In portal_workflow - tab Groups, one can specify the group to role mappings.
In the Sharing tab one can select roles for groups on a folder basis.
What takes precedence for a user, the mapping or the local role assigned on a folder in a given state of the workflow and a specific folder?
Are they additive?
Eventually, they are the same thing. Workflows modify (during transitions) those same settings that are manually editable using the Sharing-tab. Therefore, a transition could override the settings you had made earlier.
Let's say you'd like a certain user group to have the Editor role for all objects that are in the private state of simple_publication_workflow. You'd configure the workflow to manage that group and edit group to have the Editor role in private state, but not in other states. Now, when you click Update security settings, the group gets the defined role in all private objects controlled by that workflow. If you now make manual modification through the Sharing-tab for that particular group, your modifications will be lost after the next workflow transition or Update security settings-run.
Related
I like to include the entities in the paths generated by ApiPlatform.
In practice, I want the build URL contains the IDs of the "parent" entities, the ones to which belong the entity I'm retrieving.
As in the object, I'd like URLs like those:
/{account_id}/channels: here the Channel entity has a property Account $account with a many-to-one relation (one Channel can have only one Account but one Account can have multiple Channels)
/{account_id}/{channel_id}/another_entity: here I want to retrieve AnotherEntity that have property Channel $channel (it may have also the property Account $account, but it may not have it).
How to build those URLs?
The idea is to permit the User to have multiple tabs open with different accounts, without force him/her to see one account a time: I want the User be able to open at the same type Account 1 and Account 2.
Ideally, on each {account_id} should be a check that confirms the User has access to the Account in the URL (starting from its ID).
On our company's Phabricator site, for example, I have an Approver select (dropdown) field that is part of the form when I create a new Task. I want only a specific group of people to be able to see this Approver field when someone creates a new Task or edits the Task. Is there any way to accomplish this?
You can create forms for creating maniphest tasks and pre fill them with values. Therefore go to https://<phabricator-uri/transactions/editengine/maniphest.task/ .
You can additionally set permissions to different groups to grant access to these forms.
For more details just read: https://secure.phabricator.com/book/phabricator/article/forms/
I'm working on a project where I have to handle unregistered user - users that have been added to the group but still they do not have registered in the app.
What I'm doing now is to create a new child in my 'user' db, putting all the info that i know about this unregistered user.
Of course, it also has an id.
This id will be used to represent that user and so it will be used in a lot of places of the db.
The problem comes when this user tries to register itself. Since when creating a new user it's not possible to force the 'id' that he already had, Firebase will create a new id for him.
Then, in the db I need to change all the references of the 'old id' with the new one.
Is there any better way to do it ?
1) You can use another "fake" table to remap the IDs, that is, instead of changing the old id and its references you can add new instance to your "fake" table when user registered. And when needed using simple service you can find the corresponding id.
2) Secondly, you can do authentication yourself, what I mean is that, you can develop your own registration service and define the id yourself in registration. If system is already big and hard to change. First option would be suitable but will have some cost in terms of time.
If we keep edit="false" and create="false" then we can remove the edit and create button. But is it possible to remove these buttons bases on groups?. That is for admin it should be visible and for user it shouldn't be visible.
Security in Odoo
Access Control
Managed by the ir.model.access records, defines access to a whole
model.
Each access control has a model to which it grants permissions, the
permissions it grants and optionally a group.
Access controls are additive, for a given model a user has access all
permissions granted to any of its groups: if the user belongs to one
group which allows writing and another which allows deleting, they can
both write and delete.
If no group is specified, the access control applies to all users,
otherwise it only applies to the members of the given group.
Available permissions are creation (perm_create), searching and
reading (perm_read), updating existing records (perm_write) and
deleting existing records (perm_unlink)
So you need to create a file with the model permissions (module_name/security/ir.model.access.csv) in order to get what you want.
The content of this file should be something like this:
By the way, if you want to make something only visible for the administrator then you should add this attribute to the element: groups="base.group_no_one"
In my MVC3 application I have ASP.NET Membership roles like - Manager, System Admin and Editor
I am using Windows Authentication for the website and I am adding the users in the Network to the Membership just like in the following example -
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
But, my problem is there are people who require multiple permissions. For example
User-John is the Manager of Department-ABC and he can see all the Actions in Department-ABC.
User-John is also Editor in Department-XYZ and he should be able to see all the Actions of an Editor in Department-XYZ;
but NOT the Actions of Manager; because he is not the Manager of Department-XYZ.
User Mathew is the Manager of Department-XYZ and he is an Editor in Department-ABC.
If I use normal role privileges, it will allow User-John to be the Manager of both departments and it is not right.
My solution is to store the DepartmentID, UserID and RoleID in a seperate table in SQL database and allow according to this table.
How can I get the role ID from ASP.NET Membership in C# and also in SQL?
Is it safe to do?
Is there a better solution?
Activity based membership would probably fit here.
In activity based membership your users get access to actions, not to roles.
Typical usage is:
One action = one activity
There are still roles given to users, but they are used to group activities
There is n..n relation between roles and activities
Activity is just a custom action filter that is applied to the action.
Typical example is here (although I don't like this approach, so I made my own implementation).
[Activity(Name="DoSomething")]
public ActionResult DoSomething()
{
...
return View();
}
Membership can be stored in ASP Membership database table, custom table or represented as AD group. Depends whether you implement custom membership provider or you use default implementation.
At the end, there has to be n..n relationship like RoleActivity, where you link the particular role to the activity (like Manager1 to both AddMemberToDepartment and AddComment, and Manager2 to just AddComment). This relation can be classic n..n database relation or 'virtual', where role is in AD and database table relates to it only via group name.
EDIT:
If you use default database role based authorization, table aspnet_Roles will be generated for you. To support activity based membership you will have to add your own activity table manualy, along with additional role-activity relation.
This schema should help you proceed.
aspnet_Roles (autogenerated)
* ApplicationId
* RoleId
* ...(other autogenerated columns)...
aspnet_MyActivity (add manually)
* ActivityId
* ApplicationId
* Name
* Description
aspnet_MyPermission (add manually)
* ApplicationId
* RoleId
* ActivityId
You can fill roles using membership provider.
Then fill manually your activities as your application needs them, say, one activity per action method.
Finally, manually add your activity permissions to roles.
Real world scenario
If your organization is small enough, it may be acceptable to add one role per department and one activity per action/deparment:
role: Dep. mgr. of ABC,
role: Dep. mgr. of XYZ,
activity: createAbcUser,
activity: createXyzUser
Connect them using appropriate permissions and you have your requirement covered.
However, for a large number of departments adding one role per department and giving activity permission for each of them can be a little awkward. In that case you should stick with simple role "Department manager" and simple activity "Create user", and give your manager permission to create user. However, you have to stop manager to create user in a different department - use your hierarchy for that, meaning, check if your user belongs to your manager.
Your action filter will then look like this:
check if any of current users roles has a permission to run that activity
check your hierarchy: does your current user have a permission to work on referenced user?
If both of these are true, action method can be executed.
NOTE: You will probably reference user by some input parameter, so your action filter has to access that parameter. See Getting the values of action parameters within an action filter to solve that.