Only allow user to edit own content in Graphcool permissions - graphcool

I have followed the steps of setting up the Introduction Project at https://www.graph.cool/. In the permissions section for the project I can see and edit the permissions for e.g. Posts:
When clicking the row that shows that Everyone can Edit Data for a Post, a dialogue appears. There I am able to edit the permission so that only authenticated users may edit posts:
However, how can I make a rule so that users can only edit their own posts, and not posts created by other users?

Your question is perfectly timed :-) Yesterday Graphcool released a new advanced permission system based on GraphQL queries that allows you to declare arbitrary permission rules based on relations in your data.
Restricting UPDATE permissions to the owner of a post is a trivial example (code below), but I'll encourage you to take a look at the documentation and start thinking about how this feature can help you implement more complex permission rules.
Restricting edits of a post to the author
query ($node_id: ID!, $user_id: ID!) {
  SomePostExists(filter: {
    id: $node_id,
    author: { id: $user_id }
  })
}
Documentation
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
https://www.graph.cool/docs/tutorials/authorization-content-management-system-miesho4goo/

Related

How to store user based questions and answers in superscript?

I am working on a chat bot where multiple users (Role: owner) can add/edit/remove their questions and answers for subordinates (Role: travelers). When a traveler asks the chat bot a question, the chat bot should only choose answers added by his user (Role: owner).
How can I do this? I want something that will let me store the user id corresponding to the questions/answers in the main.ss file.
I am using SuperscriptJS with Keystone and mongodb
Please help.
Thanks
User based roles and permissions are not currently available in keystone, so this is not currently possible.
However, it's very much in the pipeline. To show your interest in this feature, you can upvote it on product pains: https://productpains.com/post/keystonejs/role-based-admin-system
There is no need for a core-level role implementation for this. You can have your own Role system in your User model. For a detailed study you can refer to the sydJS code; sydJS is developed by the keystoneJS developers.
In sydJS, at models/User.js, you can search for isAdmin and isVerified. Like that you can set Role there.
But I guess you are not asking for a role. Instead, in your use case there is a relation called owner, such that each user of role type travelers has a related User called owner, or something like that. For that you can set an owner field in the User model:
role: { type: String },
// each traveler points at exactly one User whose role is 'owner'
owner: { type: Types.Relationship, ref: 'User', filters: { role: 'owner' }, many: false, index: true },
Now coming to superscript, I am not an expert there, but I can say that you can either create multiple SS files (if possible), one per owner, or you can try to create a superscript topic per owner.
Please feel free to contact me on skype: sachinbhika, because I am also about to start developing a chatbot next week, so by helping you I am helping myself.

API issue when editing order in opencart admin

Afternoon all,
I've got an issue when trying to change the status of an order (from pending to complete etc...) in the admin section.
A warning appears saying
Warning: You do not have permission to access the API!
If I add my IP to the API IP address section it works fine;
the fields are all in red and the continue button doesn't work.
A similar thing happens if I view an order instead and try to add a new status to the order history.
I've seen this problem mentioned a few times in other posts but, afaik, without any satisfactory answer.
I'm using Opencart 2.0.3.1 and I'm logged in as an administrator and the administrator user group has all Access and Modify permissions enabled.
There is the default API user set up in System > Users > API and I also added (and then removed) another one but I was not sure what to do once I had created a new API user with a username and generated password.
There are no other problems on the site but, despite trying just about all the suggestions in the other forum posts, I can't edit the existing orders from the admin section.
Check this page out with a list of fixes for this issue: http://www.randemsystems.com/support/opencart/api-problems-what-you-need-to-know/msg6218/#msg6218
As far as I know, this issue is resolved in OC v2.1x onwards
The problem is that you need an API user with a valid IP address.
Go to System > Users > API.
Either modify the Default API by adding your IP address in the second tab, or just create a new API.
After that you should make sure the API is selected in System > Settings > Edit > Option > API User.
Click save, refresh and try adding order history again.
I tried the same thing and didn’t have permission to access the API when attempting to add order history. Follow the steps and it should work for you, as it worked for me.
I know it's late, but after trying everything and not getting it working, I deleted everything here /system/storage/cache. It solved the problem.
It works perfectly for me.
1- Open the index.php file in the root directory
2- add the following after define('version',x.x.x.x);
if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
    // Replace the proxy's address with the visitor address that Cloudflare forwards
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
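The snippet above trusts CF-Connecting-IP unconditionally. That only holds while every request really arrives through Cloudflare; if the origin server is also reachable directly, any client can send that header and have OpenCart's API IP allow-list see whatever address it claims. The following is an added example, not code from the answer above or from OpenCart, showing the usual hardening: honour the header only when the TCP peer (REMOTE_ADDR) is one of the proxy's own addresses. The helper names (ip4_in_cidr, client_ip) are invented here, the code assumes 64-bit PHP 7.1+ and IPv4 peers, and the 203.0.113.0/24 range is a constructed stand-in; the real list is published by Cloudflare at https://www.cloudflare.com/ips/ and must be substituted.

```php
<?php
// Added example (not OpenCart code): resolve the client IP so that a forwarded
// header is believed only when the connection comes from a trusted proxy.

/** True when IPv4 $ip lies inside $cidr ("203.0.113.0/24"; a bare address means /32). */
function ip4_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong     = ip2long($ip);      // false for IPv6 or malformed input
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Build the netmask as a 32-bit value (assumes 64-bit PHP integers).
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Return the address to treat as the client. CF-Connecting-IP is used only if
 * the immediate peer is inside one of $trusted_proxies; otherwise the header
 * is ignored and the peer address itself is returned.
 */
function client_ip(array $server, array $trusted_proxies): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';

    // A missing or syntactically invalid header is never used.
    if ($claimed === '' || filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    foreach ($trusted_proxies as $cidr) {
        if (ip4_in_cidr($peer, $cidr)) {
            return $claimed;
        }
    }
    return $peer; // header present, but the peer is not a trusted proxy
}

// Constructed stand-in for the published Cloudflare ranges (assumption; replace
// with the real list from https://www.cloudflare.com/ips/).
$trusted_proxies = ['203.0.113.0/24'];

// Constructed sample requests: one via the proxy, one hitting the origin directly.
$via_proxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7'];
$direct    = ['REMOTE_ADDR' => '192.0.2.55',   'HTTP_CF_CONNECTING_IP' => '198.51.100.7'];
var_dump(client_ip($via_proxy, $trusted_proxies)); // forwarded address is accepted
var_dump(client_ip($direct, $trusted_proxies));    // header ignored, peer address kept

// In index.php the line replacing the snippet above would be:
$_SERVER['REMOTE_ADDR'] = client_ip($_SERVER, $trusted_proxies);
```

The same check applies to X-Forwarded-For or any other client-supplied address header: the value is only as trustworthy as the hop that set it, so the decision must be keyed on REMOTE_ADDR, which the application's own TCP stack supplies.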

Unable to add documents into DB with user - "You are not a server admin"

I'm having issues with the users I've created being able to actually submit anything into the DB I've listed them under. I've followed the steps listed here (Creating regular users in CouchDB) and reviewed countless pages of documentation trying to sort this out. (Ex: http://wiki.apache.org/couchdb/Security_Features_Overview).
I'm using v1.5 and trying to set the user "testAdmin" as the admin for the "test" DB. superadmin, in this case, is my admin account created through the futon interface.
If I check the security document I can see my permissions there that should allow the testAdmin user to access the DB:
curl -X GET http://superadmin:1234@localhost:5984/test/_security
response:
{
  "admins": {
    "names": ["testAdmin"],
    "roles": []
  },
  "readers": {
    "names": ["testUser"],
    "roles": []
  }
}
Then if I run this, I get "You are not a server admin."
curl -X PUT http://testAdmin:5678@localhost:5984/test/ -d '{"abc": "def"}'
response:
{"error":"unauthorized","reason":"You are not a server admin."}
I've tried switching the user to a reader, I've also tried using the other user I've created that's currently listed as reader, and I keep encountering the same error.
Edit: I'm able to log in to Futon with the users I've created just fine, and their permissions all appear to be working fine within Futon, but I'm still unable to use curl successfully.
You're trying to create a database instead of creating a document. If you want to create a document without a predefined ID, use a POST request instead.
Using
curl
curl -u USER:PASS -X PUT "http://host:port/db_target" -d '{...}'
This may have been the resolution to the initial question.
It's worth adding that Fauxton often "forgets" its authentication if you leave it open and doesn't realize it, failing in odd ways until you reload the page and it realizes you need to log in again.
Short story shorter I was having a similar problem and just needed to re-authenticate to resolve it.
@Kxepal has already solved the problem. So just to make it clear, this is what is happening.
You have a superadmin who in couchdb terms is a server admin and can do anything. He/She can create databases, delete them, get any document etc.
Then you have other users who have privileges assigned to them by you. So when you created that _security document what you did was tell couchdb that dbadmin was the administrator of the database and dbreader was a member of the database. From futon this is the definition of admin and members
Database admins can update design documents and edit the admin and member lists.
Database members can access the database. If no members are defined, the database is public.
Once you define an admin or a member your database ceases to be public. Only users with sufficient privileges can access them.
With your request, as @Kxepal pointed out, you tried to create a database. A database admin can't create a database. That right belongs to the server admin, in your case superadmin.

Lotus Notes User with Editor Access can't delete documents (Option is activated in ACL)

Currently I develop a database for another employee at my company. I have Manager rights on the database to access everything. The administrator of the database should only be able to create/edit/delete documents. He currently has Editor access with the "delete documents" option selected. When he wants to delete a document in the database (I tried it with Simple Actions and with JavaScript code; neither works) he gets redirected to the same page and nothing happens, or with Simple Actions the server login page shows up with the message "You don't have the permission to perform this action".
When I'm testing the functions with my Manager access everything works fine. But when I change my rank to Editor, like the normal administrator of the database, I also can't delete any documents. Like I already said, the option in the ACL is activated.
I hope you can understand my problem and there is a solution for it. Normally that access right works fine on every other database at our company.
Another point: There are no Reader or Editor fields in the Documents. So there is no restriction with fields. Could this be the problem?
Check to see if there is some code in the QueryDocumentDelete event for the database. Perhaps that is failing and / or preventing you from deleting.
Given that you mention redirecting and server login, I presume it's a web enabled database?
In which case have you tried looking at the ACL (Access Control List) for the problem database and clicking the Advanced tab.
In there is a field Maximum Internet name and password, this is the maximum access allowed for internet users. If it's not editor, this could be the problem?
Try deleting with ?DeleteDocument URL. That way it will for sure not try to do anything else.
Check the user's access level at server with Database.getCurrentAccessLevel() and Database.queryAccessPrivileges(String name)
After the great suggestions from you all, the problem was that the checkbox "Allow document locking" in the database properties was enabled. That caused the problems with deleting documents. As Manager I have enough rights to go over that, but for the normal administrator with Editor access the deletion request got blocked by that little option.
Thanks to everyone!

Wordpress - Allow a userclass to save a page as a draft - but not publish w/o admin approval

I want to make a user class that can edit pages, and save them as a draft without being able to publish it. An admin would have to go in and publish the draft once they approve it.
The idea is similar to TDO Mini Forms except this will be done within the Wordpress admin panel, not be a form, and they must be a registered user in a specific class to do this.
Thanks!
Install the Members Plugin, create a role for these users (or reuse the author role) and do not give them the publish_posts capability.
Here is a screenshot of how I handle this case on one of my clients' sites:
Update
To forbid publishing of edits you have to hook into the action transition_post_status and watch for changes. This actions tells you the old and the new post status and the post id:
add_action( 'transition_post_status', 'my_watcher', 10, 3 );
function my_watcher( $new_status, $old_status, $post )
{
    // The third argument is the WP_Post object; get_post() accepts it and
    // returns the full post (content etc.).
    $post = get_post( $post );
    // Compare the content and/or the status, do something.
}
In my case, this was overelaborate, plus we were afraid users would feel patronized too much.
I just made a dashboard widget¹ to list all changes for admins and editors. Now the users see their edits immediately live. The editors clean things up if needed. Works great. The users learn how to make good edits that aren't touched again, and the work for the editors declines over time. :)
¹ Be aware: All text strings are in German, you may have to edit them. I didn't have the time for I18n, sorry.
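The answer above removes publish_posts so that new pages stay drafts, and sketches a transition_post_status watcher for the remaining gap, edits to pages that are already published, which go live immediately. The following is an added example, not code from the answer or from WordPress, that completes that watcher: it lets a page reach the publish status only if the acting user holds a custom capability, and otherwise moves the page to pending so an approver sees it in the queue. The capability name approve_pages and the function names are invented for this example; the hook's third argument is the WP_Post object. Both functions use WordPress core APIs (add_action, current_user_can, wp_update_post, get_role, register_activation_hook) and run only inside a WordPress plugin.

```php
<?php
/*
 * Plugin Name: Hold Unapproved Pages (added example)
 * Description: Pages published by users without the approve_pages capability
 *              are held as "pending" until an approver publishes them.
 */

// Fires on every status change: $new_status, $old_status and the WP_Post.
add_action( 'transition_post_status', 'hup_hold_unapproved_pages', 10, 3 );

function hup_hold_unapproved_pages( $new_status, $old_status, $post ) {
    // Only pages, and only when something is about to become public.
    if ( $post->post_type !== 'page' || $new_status !== 'publish' ) {
        return;
    }
    // Approvers (administrators/editors, see activation hook) publish directly.
    if ( current_user_can( 'approve_pages' ) ) {
        return;
    }
    // wp_update_post() below triggers transition_post_status again
    // (publish -> pending); detach this handler first to avoid re-entry.
    remove_action( 'transition_post_status', 'hup_hold_unapproved_pages', 10 );
    wp_update_post( array(
        'ID'          => $post->ID,
        'post_status' => 'pending',
    ) );
    add_action( 'transition_post_status', 'hup_hold_unapproved_pages', 10, 3 );
}

// One-time setup on plugin activation: grant the custom capability to the
// roles that are allowed to approve. Any other role (e.g. a Members-plugin
// role for the contributors in the question) never receives it.
function hup_grant_approve_capability() {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'approve_pages' );
        }
    }
}
register_activation_hook( __FILE__, 'hup_grant_approve_capability' );
```

The check is made on the server inside the status transition rather than in the editor UI, so it holds no matter which screen or REST route submitted the change; the remove_action/add_action pair around wp_update_post is what keeps the handler from calling itself.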
