What i am confused of is how to appropriately apply permissions(enable or disable) access to a JSF / HTML field of a form for some "logged in my application" user. Lets say i have a page with 2 textboxes and a button. I want only a certain user to change one of the textboxes. The permissions would be read from a database.
Is there a link to some internet content about certain techniques. I tried googling but they all stay in explaining authenticating and permissions per calls not objects on the html page. A link, book or an explanation guidance would be appreciated.
I suggest a EL evaluation as Fritz comments: disabled = "#{not currentUser.havePermission (component.id)}". Where currentUser is a SessionContext bean for fetch user information as name, permission list, password...
Then boolean havePermission(component.id) can find if current object ID is allowed by permission list.
For managing a lot of objects, you can use "massAttribute" (Omnifaces library).
http://showcase.omnifaces.org/taghandlers/massAttribute
Related
The first thing that I must say is that I never use a web filter on Java Web Applications so perhaps it could be a stupid idea.
I'm trying to create a method that could check the privilegies of the user and give the access or not to a certains pages if he can or not access to these pages.
For a better explanation I will do an example.
You should imagine a crud web application ok?
This application have these web pages: List.xhtml (that contains all rows and the links to manage these rows); create.xhtml (as the name tell it is used for create a new row); edit.xhtml (used for modify a row); and view.xhtml (used for view the details of a certain row).
Now I have 2 types of user: administrator and guest ok? The privilegies are simple to imagine, the administrator can do all things and guest can only view the details of the rows.
Which is the problem? The problem is that I hide the links for create and modify a row but if a guest modify the url can enter however into create.xhtml and edit.xhtml and create/modify a row...
I read some others question like:
Securing JSF applications and jsf security-contraint to protect link when the user is not signed in?
and I wrote this question:
Are there some issue at inserting some check into template?
and now I'd like to create a generic method to implement the check of privileges. I have the following ideas on how to solve this:
create a filter like the one in the second linked question and insert a check like "if the user has this privilege for that action do ... otherwise redirect to error.xhtml".
insert a check directly into the template, like in the third linked question.
Which of these would be the better approach? How is this typically done?
using php if that matters.
If you create a website that has users and groups. Where do you put this in the web application? Do you just put a function at the top of every page (pseudo):
if someone is in a group then they can see this page
or
if someone is in this group they can see this button
That sure seems wrong. I wouldn't want to edit the web app code just to change who can see what group-wise. I'm not sure what I should do or how to implement something like this.
Thanks.
In MySQL, I always create these 4 tables: users, user_groups, permissions and user_groups_permissions which are linked using Foreign Keys.
So, user A can be in a user group B, which this user group permissions are in user_groups_permissions.
Now, I just do a INNER JOIN on this 4 tables (or better, three: users, user_groups_permissions and permissions), the results are permissions that user have. all we need is selecting permissions.key by INNER JOIN.
Now, before processing request, I need to check that Client::has_permissin('send_post') returns true or not. And better, also on top of each user-group-related function.
Note: Client is a class that loads all user permissions just one time, before processing request, and then uses that permissions for whole request-life-time, without needing to access to database several times in that request. Use static methods and $permissions property for this class so you never need to send it's object over your applications classes/methods/functions :)
You can have a utility function which takes user id and group code and return true or false.
You can use that utility function as pseudo at the top of each page and the same function also be used to hide or show sections in your page.
If your web application is in MVC, embed user authorization logic in your controller.
I am displaying a list of popular public bookmarks to the logged-in user. Some users dont have access to these bookmark-urls and I want to suppress the results so that only accessible urls are shown to the user.
I tried to use the DoesUserHavePermissions method, but the problem is that I am not sure what object does the url points to (item/list/web/site).
I figured it out :|
when getting popular bookmarks from SocialTagManager i need to pass the logged-in users context i.e. SPServiceContext.Current and SharePoint will take care of the rest.
I've created some custom property for my web part with Personalizable(PersonalizationScope.User) attribute. I changing this property in EditorPartClass in ApplyChanges() Method only. The main problem is user with contribute permission for a site can't save this property when editing personalized view of a page. Changing property applies when user click OK button on EditorPart, but after page postback value returns to its previous condition. Users with full control privilleges saves this property without a problem.
If User has an "Add and Customize Page" privilege property saves too.. But than User can modify web part in shared view too.. It's bad...
you need to explicitly change the SafeAgainstScript attribute on the SafeControl tags. This is new in 2010 because of the Client OM. you can't ever be sure that the user won't type malicious JS - so make sure you also encode any input your property takes!
we created one page and placed under LAYOUTS folder.so can u tell me can all users access this page by giving their AD credentials.
some users are not able to login to this page.
pleage give me some suggestions.
The default Application Page setup will require the View Application Pages permission, and all derived permissions. You can manually configure the permissions of the application page by defining the RightsRequired property of the page. This is usually defined OnLoadComplete, but you can specify to occur after OnPreInitComplete by configuring the RightsCheckMode property.
But, without fiddling in these settings, it is still possible that certain users who have the read permissions on the general site may be barred from the Application Page. This can arise whenever you have controls that require different permission levels. For example, if you have a custom application page that has a field control associated with a specific list and item, if that control is in Edit mode then the user needs Edit permissions for that list and item in order to view the application page. It does not actually matter if this field control has anything to do with the list in question! For example, I once had an application page designed for bulk-downloading files which are in two folders. I wanted to re-use this page for a few different document libraries, so I decided to create a custom multi-lookup field control that would take the List query string as if on a New Form, and build the list of items to download that way. But this page was blocked for a subset of users who were not allowed New item permissions in one of the two folders, even though the page technically didn't do anything involving adding new items.
Any other elements on the page which require a separate set of permissions than general site permissions will also interfere, but the general case is with item-level and list-level permissions conflicting with the site-level permission. Simply check all of your controls, especially ones based on SharePoint web controls. As long as the user has permissions necessary to operate all of these, the user should be able to view the application page.
The entire user who has read permission, they can access this page.
If this page trying to do any manipulation, which needs hire permission, you may get access denied.
For trouble shooting comment all cods and try to access this page with read permission.