcome these by perhaps having a login form that prompts for organisation, username & password, but behind the scenes combine the org & username & use that as the internal username.
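The combined internal username suggested in the answer above, as an added example in C# that is not part of the original answer. It assumes a backslash as separator and a login form with Organization, UserName and Password fields; the helper class and its method names are illustrative, not a real Membership API. The check a practitioner wants here is that naive concatenation can make two different (organisation, username) pairs map to the same account, so the separator is rejected in both parts before the name is built.

```csharp
using System;

// Added example (not code from the original question or answers). It implements the
// approach in the answer above: the login form asks for organisation, username and
// password, and "ORGANISATION\username" becomes the single internal Membership
// username. The separator character and the validation rules are assumptions.
public static class OrgScopedUserName
{
    // Chosen so it cannot legitimately occur in either part; both parts are checked below.
    private const char Separator = '\\';

    // Builds the internal username handed to Membership.ValidateUser / CreateUser.
    public static string Compose(string organization, string userName)
    {
        return Validate(organization, "organization") + Separator + Validate(userName, "userName");
    }

    // Recovers the two parts from a stored internal username, e.g. for display.
    public static bool TrySplit(string internalName, out string organization, out string userName)
    {
        organization = null;
        userName = null;
        if (internalName == null) return false;
        int at = internalName.IndexOf(Separator);
        if (at <= 0 || at == internalName.Length - 1) return false;
        organization = internalName.Substring(0, at);
        userName = internalName.Substring(at + 1);
        return true;
    }

    private static string Validate(string value, string what)
    {
        if (value == null || value.Trim().Length == 0)
            throw new ArgumentException(what + " is required");
        value = value.Trim();
        // Without this check ("Company1", "X\Jane") and ("Company1\X", "Jane") would both
        // become "Company1\X\Jane": two different (organisation, user) pairs sharing one
        // account, i.e. a cross-tenant collision. Rejecting the separator keeps the mapping
        // one-to-one, so TrySplit is unambiguous as well.
        if (value.IndexOf(Separator) >= 0)
            throw new ArgumentException(what + " must not contain '" + Separator + "'");
        return value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input from the question: two Janes in two organisations.
        string jane1 = OrgScopedUserName.Compose("Company1", "Jane");
        string jane2 = OrgScopedUserName.Compose("Company2", "Jane");
        Console.WriteLine(jane1 + " | " + jane2 + " | distinct: " + (jane1 != jane2));

        string org, user;
        if (OrgScopedUserName.TrySplit(jane1, out org, out user))
            Console.WriteLine("organisation=" + org + " user=" + user);

        try
        {
            // Would collide with ("Company1", "X\Jane") if the separator were allowed through.
            OrgScopedUserName.Compose("Company1\\X", "Jane");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

In the LogOn action the composed name is what goes to the stock API, e.g. `Membership.ValidateUser(OrgScopedUserName.Compose(model.Organization, model.UserName), model.Password)`. The default SqlMembershipProvider enforces uniqueness of the lowered username per ApplicationName, so this gives "unique within the organisation, case-insensitive" without touching the aspnet_users table; the stored name is a lookup key, so keep the display casing in Profile or your own tables if you need it.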
The built-in (default ASP.NET) membership provider does not provide a concept of an Organization/Company/Firm or Department. You will have to create your own tables in the database for those, with a foreign key to the aspnet_users table, to be able to store that additional information (I wouldn't go changing the default aspnet_users table because it might make it incompatible with the current default provider or future ones). You will then need to use the default provider for the default functionality and create a Service class to support the extended functionality. I know, I have done it. It gets complicated and dirty and takes time, but it's completely doable.
Most likely you will end up creating your own provider, and that starts with the requirement to support users in companies, in case you thought that changing the default provider to support that wouldn't be necessary. The requirement about uniqueness within the company is another one you will have to implement.
I think there is a built-in option in the membership. Look into the APPLICATION field in table my_aspnet_users.
reference here:
http://msdn.microsoft.com/en-us/library/system.web.security.membership.applicationname.aspx

ASP.NET Custom Role Provider - Additional Fields

I am faced with a security model problem when migrating my code to ASP.NET.
In the application:
There are multiple roles. (Role A, Role B etc)
There are multiple input/output fields. (Field A, Field B etc)
There are multiple permission levels controlling access to each field. (Read, Direct Edit, Edit With Approval, None)
Each role has its own permissions to fields. (Role A has Read Permission to Field A; Role B has Direct Edit permission to Field A etc)
Every role can be assigned to users and they are assigned by Geographic information. (User A is assigned to Role A for Continent: Europe - Country: Germany; User B is assigned to Role A for Continent: Europe - Country: France; User A is assigned to Role B for Continent: Europe - Country: France etc)
Users can have multiple roles
User identity is coming from Windows Authentication.
So my question/problem is: is it possible to represent this kind of multi-layered security model using the ASP.NET internal membership/role providers?
If so, what should my starting point be? Creating only custom role provider with custom methods and fields be enough?
Even with the built-in features of ASP.NET, the Membership Provider, and user controls, you will still have to write and manage the custom behaviors and interactions.
As an example, the Membership Provider has easy ways for you to create roles and check for the existence of roles. But you will have to create the business-specific dashboard that calls the features of the API that are appropriate to expose for your application. As an example, at many of the organizations that I have worked with, role creation was a database-only activity. User controls or site behaviors based on role were a code-only activity. Managing which roles were assigned to users was a feature exposed via an admin page in the application. If a need for a new role was identified, it had to be first created by a DBA, then code/controls that were responsive to that role had to be written. After these items were deployed, application administrators could assign or remove roles to users.
To address your comment to your question, if you have Europe_Germany_RoleA, the Membership API provides methods for you to create that role, map it to a user, and to check for its existence on a particular user, like...
// User is the current IPrincipal in a page or controller; IsInRole is the standard role check.
if (User.IsInRole("Europe_Germany_RoleA")) {
    //your code here
}
but you would need to map that particular role to information or features specific to your application.
In retrospect, maybe what you really want to look at is the Profile Provider. Still part of the Membership set (Membership, Roles, Profiles), it is more designed to carry information. You could customize the Profile object to meet the needs of your application. For example, if you looked at this as Sectors (for lack of a better term) that could be loaded when the user logged in, you could do queries like...
// Sectors is a custom profile property (assumed here) holding objects with a Name.
if (Profile.Sectors.FirstOrDefault(sd => sd.Name == "Europe_Germany_RoleA") != null) {
//bind to a grid, show a control, do something significant
}
and that might fit your problem better. Roles are truly only meant to act as flags (Does he have this role or not, then do something or dont), but the Profile object is designed to be customized to carry pertinent data for a user.
You can always extend it. The ASP.NET Membership model uses GUIDs as IDs for users and roles. You can add new tables that represent the added functionality and have them reference the original Membership tables.
Your problem is not in the role provider, or the membership system. This system is flexible enough for your needs, and allows you to assign multiple roles to individual users. You can either use a SQL table to store these roles, or you can use Active Directory; AD is probably easier to manage the users with.
Your primary problem is going to be how you assign permissions to the fields and other objects. This means you can't just use standard drag and drop web forms, but will have to build your fields dynamically.
It's easy enough to check whether a user is in a role, this is a one-line call. But, your roles will likely not be hard coded, so you need a way to store fields and the roles associated with them, and a way to build the fields based on the users privileges.
EDIT:
Another option is to build the forms as if there were no security, then in your pre-render event go through and apply your security to each field, disabling and/or hiding fields you don't want the users to see. This may require re-laying out the fields if you choose to hide them.
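A resolver for the field-level scheme in the question (roles carrying per-field permission levels, assigned to users per geography), as an added C# example that is not from the question or from any of the answers. The data is constructed inline from the question's own examples, and the names (RoleA, FieldA, DOMAIN\userA, the FieldPermission enum, Effective, ShouldRender) are assumptions; in the application the two maps would come from the extra tables the answers suggest adding beside the Membership schema.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not code from the original question or answers). It models the scheme
// the question describes and the "apply security per field" step from the last answer:
// a role maps each field to a permission level, a user holds roles scoped to a
// geography, and the effective permission for one field is resolved per request.
// Role, field, user and place names are illustrative.
public enum FieldPermission { None = 0, Read = 1, EditWithApproval = 2, DirectEdit = 3 }

public sealed class RoleAssignment
{
    public string Role;
    public string Continent;
    public string Country;
}

public static class FieldAuthorization
{
    // role -> (field -> permission). In the application this lives in the extra tables
    // beside the Membership tables; here it is constructed inline.
    private static readonly Dictionary<string, Dictionary<string, FieldPermission>> RolePermissions =
        new Dictionary<string, Dictionary<string, FieldPermission>>(StringComparer.OrdinalIgnoreCase)
        {
            { "RoleA", new Dictionary<string, FieldPermission>(StringComparer.OrdinalIgnoreCase)
                { { "FieldA", FieldPermission.Read }, { "FieldB", FieldPermission.None } } },
            { "RoleB", new Dictionary<string, FieldPermission>(StringComparer.OrdinalIgnoreCase)
                { { "FieldA", FieldPermission.DirectEdit }, { "FieldB", FieldPermission.EditWithApproval } } },
        };

    // user -> geographically scoped role assignments (constructed from the question's examples).
    private static readonly Dictionary<string, List<RoleAssignment>> UserAssignments =
        new Dictionary<string, List<RoleAssignment>>(StringComparer.OrdinalIgnoreCase)
        {
            { "DOMAIN\\userA", new List<RoleAssignment>
                {
                    new RoleAssignment { Role = "RoleA", Continent = "Europe", Country = "Germany" },
                    new RoleAssignment { Role = "RoleB", Continent = "Europe", Country = "France" },
                } },
            { "DOMAIN\\userB", new List<RoleAssignment>
                {
                    new RoleAssignment { Role = "RoleA", Continent = "Europe", Country = "France" },
                } },
        };

    // Effective permission = the highest level granted by any role the user holds *for this
    // geography*. Deny by default: an unknown user, a role not held here, or a field no role
    // mentions all resolve to None. A role name is never consulted without its scope.
    public static FieldPermission Effective(string user, string field, string continent, string country)
    {
        List<RoleAssignment> assignments;
        if (user == null || !UserAssignments.TryGetValue(user, out assignments))
            return FieldPermission.None;

        var granted =
            from a in assignments
            where string.Equals(a.Continent, continent, StringComparison.OrdinalIgnoreCase)
               && string.Equals(a.Country, country, StringComparison.OrdinalIgnoreCase)
            where RolePermissions.ContainsKey(a.Role) && RolePermissions[a.Role].ContainsKey(field)
            select RolePermissions[a.Role][field];

        return granted.DefaultIfEmpty(FieldPermission.None).Max();
    }

    // Decisions the pre-render pass from the last answer needs for each control.
    public static bool ShouldRender(FieldPermission p) { return p != FieldPermission.None; }
    public static bool ShouldEnableInput(FieldPermission p) { return p >= FieldPermission.EditWithApproval; }
    public static bool RequiresApproval(FieldPermission p) { return p == FieldPermission.EditWithApproval; }
}

public static class Program
{
    public static void Main()
    {
        string[] users = { "DOMAIN\\userA", "DOMAIN\\userB", "DOMAIN\\nobody" };
        string[] countries = { "Germany", "France" };
        foreach (string u in users)
            foreach (string c in countries)
                foreach (string f in new[] { "FieldA", "FieldB" })
                {
                    FieldPermission p = FieldAuthorization.Effective(u, f, "Europe", c);
                    Console.WriteLine(u + " / " + c + " / " + f + " -> " + p
                        + " (render=" + FieldAuthorization.ShouldRender(p)
                        + ", editable=" + FieldAuthorization.ShouldEnableInput(p) + ")");
                }
    }
}
```

Running it shows that userA gets Read on FieldA in Germany but DirectEdit on FieldA in France, and that userB gets nothing in Germany: the geography is part of the decision, not a suffix glued onto the role name. ShouldRender and ShouldEnableInput are what the pre-render pass applies to each control; resolving the permissions once per request and caching them per user avoids repeating the lookup for every field on the form.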
