I'm using strapi.
User registered with local api getting all data same as super admin.
How to implement or which plugin setting restricts, non-admin user to access data that he has added. (Similar to author-admin role)
This depends. Do you mean access their own data via the default Strapi backend? if yes, you could give them the Author role. Authors can always onle edit their own content.
If you mean access via REST API, you should be able to accomplish this with a policy, where you can restrict specific access based on your code entirely.
Related
In my app I want to have some feed where different users can add activities
How can I do this? Are there any settings of user rights?
It would help if you could elaborate on what you are trying to build (e.g. what kind of user ACL you are trying to offload to Stream) and whether you are using an SDK or the REST API directly. Multiple users can add activities to the same feed.
Regarding user rights, permissions they would be embedded in the JWT token when you're doing server-side authentication, as exposed here.
This question is regarding authorization, not authentication which i will be managing with passportjs. How do i restrict access for data that's bound to specific users without spreading user_id's all over every table in the database?
Should i create a new database user for each new user of my app and restrict access that way? Or is the "user id in every table" approach actually a good way to go?
I'm working on a project right now where someone else wrote the authorization logic and it works using a kind of authorization path in the code so it can find which user a resource belongs to using some breadcrumb logic.
But I'm really at a loss here and I'm having a hard time finding any information regarding this since almost all articles that I find are about authentication rather than authorization. And I do not mean access to a resource, but rather the filtration of data returned from a resource that the user has access to.
If you want to restrict access of users to certain objects, you either have to store that information with the user or with the object.
The latter is the preferred way because it makes permissions disappear with the object. That's the way PostgreSQL does it – it stores an access control list (ACL) with every object.
So you can either use PostgreSQL to implement privileges (then every application user or at least every group with equal privileges has to have a database user, and you can use permissions on tables and columns and row level security), or you implement it in your application and have some sort of ACL with every row in the database.
i'm developing a Symfony2 app which involves users with hierarchical roles. Right now i can register, recover and login into the application without issues as i've implemented roles and users as described in Symfony2 docs.
At that point, i've developed some CRUD's in order to be able to manage objects in the application but in the current implementation i must check current user roles in order to let him or not run "selected" actions. I mean, in each controller i get security context, then user object and check permissions then sometimes i need to check the current user is the owner of the data - i.e if an user has clients i need to check url passed variables/id/whatever are owned/belongs the current user - and then deny access or not.
So, as far i'm used to and feeling comfortable developing the application as mentioned above i'm wondering is there is a better approach or a Symfony2 approach where i can manage roles and data in standard or more understanding way so future developers doesn't need to go through each if or check inside controllers+actions. I also would like to note i would be able to customize how data or objects are fetched or loaded so i can optimize sql's run in background.
Symfony ACLs is exactly what you need. You can assign access rights (i.e. OWNER, EDIT, VIEW etc) to a single user or assign to all users with a certain role (or both).
If ACL is too complex for your needs, than an alternative approach would be to use a custom Security Voter.
I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).
Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first though was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties boiling down to you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value