Avoid "user cross access" in Symfony - symfony-1.4

I am currently working on a project based on Symfony 1.4. I am using the sfDoctrineGuardPlugin to authenticate my two kinds of users: users and admins. For each module and each action in a module, I am using credentials to prevent unauthorized action execution.
But I am facing a problem: if a user wants to edit a project, for example, the URL will look like frontend.php/project/edit/id/1. Here, we suppose that project #1 belongs to him. Now, let's suppose that project #2 does not belong to him. If he types the URL frontend.php/project/edit/id/2, he will have access to the edit form, and will be able to edit a project that does not belong to him.
How can I prevent that behaviour ?
I would like to avoid verifying the ownership of each editable model before displaying the edit form... But can I do differently ?
Do you have any good practices or advice to prevent this behaviour?
Thanks a lot !

Since you will have to check in the project to know if the current user is allowed to edit the project, I don't think you will have any other way than verifying before the edit, in the action part. Why don't you want to do it this way?
This check can be done inside the preExecute function:
public function preExecute()
{
    $request = $this->getRequest();
    if ($request->hasParameter('id'))
    {
        $project = Doctrine_Core::getTable('Project')->find($request->getParameter('id'));
        // find() returns false for an unknown id; 404 before dereferencing it
        $this->forward404Unless($project);
        $user_id = $this->getUser()->getGuardUser()->getId();
        // cast both sides: Doctrine may hydrate the column as a string
        $this->forward404If(
            (int) $project->getUserId() !== (int) $user_id,
            'User #'.$user_id.' is not allowed to edit project #'.$project->getId()
        );
    }
}
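As an added example (not part of the answer above, and not the asker's project), here is the same ownership check written so that the query itself is scoped to the authenticated guard user: a project id that belongs to someone else and an id that does not exist both end in the same 404, so the edit form never loads for a foreign id and the response does not reveal which ids exist. The `Project` model with its `user_id` column and the `project` module come from the question; the `getOwnProject()` helper, the `ProjectForm` class name and the action names are assumptions.

```php
<?php
// Added example for Symfony 1.4 + sfDoctrineGuardPlugin (assumed API names are
// marked below).  Drop into apps/frontend/modules/project/actions/actions.class.php.

class projectActions extends sfActions
{
    /**
     * Load the project named by the `id` request parameter, but only if it
     * belongs to the current guard user.  Filtering on user_id in the query
     * (instead of loading by id and comparing afterwards) means a foreign id and
     * a nonexistent id are indistinguishable to the caller: both give a 404.
     */
    protected function getOwnProject(sfWebRequest $request)
    {
        // credentials normally guarantee this, but the helper must not rely on it
        $this->forward404Unless($this->getUser()->isAuthenticated());

        $project = Doctrine_Core::getTable('Project')
            ->createQuery('p')
            ->where('p.id = ?', (int) $request->getParameter('id'))
            ->andWhere('p.user_id = ?', $this->getUser()->getGuardUser()->getId())
            ->fetchOne();   // false when no row matches

        $this->forward404Unless($project, 'No such project for this user.');

        return $project;
    }

    public function executeEdit(sfWebRequest $request)
    {
        $this->project = $this->getOwnProject($request);
        $this->form = new ProjectForm($this->project);   // assumed generated form class
    }

    public function executeUpdate(sfWebRequest $request)
    {
        $request->checkCSRFProtection();                 // sfForm CSRF token check
        $this->project = $this->getOwnProject($request); // same check on the POST path
        $this->form = new ProjectForm($this->project);
        $this->form->bind(
            $request->getParameter($this->form->getName()),
            $request->getFiles($this->form->getName())
        );
        if ($this->form->isValid()) {
            $this->form->save();
            $this->redirect('project/edit?id=' . $this->project->getId());
        }
        $this->setTemplate('edit');
    }

    public function executeDelete(sfWebRequest $request)
    {
        $request->checkCSRFProtection();
        $this->getOwnProject($request)->delete();
        $this->redirect('project/index');
    }
}
```

Two things to check alongside this: every action that touches a project (edit, update, delete, show) must go through the helper, not just the one that renders the form, because the POST to update is a separate request; and the generated form should drop the ownership column with `unset($this['user_id'])` in `ProjectForm::configure()`, otherwise a user who passes the check above can still re-assign the project to another account by adding a `user_id` field to the submitted form.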

Related

Set WP User Role conditionally using Auth.0 rule at SSO

Currently building a WordPress intranet site, that authenticates users using Auth.0 SSO, against the company's Azure AD. The SSO functions properly, but I'm trying to get more granular with access control using Auth.0's "rules". The ideal result is a rule that specifies (updates) the user's WP Profile with a user role based on their job title from AD. The code below has been modified from one of Auth.0's rule templates, and runs clean. However, it doesn't work - I'm not sure what particular arguments/functions I need to actually update the role in WordPress. I'll be up-front and admit that I'm far from proficient in JS. Any thoughts?
function (user, context, callback) {
if (user.job_title === 'IT/Marketing Coordinator') {
user.vip = true;
}
callback(null, user, context);
}
In the example above, it successfully sets "user.vip" to "true" (which really doesn't prove much except that the rule executes without error).
This rule, as you said, is fine and will add this attribute.
The issue is that you will need to do something from the wordpress side to make it work (that the user has a vip flag doesn't mean anything to WordPress).
What you can do is hook to the auth0_user_login action that is fired each time a user logs in and based on the user profile set/change the user role.
This is how you hook to the action:
add_action( 'auth0_user_login', 'auth0UserLoginAction', 0,5 );
function auth0UserLoginAction($user_id, $user_profile, $is_new, $id_token, $access_token) {
...
}
I think you will find this WP doc useful to update the user role: https://codex.wordpress.org/Function_Reference/wp_update_user
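As an added example (not the answer's own code, and not part of the Auth0 WordPress plugin), here is the hook from the answer filled in so that it assigns a WordPress role from the profile attribute the rule sets. It assumes the `vip` attribute is visible on the `$user_profile` object the plugin passes to the hook (how the rule exposes it depends on the plugin and token configuration, so treat that field as an assumption); the `mysso_` function names and the `editor`/`subscriber` roles are placeholders.

```php
<?php
// Added example: map an Auth0 profile attribute to a WordPress role.
// Assumption: $user_profile->vip carries the boolean set by the Auth0 rule.

/**
 * Decide which role a profile gets.  Only roles named here can ever be
 * assigned from SSO data, so a crafted profile cannot ask for "administrator".
 */
function mysso_role_for_profile( $user_profile ) {
    if ( isset( $user_profile->vip ) && true === $user_profile->vip ) {
        return 'editor';
    }
    return 'subscriber';
}

add_action( 'auth0_user_login', 'mysso_sync_role', 10, 5 );
function mysso_sync_role( $user_id, $user_profile, $is_new, $id_token, $access_token ) {
    $role = mysso_role_for_profile( $user_profile );

    // Refuse to assign a role that does not exist on this site rather than
    // letting wp_update_user() fall back to something unexpected.
    if ( null === get_role( $role ) ) {
        return;
    }

    // Never let SSO data overwrite a locally granted administrator account.
    $current = new WP_User( $user_id );
    if ( in_array( 'administrator', (array) $current->roles, true ) ) {
        return;
    }

    // wp_update_user() with 'role' replaces the user's role (the doc linked above).
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
}
```

Because the hook runs on every login, the role follows the directory: when the job title changes in Azure AD, the next SSO login re-syncs it. Keep the mapping an allowlist as above; reading a role name straight out of the profile would let anyone who can influence their own profile attributes pick their WordPress role.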

What is the URL to edit other users' profiles

I can't figure out, though, how to edit another user's profile.
If I'm logged in as an admin I want to be able to edit other users' profiles.
What's the URL for that? Can someone please point me in the right direction?
I didn't see anything about what you're looking for....
Every time I have to work with it, I just use the User Manager as it's described in the official documentation...
Here is the specific documentation.
Maybe you should think about creating your own views:
List of Users
Edit of one User
And a Form mapping your User class.
Here is an extract of how to modify user only with UserManager:
$userManager = $container->get('fos_user.user_manager');
$user = $userManager->findUserByEmail($email);
$user->setUsername('John');
$userManager->updateUser($user);
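As an added example (not from the answer above, and not FOSUserBundle's own code), here is what an "edit another user" view looks like when built along the lines the answer suggests: an admin-only controller action that loads the target user by id through the UserManager, checks the role in the action itself, and saves through `updateUser()`. The bundle and controller names, the route name `acme_admin_user_list`, the form type alias `acme_user_edit` and the `ROLE_ADMIN` requirement are assumptions.

```php
<?php
// Added example for Symfony 2.5 + FOSUserBundle; names below are placeholders.
namespace Acme\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class AdminUserController extends Controller
{
    /**
     * Edit another user's account, addressed by id.
     * The authorization check lives here, in the action; hiding the link in the
     * UI or relying on the URL being unknown is not a control.
     */
    public function editAction(Request $request, $id)
    {
        if (!$this->get('security.context')->isGranted('ROLE_ADMIN')) {
            throw new AccessDeniedException('Only administrators may edit other accounts.');
        }

        $userManager = $this->get('fos_user.user_manager');
        $user = $userManager->findUserBy(array('id' => $id));
        if (null === $user) {
            throw $this->createNotFoundException(sprintf('No user with id %s', $id));
        }

        // Assumption: a form type for the user entity registered as 'acme_user_edit'.
        $form = $this->createForm('acme_user_edit', $user);
        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            // updateUser() canonicalizes username/email and hashes a new plain
            // password if one was set, then persists the entity.
            $userManager->updateUser($user);

            return $this->redirect($this->generateUrl('acme_admin_user_list'));
        }

        return $this->render('AcmeUserBundle:AdminUser:edit.html.twig', array(
            'form' => $form->createView(),
            'user' => $user,
        ));
    }
}
```

Mount the route under a prefix such as `/admin/users/{id}/edit` and add a matching `access_control` entry in security.yml (`- { path: ^/admin, role: ROLE_ADMIN }`) as a second layer; the in-action check still matters because `access_control` only matches on URL, and a later route refactoring can silently move the action outside the protected prefix.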

FOSUserBundle: User doesn't get roles of group

I am using Symfony 2.5 and trying to check if a user has a specific role. The tables are set up correctly in the database and the data is correctly inserted:
In the database exists a user test#example.com with a mapped group admin which has defined the roles a:1:{i:0;s:10:"ROLE_ADMIN";}
I don't know why the roles aren't read correctly. The debug toolbar tells me that I am only authenticated as ROLE_USER.
Code:
$securityContext = $this->container->get('security.context');
// isGranted() evaluates the roles held by the current security token
if ($securityContext->isGranted('ROLE_ADMIN')) {
    echo 'crazy coding magic happens here';
}
I have found this question (Symfony 2 FOS UserBundle users doesn't get group's role) which seems to be related to my question, but I am not satisfied with the answer, because I don't want to check the group access but the role access. In my case group permissions could change in the future.
Thanks for your help!
Okay - it seems I have found the solution by myself.
The problem is that you have to sign off the logged-in user and sign in again to recognize changes in the group-role mapping.
The code above is correct, and after the user is logged in again the correct roles are assigned.
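To see why the re-login is needed, here is an added diagnostic (not from the question or from FOSUserBundle) that puts the two sources of roles side by side. `isGranted()` consults the roles that were copied into the security token when the user authenticated and stored in the session; `User::getRoles()` in FOSUserBundle recomputes own roles plus the roles of every group the user currently belongs to. A group change shows up in the second list immediately and in the first only after a new authentication. The controller and route names are assumptions.

```php
<?php
// Added example, Symfony 2.5 security.context API; names are placeholders.
namespace Acme\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class RoleDebugController extends Controller
{
    public function rolesAction()
    {
        $context = $this->get('security.context');
        $token   = $context->getToken();
        $user    = $token->getUser();

        if (!is_object($user)) {
            // anonymous token: getUser() returns the string "anon."
            return new JsonResponse(array('error' => 'not authenticated'), 401);
        }

        // Roles the firewall attached to the token at authentication time.
        $tokenRoles = array();
        foreach ($token->getRoles() as $role) {
            $tokenRoles[] = $role->getRole();
        }

        // Roles the entity reports now: own roles + current group roles.
        $entityRoles = $user->getRoles();

        return new JsonResponse(array(
            'token_roles'           => $tokenRoles,
            'entity_roles'          => $entityRoles,
            'missing_until_relogin' => array_values(array_diff($entityRoles, $tokenRoles)),
            'is_granted_ROLE_ADMIN' => $context->isGranted('ROLE_ADMIN'),
        ));
    }
}
```

Expose this only in the dev environment. `token_roles` lists what the token carries before any `role_hierarchy` expansion, so `is_granted_ROLE_ADMIN` can be true through the hierarchy even when `ROLE_ADMIN` itself is absent from the list; `missing_until_relogin` is the set that explains the toolbar showing only ROLE_USER.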

How can a WordPress website show the visitor's name when he visits the website? Like "welcome <visitor name>"

If someone visits my website, how can I show them their name when they visit and show them a welcome message like "welcome Atul"? My website is created in WordPress.
Your visitor needs to be registered on your website. This is the only way WordPress can find his information. To know more about displaying information about a user, read this article: "http://codex.wordpress.org/Function_Reference/get_currentuserinfo"
To allow this to happen the user of the site will have to be registered, as otherwise there is no method to find their name. When they are logged in, by default it will say something like "Welcome, Woolnut". There are some small plugins that can change the welcome message for you, but you will need to get the user to log in before you have access to a name for them. If they are logged in already and you want to display their username / name then take a look at this link, it may be of use!
Edit
Turns out my link is the same one as the other answer! (Is probably the best link however...)
A slightly better way is to call wp_get_current_user instead, like so:
$user = wp_get_current_user();
if ( 0 !== $user->ID ) {
    // escape on output: the display name is user-supplied text going into HTML
    echo esc_html( $user->display_name );
}
This is a wrapper for get_currentuserinfo that actually returns the user to you directly instead of just setting a global variable. It returns a WP_User object with the information of the current user in it.
If the user is unknown or not logged in, then the function will return a WP_User with the ID set to zero, so you can check for that and also handle unknown users.
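As an added example (not from the answers above), here is the greeting packaged as a shortcode, with the anonymous case handled the way the last answer describes and the name escaped before it reaches the page. The shortcode tag `welcome_user`, the function name and the wording are assumptions.

```php
<?php
// Added example: greet the current WordPress user by name, guest-safe.

/**
 * Return the greeting as HTML-safe text; never echo from inside a shortcode.
 */
function mysite_welcome_text() {
    $user = wp_get_current_user();

    // A WP_User with ID 0 means an anonymous visitor (same test as is_user_logged_in()).
    if ( 0 === $user->ID ) {
        return 'Welcome, guest!';
    }

    // Prefer the display name; fall back to the login name if it is empty.
    $name = ( '' !== $user->display_name ) ? $user->display_name : $user->user_login;

    // Escape on output: whatever sanitisation ran when the profile was saved,
    // this value is user-controlled and is being placed into HTML.
    return 'Welcome, ' . esc_html( $name ) . '!';
}

add_shortcode( 'welcome_user', 'mysite_welcome_text' );
```

Use `[welcome_user]` in a post or page, or `<?php echo mysite_welcome_text(); ?>` in a theme template. Call the function from a hook, shortcode or template, not at the top level of a plugin file: `wp_get_current_user()` is a pluggable function that is not defined yet while plugins are being loaded.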

Change 'edit account' URL in Drupal

When going to edit account or edit profile in Drupal 7, the URL looks something like http://localhost/user/123/edit where 123 is the user id. Because of this, anyone can see how many users the site has, which I don't want. Is there a way that I can change it to something like http://localhost/user/edit or something without an ID?
I've tried setting up a menu entry in my module, that acts as the edit account/profile page, but had no success.
Also, I don't want to install a new module for this, I'd rather just write my code.
In theory, you could combine the Pathauto module (the widely-used module, used on over 250,000 D6 and D7 sites, which provides URL aliases for normal node and user paths, etc) with the Sub-pathauto module (a new D7 module, currently used on only a few hundred sites). The Sub-pathauto module is the only Drupal 7 module I'm aware of which will allow you to alias the user/uid part of a user/uid/edit -type path.
On the other hand, if your goal is simply to create the illusion that you might have more than a handful of users, when launching a new Drupal site, you could simply increment the UID index by adding (then deleting) a bunch of auto-generated users (with Devel generate), or since this is an auto-increment index, you could likely manually create a user entry in the database with an index of 1507 or something, and then any entry created by Drupal after that would start at 1508, even after you've removed the dummy entry from the table. (Caveat: I've never done this, but in theory it should work.)
Hope that helps. :-)
There is already a module that allows to do what you are trying to do, but as you want to avoid installing a module, you can create a module that contains the following code:
function mymodule_url_outbound_alter(&$path, &$options, $original_path) {
  if (preg_match('|^user/([0-9]+)(/.*)?$|', $path, $matches)) {
    // $matches[2] is unset when the path is just user/123
    $rest = isset($matches[2]) ? $matches[2] : '';
    if ($user = user_load($matches[1])) {
      $path = 'user/' . $user->name . $rest;
    }
  }
}
function mymodule_url_inbound_alter(&$path, $original_path, $path_language) {
  if (preg_match('|^user/([^/]+)(/.*)?$|', $path, $matches)) {
    // Leave numeric ids and Drupal's own user/* routes alone; otherwise an
    // account named e.g. "login" would capture user/login.
    $reserved = array('login', 'logout', 'register', 'password', 'reset');
    if (is_numeric($matches[1]) || in_array($matches[1], $reserved, TRUE)) {
      return;
    }
    $rest = isset($matches[2]) ? $matches[2] : '';
    $uid = db_query("SELECT uid FROM {users} WHERE name = :name", array(':name' => $matches[1]))->fetchField();
    if ($uid) {
      $path = "user/$uid" . $rest;
    }
  }
}
This code works if usernames are unique on your site. This is what normally happens on Drupal sites, where the username is forced to be unique; if a user tries to create an account using a username that already exists, he will get an error message.
The first hook rewrites paths such as "user/100" as "user/username", and the other hook makes the inverse operation. This is necessary because Drupal expects user paths in the format "user/userid" and it would not be able to handle a user path containing the username (except when you are using a path alias).
As you said you don't like that people can know how many users your site has, there is an easier way to avoid that. The fact that people know that 123 is a valid user ID, though, doesn't mean they know how many users are registered on your site: you could have 1,000 users or 140,000 users. They just know that you could have 123 users, but if you have blocked users on your site, then some of the user IDs are not usable.
Create a user account that will never be used to log in, and create content on your site.
Editing the "users" database table, increase the user ID of the account you created. Supposing that its user ID is 146, increase that number by 100.
Now, the next user that registers on your site will have a user ID equal to 247.
Keep increasing the user ID of the dummy account you created so that it stays above the highest user ID.
In this way, if somebody notices that there is a user account with ID equal to 247, he will wrongly suppose you have 247 users.
What I did after all, was to create a hook_user_insert and to add 2 URL aliases in the urlalias table:
user/$user->uid/edit -> user/$user->name/edit
and
user/$user->uid/edit/profile -> user/$user->name/edit/profile
Hope this helps somebody.
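As an added example (not the asker's actual code), here is what the approach in the last post looks like as a Drupal 7 module: `hook_user_insert()` creates the two aliases described above through the path API, and `hook_user_update()` re-creates them when the username changes, since otherwise a renamed user keeps aliases pointing at the old name. The module name `mymodule` and the helper names are placeholders. Note what this does and does not hide: the numeric uid disappears from the edit URL, but the username now appears in it, and usernames are at least as interesting to an attacker probing for valid accounts as a sequence number is.

```php
<?php
// Added example: Drupal 7 user edit-path aliases via hook_user_insert/update.

/**
 * The two aliases the post describes, keyed by their Drupal-internal source path.
 */
function mymodule_user_edit_aliases($account) {
  return array(
    'user/' . $account->uid . '/edit'         => 'user/' . $account->name . '/edit',
    'user/' . $account->uid . '/edit/profile' => 'user/' . $account->name . '/edit/profile',
  );
}

/**
 * Create or refresh the aliases for one account.
 */
function mymodule_save_user_edit_aliases($account) {
  foreach (mymodule_user_edit_aliases($account) as $source => $alias) {
    // Remove any earlier alias for this source (e.g. after a username change),
    // then store the new one in the url_alias table.
    path_delete(array('source' => $source));
    $path = array('source' => $source, 'alias' => $alias);
    path_save($path);
  }
}

/**
 * Implements hook_user_insert().
 */
function mymodule_user_insert(&$edit, $account, $category) {
  mymodule_save_user_edit_aliases($account);
}

/**
 * Implements hook_user_update().
 */
function mymodule_user_update(&$edit, $account, $category) {
  // user_save() exposes the pre-save object as $account->original.
  if (isset($account->original) && $account->original->name !== $account->name) {
    mymodule_save_user_edit_aliases($account);
  }
}
```

Existing accounts need a one-off pass (for example from `hook_install()` or a drush script) that calls `mymodule_save_user_edit_aliases()` for every user, since the insert hook only fires for accounts created after the module is enabled.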
