I am a beginner in Sling and I want to find a way to get access to and create files in /var resources of JCR.
I tried using ResourceResolver but I cannot find the path, as in the example below:
request.getResourceResolver().getResource("var"); it returns null.
Is getting the resourceResolver from SlingHttpServletRequest a good way to get it?
First, JCR paths should always start with a /. So your code was almost correct.
Change:
request.getResourceResolver().getResource("var");
To:
request.getResourceResolver().getResource("/var");
If your ResourceResolver has permissions to read /var, you will get a Resource. Otherwise, you get null. If you get the ResourceResolver from the request, the permissions depend on the permissions of the user doing the request.
Is getting the resourceResolver from SlingHttpServletRequest a good way to get it?
It depends. There is a lot to say about "where to get your ResourceResolver from", but to make it simple:
If you want to limit access to a resource based on a user's permissions, you should get the ResourceResolver from a request. In all other situations, get the ResourceResolver from the ResourceResolverFactory.
The ResourceResolverFactory is its own rabbit hole. So I would point you to the documentation for that:
https://sling.apache.org/apidocs/sling9/org/apache/sling/api/resource/ResourceResolver.html
Related
I am adding ACL to a nodejs/express application. I have already read the documentation for the modules acl and express-acl but there is something missing.
They don't provide examples on how to handle access to single resources.
Typical example: users can edit their own comments but can only read other users' comments. So having a role that either grants or denies edit permissions to the resource comment/edit is not good enough. The permission depends on which comment the user is accessing.
Is there a way to achieve that with one of the modules provided on npm, or is it something that one must implement in the controller after the acl module has provided access to the resource?
Thanks
We searched a lot, but found no good ACL for Node for this kind of stuff.
However, in Node.js it is really easy to just write the method as middleware, which checks the rights on a specific resource and allows/denies the user access to it. If you are not writing something really big, this is a reasonable approach.
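The per-resource check the answer describes, as an added example that is not part of the original answer: an Express-style `(req, res, next)` middleware that layers an ownership rule ("you may edit only your own comment") on top of a plain role ACL. It uses only plain functions, so it runs without Express installed; the comment store, the roles and the `invoke` helper are this example's own constructed sample data, not anything from the acl or express-acl packages.

```javascript
// Added example (not from the answer above): per-resource authorization as
// Express-style (req, res, next) middleware. Plain functions only, so it runs
// without Express installed; the comment store, roles and users below are
// constructed sample data.

const comments = new Map([
  [1, { id: 1, authorId: 'alice', body: 'first comment' }],
  [2, { id: 2, authorId: 'bob', body: 'second comment' }],
]);

// Role-level ACL: what each role may do with comments in general. This is the
// part that packages like acl/express-acl cover.
const roleAcl = {
  guest: ['read'],
  user: ['read', 'edit', 'delete'],
  admin: ['read', 'edit', 'delete'],
};

// Instance-level rule the role ACL cannot express: these actions also require
// that the caller wrote the specific comment. Assumption: admins are exempt.
const ownerOnly = new Set(['edit', 'delete']);

function authorizeComment(action) {
  return function (req, res, next) {
    const user = req.user || { id: null, role: 'guest' };
    const allowed = roleAcl[user.role] || [];
    if (!allowed.includes(action)) {
      return res.status(403).json({ error: 'role not permitted' });
    }
    const comment = comments.get(Number(req.params.id));
    if (!comment) {
      return res.status(404).json({ error: 'not found' });
    }
    if (ownerOnly.has(action) && user.role !== 'admin' && comment.authorId !== user.id) {
      return res.status(403).json({ error: 'not the owner' });
    }
    req.comment = comment; // pass the already-loaded resource on to the handler
    return next();
  };
}

// Stand-in for Express's req/res so the middleware can be exercised directly.
// Returns {status: 200, comment} when next() was called, otherwise the
// status/body the middleware responded with.
function invoke(middleware, { userId, role, commentId }) {
  const req = {
    user: userId ? { id: userId, role } : undefined,
    params: { id: String(commentId) },
  };
  let outcome = null;
  const res = {
    status(code) { outcome = { status: code }; return this; },
    json(body) { outcome.body = body; return this; },
  };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return nextCalled ? { status: 200, comment: req.comment } : outcome;
}

// bob may read alice's comment but not edit it
console.log(invoke(authorizeComment('read'), { userId: 'bob', role: 'user', commentId: 1 }).status); // 200
console.log(invoke(authorizeComment('edit'), { userId: 'bob', role: 'user', commentId: 1 }).status); // 403
```

In a real application the middleware is mounted per route, e.g. `app.put('/comments/:id', authorizeComment('edit'), handler)`, with `req.user` populated by the authentication middleware that runs before it. The resource is loaded once, inside the check, and handed to the handler via `req.comment`, so the handler never re-fetches it with a different id than the one that was authorized.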
I was trying to find it in the docs or anywhere on the web but I did not find it.
What am I asking about?
I am building a website for multiple users. The frontend is not important, but the backend API is being built in Loopback.
Every user will be assigned to some, let's name it GROUP.
Group content will be then exposed on subdomain but it is not important now.
Users will be kind of admins of their group.
I will have plenty of different models, but I will always have to protect users from accessing elements which do not belong to their group.
How should I do it? I think it will be some middleware but I do not know how to do it properly.
Of course, every user and every element have field "group_id".
I am also trying to find a good solution... I did find this npm package that looks worth a try: https://www.npmjs.com/package/loopback-component-access-groups
Here is a short description of what the package is used for:
"This loopback component enables you to add multi-tenant style access controls to a loopback application. It enables you to restrict access to model data based on a user's roles within a specific context."
I'm struggling with the same problem, and I did not yet find a satisfactory response.
My workaround is explained in this question. I've got my user ID and with this, I retrieve the data I need to restrict the access. Then I alter the query in accordance with fetched data.
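The query-altering workaround above and the "every element has a group_id" requirement from the question, as an added example that is neither answerer's code: the caller's group is taken from the authenticated user's record on the server and ANDed into whatever filter the client sent, the way a LoopBack access hook would rewrite the query's `where`. The in-memory users and posts and the small filter evaluator are constructed for this example; it is plain JavaScript and does not use the LoopBack or loopback-component-access-groups APIs.

```javascript
// Added example (not part of either answer above): enforcing a group/tenant
// boundary on every read and write. Plain JavaScript with constructed sample
// data and a minimal where-filter evaluator, so it runs stand-alone.

const users = {
  ann: { id: 'ann', group_id: 1 },
  ben: { id: 'ben', group_id: 2 },
};

const posts = [
  { id: 10, group_id: 1, title: 'group 1 post' },
  { id: 11, group_id: 1, title: 'another group 1 post' },
  { id: 20, group_id: 2, title: 'group 2 post' },
];

// Wrap whatever "where" the client supplied in an AND with the caller's group.
// A client-supplied {group_id: <other group>} cannot widen the result set: it
// only ANDs into a contradiction and returns nothing.
function scopeWhere(clientWhere, groupId) {
  const clauses = [{ group_id: groupId }];
  if (clientWhere && Object.keys(clientWhere).length > 0) clauses.push(clientWhere);
  return { and: clauses };
}

// Minimal evaluator for the filter subset used here: field equality, "and",
// "or". Not a full LoopBack filter implementation.
function matches(record, where) {
  return Object.entries(where).every(([key, value]) => {
    if (key === 'and') return value.every((w) => matches(record, w));
    if (key === 'or') return value.some((w) => matches(record, w));
    return record[key] === value;
  });
}

// Read path: the scope comes from the authenticated user's stored group_id,
// never from anything the client sent.
function findPosts(userId, clientWhere) {
  const user = users[userId];
  if (!user) throw new Error('unauthenticated');
  const where = scopeWhere(clientWhere, user.group_id);
  return posts.filter((p) => matches(p, where));
}

// Write path: instance-level check that the target belongs to the caller's
// group, and group_id is pinned so a record cannot be moved across groups.
function updatePost(userId, postId, changes) {
  const user = users[userId];
  if (!user) throw new Error('unauthenticated');
  const post = posts.find((p) => p.id === postId);
  if (!post || post.group_id !== user.group_id) {
    return { ok: false, status: 403 };
  }
  const safeChanges = { ...changes };
  delete safeChanges.group_id; // never accept group_id from the client
  Object.assign(post, safeChanges, { group_id: user.group_id });
  return { ok: true, post };
}

// ann sees only group 1; asking for group 2 explicitly yields nothing
console.log(findPosts('ann').map((p) => p.id)); // [10, 11]
console.log(findPosts('ann', { group_id: 2 }).length); // 0
```

The same two hooks are needed for every model that carries `group_id`: one that rewrites the query before reads, and one that checks (and pins) the group before writes. Doing only the read side leaves updates and deletes by id reachable across groups.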
I've got a Symfony application that has multiple subsites.
Each site has its own set of users, but all users are stored in the same table. All users are linked to 1 subsite, never 2 or more.
Allowing a user to use a single account on multiple sites is not an option given the use-case of this website.
I've got a RequestSubscriber which figures out what site is currently being requested (based on hostname) and pushes some extra information into the Request object attributes.
When a user attempts to log in, Symfony should only attempt to load users from the current subsite, not all users.
I've got a Doctrine Repository class that implements the loadUserByUsername method, but this only receives the requested username.
What would be the best way to adjust my UserProvider so only users from the current site are attempted to be loaded?
Can I configure the security in such a way additional information is passed?
One possible solution I've already got is to inject the RequestStack into the Repository class, and use that to add additional parameters to my query.
I would need to write a decorator for the Doctrine EntityManager to make sure it is injected when the Repository is requested, but that is not really a problem.
I don't really like this solution, so I'm looking for better alternatives (if any).
We plan to implement a company-internal portal with Liferay 6.2. Since many of the team members are not within the company's network, the access has to be allowed from the internet.
Now I see a big problem with the Guest role, since it 1) can access Guest-viewable content without login and 2) this is the default selection when for example uploading a document.
What I really need is that only the login page is generally viewable, but all other sites and content are only visible to logged-in users, without the need to explicitly assign the permissions for each item correctly.
So the question is, can I prevent the guest role from accessing anything beyond the login page, so to say eliminate it from everything within the portal?
Update:
It was proposed to use only private pages. While this might work, it implies as far as I know that each user has to be a member of the site. But then it's no longer possible to have a site structure with different users participating in different sites and still be able to view public information (meaning public for all logged-in users) - or am I wrong?
Update 2:
I agree with a solution where one has to prevent the assignments to the guest role programmatically, via hook or via deeper changes in Liferay. Yet, I would like to double-check that administratively and think of a periodic database job or program using the API which checks for relations to the guest role which came in around the hook or by wrong permission settings of a user and deletes them again. How could that be done?
When a document is uploaded through a private page, the permissions actually default to be not accessible to "Guest". This is guaranteed easiest if you don't have any public pages.
Also, you can access the API and change the default permissions once a document gets uploaded (no need to override core Liferay functionality like defaults): Just write a service hook that overrides the upload of a document with a version that sets the permissions you want right after a document has been uploaded. This will catch all other upload attempts, e.g. through services, Webdav etc.
Edit (after your comment): Added the link to Dev Guide. The actual use of the API is a bit too much to update this answer with on the fly. You might want to look at old examples like sevencogs (part 2) to get used to the actual API, but DevGuide will describe how to write the plugin in the first place.
You could still use the public pages etc. and disable the guest's VIEW permission on every element but the login page and its resources.
Now, as you have already noticed, the fact that, by default, whenever creating any content the Guest gets the VIEW permission is a substantial problem.
I'd suggest to simply override the <guest-defaults> values in Liferay's core portlets' resource permission files (the ones in ROOT/WEB-INF/classes/resource-actions/) to remove these default values. If it's not clear to you on how to do it, see, e.g., this forum topic: https://www.liferay.com/community/forums/-/message_boards/message/486154 .
All you need to do is delete all public pages. Every page that you create should be private. Don't worry about login page, reset password and self-registration (if allowed), by default they are public.
Hope this helps.
So can I assign permissions to Roles from this list, or must I store these permissions in the database? Sometimes I am not sure whether they are the same.
For example, if there are @RequiresPermissions like
@RequiresPermissions("resourceA:create")
@RequiresPermissions("resourceA:update,delete")
@RequiresPermissions("resourceA:read")
@RequiresPermissions("resourceB:create,read,update,delete")
I can get permissions list like:
["resourceA:create","resourceA:update","resourceA:delete","resourceA:read",
"resourceB:create","resourceB:update","resourceB:delete","resourceB:read"]
or like
{"resourceA":{"create","update","delete","read"},
"resourceB":{"create","update","delete","read"}}
Declaring permissions like this is just for shiro to use them to check if they match what a user can do, it is never meant to be exposed via an API.
If you really want to be able to query permissions, you are better off using a JdbcRealm, putting them in a database so you can query them.
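The two views of the permission strings in the question (the annotation form and the flat expanded list) and the matching the answer refers to, as an added example written for this page rather than code from the question, the answer or the Shiro project: `expand` derives the flat list from the `resource:action,action` declarations, and `implies` reimplements in plain JavaScript the wildcard-permission rules stated in Shiro's documentation (`:` separates parts, `,` separates alternatives within a part, `*` matches any value, and a granted permission with fewer parts implies the longer one). The function names and the `grants` sample are this example's own; use Shiro's `WildcardPermission` itself in a Java application.

```javascript
// Added example: Shiro-style wildcard permission strings in plain JavaScript.
// parsePermission/implies follow the WildcardPermission semantics described
// in the Shiro documentation; the names and sample data are this example's own.

const declared = [
  'resourceA:create',
  'resourceA:update,delete',
  'resourceA:read',
  'resourceB:create,read,update,delete',
];

// "resourceA:update,delete" -> [["resourceA"], ["update", "delete"]]
function parsePermission(str) {
  const parts = str
    .trim()
    .split(':')
    .map((part) => part.split(',').map((s) => s.trim()).filter(Boolean));
  if (parts.some((p) => p.length === 0)) throw new Error('malformed permission: ' + str);
  return parts;
}

// Expand each declaration into one "resource:action" string per action, which
// is the flat list form shown in the question. A declaration with no action
// part is treated as "resource:*".
function expand(declarations) {
  const out = [];
  for (const d of declarations) {
    const [resources, actions = ['*']] = parsePermission(d);
    for (const r of resources) for (const a of actions) out.push(`${r}:${a}`);
  }
  return out;
}

// Does a granted permission imply a required one? Each required part must be
// covered by the granted part at the same position (or the granted part is *);
// missing trailing granted parts are implied; extra granted parts must be *.
function implies(grantedStr, requiredStr) {
  const granted = parsePermission(grantedStr);
  const required = parsePermission(requiredStr);
  for (let i = 0; i < required.length; i++) {
    if (i >= granted.length) return true; // "resourceA" implies "resourceA:read"
    const g = granted[i];
    if (g.includes('*')) continue;
    if (!required[i].every((sub) => g.includes(sub))) return false;
  }
  for (let i = required.length; i < granted.length; i++) {
    if (!granted[i].includes('*')) return false; // "a:read:x" does not imply "a:read"
  }
  return true;
}

// Check a user's granted set (as a realm would) against a required permission.
function isPermitted(grants, requiredStr) {
  return grants.some((g) => implies(g, requiredStr));
}

console.log(expand(declared).length); // 8
console.log(implies('resourceA:update,delete', 'resourceA:delete')); // true
console.log(isPermitted(['resourceA:read', 'resourceB:*'], 'resourceB:delete')); // true
```

This is what the answer means by "check if they match": the annotation strings are only ever compared against the permissions a realm assigned to the user, so a role definition such as `resourceA:*` or just `resourceA` satisfies all four `resourceA` annotations without any of them being listed individually. Exposing the expanded list through an API adds nothing to that check.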