Equality of $is_admin for custom created role users - drupal

I have created a site-admin role for my client to edit page contents.
Are users with this site-admin role included in the $is_admin condition? I tested it and, as far as I can see, they are not, unless I'm missing something. So what is the equivalent of $is_admin for users with my custom created role?
Any help is appreciated!! Thanks a lot

Looks like the following:
// $is_admin is set from a permission, not from any role name.
if (user_access('access administration pages')) {
  $variables['is_admin'] = TRUE;
}
According to http://api.drupal.org/api/function/template_preprocess/6
But that permission is overreaching, and this really depends on what you are trying to achieve.
Alternatively, you can do something like:
global $user;
// Role-based check: $user->roles is keyed by rid with the role name as value.
// The uid check keeps anonymous users out even if a role were mis-assigned.
if ($user->uid != 0 && in_array('some_role', $user->roles)) {
  $user_is_some_role = TRUE;
}

It is recommended that you do not check if a user has a specific role, but if the user has a specific permission. It's a basic rule in security: it's not about who you are, it's about what you're allowed to do.
The $is_admin variable is a little confusing because the name suggests that it checks for a certain role. However, the code Kevin posted shows that $is_admin is in fact checking for a permission.
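As an added example (not code from the answers above), here is how the permission-based approach the second answer recommends looks in a Drupal 6 module. It assumes a hypothetical module named sitemod and a hypothetical permission 'edit site page contents'; the site-admin role is then granted that permission at admin/user/permissions, and templates get a variable that stays correct even if the role is renamed or a second role is added.

```php
<?php
// Added example: hypothetical Drupal 6 module "sitemod". Exposes a template
// variable based on a permission, not on the "site-admin" role name.

/**
 * Implements hook_perm().
 *
 * Declares a narrow permission for the client's role. Unlike
 * 'access administration pages' (which drives $is_admin) it grants nothing
 * else, so it can be handed out without opening the admin section.
 * The permission name is an assumption for this example.
 */
function sitemod_perm() {
  return array('edit site page contents');
}

/**
 * Implements hook_preprocess_page().
 *
 * $is_admin (set in template_preprocess()) is TRUE for anyone holding
 * 'access administration pages'. This adds a narrower $is_site_admin that is
 * TRUE only for authenticated accounts holding the permission above, so
 * page.tpl.php can do: <?php if ($is_site_admin): ?> ... <?php endif; ?>
 */
function sitemod_preprocess_page(&$variables) {
  global $user;
  // user_access() resolves the permission through every role the account
  // has, so the template never needs to know which role carries it.
  $variables['is_site_admin'] = ($user->uid != 0) && user_access('edit site page contents');
}

/**
 * Helper for other custom code: the same permission check against an
 * arbitrary account, e.g. when rendering another user's content.
 */
function sitemod_account_can_edit_pages($account) {
  return user_access('edit site page contents', $account);
}
```

If a theme already branches on $is_admin for the client's editing UI, switch those branches to $is_site_admin and leave 'access administration pages' for accounts that genuinely need the admin section.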

Related

Piranha CMS Manager Login Session

I would like to know how to check if the user is currently logged in the Manager Area. How could I check this? Thanks.
I want to create something like:
bool IsManagerIn = false;
if (Session["Manager"] != null)
    IsManagerIn = true;
You can use the built-in permissions; check the docs here:
http://piranhacms.org/docs/api-reference/permissions
For example you could check if the current user is an Admin with:
if (User.HasAccess("ADMIN"))
    DoSomething();
Regards
/ Håkan

FOSUserBundle: User doesn't get roles of group

I am using Symfony 2.5 and trying to check if a user has a specific role. The tables are set up correctly in the database and the data is inserted correctly:
In the database exists a user test#example.com with a mapped group admin which has defined the roles a:1:{i:0;s:10:"ROLE_ADMIN";}
I don't know why the roles aren't read correctly. The debug toolbar tells me that I am only authenticated as ROLE_USER.
Code:
$securityContext = $this->container->get('security.context');
$securityContext->isGranted('ROLE_ADMIN');
if ($securityContext->isGranted('ROLE_ADMIN')) {
    echo 'crazy coding magic happens here';
}
I have found this question (Symfony 2 FOS UserBundle users doesn't get group's role) which seems to be related to my question, but I am not satisfied with the answer, because I don't want to check the group access but the role access. In my case group permissions could change in the future.
Thanks for your help!
Okay, it seems I have found the solution myself.
The problem is that you have to sign out the logged-in user and sign in again to recognize changes in the group-role mapping.
The code above is correct, and after the user is logged in again the correct roles are assigned.

Drupal 7 simple social network - how can I only allow friends to see a specific user field?

I want to make a simple social network website using drupal 7. There will be a relationship type like 'friendship'. After a lot of Googling, I haven't found any way to forbid non-friend people from viewing a specific field. For example, there could be a field containing the user's phone number - I would want other users not to be able to see this field unless they are the user's friend. How do you do this? Are there any modules or anything else that could help me?
Your best friend would be your custom module that has hook_field_access() properly set up in it.
EXAMPLE:
function MYMODULE_field_access($op, $field, $entity_type, $entity, $account) {
  // Default to allowing access; only return FALSE where you want to deny.
  $access = TRUE;
  // hook_field_access() runs for every field of every entity (and $entity may
  // be NULL for settings forms), so narrow down before doing any work.
  if ($op == 'view' && isset($entity->type)) {
    switch ($entity->type) {
      case 'REFERENCED_NODE_TYPE_NAME':
        // DO YOUR STUFF HERE: set $access to TRUE or FALSE depending on
        // whether $account should be allowed to see $field on $entity.
        break;
    }
  }
  return $access;
}
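As an added example (not the answer's code), here is a complete Drupal 7 hook_field_access() for the phone-number case in the question. It assumes a hypothetical module named friendfield, a user field named field_phone, and a hypothetical table {friendship} with columns uid and friend_uid holding accepted friendships; a real site would read whatever relationship module it installed.

```php
<?php
// Added example: hypothetical Drupal 7 module "friendfield". Hides the user
// field "field_phone" from everyone except the owner, friends and admins.

/**
 * Implements hook_field_access().
 *
 * Runs for every field on every entity, so bail out with TRUE unless this is
 * a view of the protected user field. A FALSE from any module denies access;
 * TRUE only means this module raises no objection.
 */
function friendfield_field_access($op, $field, $entity_type, $entity, $account) {
  if ($op != 'view' || $entity_type != 'user' || $field['field_name'] != 'field_phone') {
    return TRUE;
  }
  // Field API may call this without a concrete entity (field settings forms,
  // Views handler setup); with no owner to compare against, do not block.
  if (empty($entity->uid)) {
    return TRUE;
  }
  // Owners always see their own number; site administrators do too.
  if ($account->uid == $entity->uid || user_access('administer users', $account)) {
    return TRUE;
  }
  // Anonymous visitors can never be anyone's friend.
  if ($account->uid == 0) {
    return FALSE;
  }
  return friendfield_is_friend($account->uid, $entity->uid);
}

/**
 * TRUE if the two accounts have an accepted friendship in either direction.
 * The {friendship} table (uid, friend_uid) is an assumption of this example.
 */
function friendfield_is_friend($viewer_uid, $owner_uid) {
  $count = db_select('friendship', 'f')
    ->fields('f', array('uid'))
    ->condition(db_or()
      ->condition(db_and()->condition('uid', $viewer_uid)->condition('friend_uid', $owner_uid))
      ->condition(db_and()->condition('uid', $owner_uid)->condition('friend_uid', $viewer_uid)))
    ->countQuery()
    ->execute()
    ->fetchField();
  return $count > 0;
}
```

hook_field_access() gates Field API rendering and forms. Any custom code that reads field values directly (a hand-written SQL query, a custom JSON export) bypasses it and has to call field_access('view', ...) itself, so keep the phone number out of such paths or check there too.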

Avoid "user cross access" in Symfony

I am currently working on a project based on Symfony 1.4. I am using the sfDoctrineGuardPlugin to authenticate my two kinds of users: users and admins. For each module and each action in a module, I am using credentials to prevent unauthorized action execution.
But I am facing a problem: if a user wants to edit a project, for example, the URL will look like frontend.php/project/edit/id/1. Here, we suppose that project #1 belongs to him. Now, let's suppose that project #2 does not belong to him. If he types the URL frontend.php/project/edit/id/2, he will have access to the edit form, and will be able to edit a project that does not belong to him.
How can I prevent that behaviour?
I would like to avoid verifying the ownership of each editable model before displaying the edit form... But can I do differently?
Do you have any good practices or advice to prevent this behaviour?
Thanks a lot!
Since you will have to check the project to know if the current user is allowed to edit it, I don't think you will have any other way than verifying before the edit, in the action part. Why don't you want to do it this way?
This check can be done inside the preExecute function:
public function preExecute()
{
  $request = $this->getRequest();
  if ($request->hasParameter('id'))
  {
    $project = Doctrine_Core::getTable('Project')->find($request->getParameter('id'));
    // A missing record must also be a 404; otherwise getUserId() is called on FALSE.
    $this->forward404Unless($project, 'No such project');
    $user_id = $this->getUser()->getGuardUser()->getId();
    $this->forward404If(
      // Cast both sides: Doctrine may hydrate user_id as a string, and !== would then always fire.
      (int) $project->getUserId() !== (int) $user_id,
      'User #'.$user_id.' is not allowed to edit project #'.$project->getId()
    );
  }
}
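As an added example (not the answer's code), the same check can be hoisted into a base action class so that every module handling a user-owned model gets it without repeating the code, which addresses the asker's wish not to hand-write the verification per edit form. It assumes the Symfony 1.4 + sfDoctrineGuardPlugin setup from the question, a Doctrine model Project with a user_id column, and a hypothetical base class name ownedActions.

```php
<?php
// Added example: hypothetical base class for Symfony 1.4 modules whose models
// carry a user_id column. Any action that receives an "id" parameter gets the
// ownership check automatically, so one forgotten check cannot become a
// cross-user edit.

abstract class ownedActions extends sfActions
{
  /** Doctrine model name to load; set in the subclass. */
  protected $ownedModel = null;

  /** The record loaded and verified in preExecute(), for the action to reuse. */
  protected $owned = null;

  public function preExecute()
  {
    parent::preExecute();
    $request = $this->getRequest();
    if ($this->ownedModel !== null && $request->hasParameter('id')) {
      $this->owned = $this->loadOwned($request->getParameter('id'));
    }
  }

  /**
   * Loads the record and verifies ownership. "Does not exist" and "belongs to
   * someone else" both answer 404, so the difference cannot be used to learn
   * which ids exist.
   */
  protected function loadOwned($id)
  {
    // Authentication itself is enforced by security.yml credentials; an
    // unauthenticated request never reaches this point.
    $record = Doctrine_Core::getTable($this->ownedModel)->find($id);
    $this->forward404Unless($record, 'No such record');
    $user_id = $this->getUser()->getGuardUser()->getId();
    // Cast both sides: Doctrine may hydrate the column as a string.
    $this->forward404If((int) $record->getUserId() !== (int) $user_id, 'Not the owner');
    return $record;
  }
}

class projectActions extends ownedActions
{
  protected $ownedModel = 'Project';

  public function executeEdit(sfWebRequest $request)
  {
    // $this->owned was loaded and checked in preExecute(); reuse it instead
    // of fetching the project again from the raw id parameter.
    $this->forward404Unless($this->owned, 'Project id required');
    $this->form = new ProjectForm($this->owned);
  }
}
```

The same base class serves executeUpdate() and executeDelete(): anything that resolves an id to a record passes through loadOwned() first, and a new action cannot skip the check by omission.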

How to perform Request destination in user page

I am trying to redirect any logged user attempts to access /user.
In my module the next code to redirect after login:
function ccmm_user($op, &$edit, &$account, &$category = NULL)
{
  switch ($op) {
    case 'login':
      // Override the post-login redirect so the user lands on admin/ instead of user/UID.
      $_REQUEST['destination'] = 'admin/';
      break;
  }
}
This is working. Then I tried it with case 'view': but it is useless.
It sounds like you want the user to never get to the /user page, whether on login or even by going there manually.
In that case you should do a simple check in a hook_init function like this:
function ccmm_init() {
  // Drupal stores the normalized system path in $_GET['q'] without a leading
  // slash, so '/user' never matches; compare against 'user'.
  if (isset($_GET['q']) && $_GET['q'] == 'user') {
    drupal_goto('admin'); // Or wherever you want to send them (no leading slash).
  }
}
Of course there are a lot of checks you should do, and you may want to look into using the Global Redirect module; don't worry, it's only 8k in size, so the concern about adding yet another module is not such a problem in this case.
You could try the Login Destination module rather than writing your own code.
If you're not familiar with the Login Toboggan module, you should be.
A better way could be to use hook_menu_alter in your module to just remove the menu entry for /user/%user_uid_optional, or move it to another URL.
That way you won't only be handling logins (as you currently do), but ANY access to /user/ (caveat: including those by the admin user). Or you could use the same hook to modify the access check and only grant it to users with higher permissions, like administer users.
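As an added example (not code from the answers above), here is the access-check variant of that last suggestion for Drupal 6, using the module name ccmm from the question. Core registers 'user' (the login / entry page) and 'user/%user_uid_optional' (the profile page); swapping their access callbacks makes Drupal answer 403 at every entry point, including direct URLs, rather than relying on a redirect in hook_init().

```php
<?php
// Added example: Drupal 6 hook_menu_alter() for the hypothetical module "ccmm".
// Restricts the user pages to anonymous visitors (who need 'user' to log in)
// and to accounts with 'administer users'.

/**
 * Implements hook_menu_alter().
 *
 * Menu alters run before Drupal builds the router, so the default local task
 * 'user/%user_uid_optional/view' inherits the new access callback as well.
 * 'user/login', 'user/register', 'user/password' and the 'edit' tab keep their
 * own access callbacks and are untouched.
 */
function ccmm_menu_alter(&$items) {
  foreach (array('user', 'user/%user_uid_optional') as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'ccmm_user_page_access';
      $items[$path]['access arguments'] = array();
    }
  }
}

/**
 * Access callback for the user pages.
 *
 * Anonymous visitors must still reach 'user' to see the login form;
 * everyone else needs 'administer users'.
 */
function ccmm_user_page_access() {
  global $user;
  return $user->uid == 0 || user_access('administer users');
}
```

Keep the hook_user('login') redirect from the question alongside this: core's default post-login destination is user/UID, which ordinary accounts can no longer open, so without the redirect they would log in straight into a 403. Clear the menu cache (or run update.php) after adding the hook so the altered router entries take effect.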
