Change the owner of all the documents in the repository - nuxeo

In my current setup I am using Nuxeo with LDAP and CAS integration. My requirement is this: in some scenarios a user uploads a document after logging in, but after a certain period of time, due to a company change, the user ID may change for that user while the user remains part of the same tenant. After the user ID changes, the user still wants to see the documents uploaded with the earlier user ID. An example is given below.
User Name:
user1#abc.com –> Uploaded a document name “User1ABC”
user2#abc.com –> Uploaded a document name “User2ABC”
Now due to business need the user name (domain name) may change in the system.
user1#abc.com –> Becomes user1#xyz.com
user2#abc.com –> Becomes user2#xyz.com
In this scenario, user1 and user2 would still like to see the documents uploaded under the earlier user names (user1#abc.com and user2#abc.com).
When the domain name changes, it will apply to all the users under that tenant.
So, how could we achieve that through a program or with some other API?

If it's a single-shot migration and you're running with a VCS repository (Postgres for instance), you can execute the following request on the acls table:
UPDATE acls SET "user" = 'user1#xyz.com' WHERE "user" = 'user1#abc.com';
Depending on where you store your users, you can automate that with a Postgres PL/pgSQL procedure iterating over the users table:
CREATE OR REPLACE FUNCTION migrate_user(from_domain varchar, to_domain varchar)
RETURNS integer
AS $$
DECLARE
    u RECORD;
    i int;
BEGIN
    i := 0;
    -- "user" is a reserved word in Postgres, so it is quoted everywhere;
    -- unquoted, it evaluates to the current database user.
    FOR u IN (SELECT username
              FROM "user"
              WHERE username LIKE '%#' || from_domain) LOOP
        UPDATE acls SET "user" = replace(u.username, from_domain, to_domain) WHERE "user" = u.username;
        i := i + 1;
    END LOOP;
    -- No COMMIT here: a function runs inside the caller's transaction.
    -- Rebuild the read ACLs optimization
    PERFORM nx_rebuild_read_acls();
    RETURN i;
END;
$$ LANGUAGE plpgsql;
I did not test the function (it compiles ;-)), but the idea is here and should work.
After that, restart the Nuxeo server so that all caches are reset.
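
A guarded version of the one-shot ACL rename described above, as an added example (not the answerer's or Nuxeo's code): it rewrites only names that end in the old domain, aborts if a target name already holds ACL entries (the rename would otherwise merge two principals' access), and applies everything in one transaction. It assumes the acls table and "user" column named in the answer, uses the question's sample domains as literals, and calls nx_rebuild_read_acls() as the answer does.

```sql
-- Added example: guarded, single-transaction rename of ACL principals.
-- Domains are the sample values from the question; change both literals together.
BEGIN;

-- 1. Map each affected principal to its new name. The match is anchored to the
--    end of the name, so only the domain suffix is rewritten (replace() would
--    also touch an earlier occurrence of the string inside the name).
CREATE TEMP TABLE principal_map ON COMMIT DROP AS
SELECT DISTINCT
       a."user" AS old_name,
       left(a."user", length(a."user") - length('abc.com')) || 'xyz.com' AS new_name
FROM acls a
WHERE right(a."user", length('#abc.com')) = '#abc.com';

-- 2. Review the mapping before anything is changed.
SELECT old_name, new_name FROM principal_map ORDER BY old_name;

-- 3. Abort if a target name already appears in the ACLs.
--    If this raises, the transaction is aborted and the COMMIT below rolls back.
DO $$
DECLARE
    clash text;
BEGIN
    SELECT m.new_name INTO clash
    FROM principal_map m
    JOIN acls a ON a."user" = m.new_name
    LIMIT 1;
    IF clash IS NOT NULL THEN
        RAISE EXCEPTION 'ACL entries already exist for target principal %', clash;
    END IF;
END
$$;

-- 4. Rewrite the ACL rows and rebuild the read-ACL optimization.
UPDATE acls a
SET "user" = m.new_name
FROM principal_map m
WHERE a."user" = m.old_name;

SELECT nx_rebuild_read_acls();

COMMIT;
```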

Related

how to check whether a user is able to update or insert a document in marklogic database?

How to check whether a user is able to update or insert any document in a MarkLogic database or not?
For example, there are 4 users, and some have permission to update and some have permission to read documents in the MarkLogic database.
try {
  let $uri := "abc.xml"
  let $doc := <a/>
  return
    if (condition)
    then check whether the current user is able to update or insert the doc in marklogic or not , if it is not then throw fn:error()
    else
      xdmp:document-insert($uri, $doc) (: it will throw an error when the user has no permission to insert the doc :)
}
catch ($e) {
  $e
}
The permissions that a user needs in order to insert and update a document will depend upon the user's explicit roles and permissions, as well as default permissions and any explicit permissions set on the document.
https://docs.marklogic.com/guide/admin/security#chapter
https://docs.marklogic.com/xdmp:document-insert
Required Privileges
If a new document is inserted, the unprotected-uri privilege (only if the URI is not protected), the any-uri privilege, or an appropriate URI privilege is also needed. If adding an unprotected collection to a document, the unprotected-collections privilege is needed; if adding a protected collection, the user must have either permissions to update the collection or the any-collection privilege.
If you are updating a document, then you must have the necessary permissions specified for that document (which can include default permissions).
You can list the permissions of the document with xdmp:document-get-permissions() or use the Query Console Explore to select the file and view the permissions tab.
You can list the user's roles with sec:user-roles() and privileges with sec:user-privileges().
Use xdmp:document-get-permissions to return which roles have which permission on that specific URI and then intersect that with roles attached to the user of interest, and you will know whether the user can access or update the document or not.
So, to check whether a user has the ability to insert or update a URI, you would want to get that user's roles and then see if the permissions from the default permissions or the document permissions have that role and the insert or update capability:
xquery version "1.0-ml";
import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";
let $name := "user-foo"
let $uri := "/bar.xml"
let $user-roles := xdmp:invoke-function(
  function(){ sec:user-get-roles($name) },
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
  </options>)
let $permissions := (xdmp:default-permissions(), xdmp:document-get-permissions($uri))
return
  exists($permissions[sec:capability=('insert', 'update') and sec:role-id/xdmp:role-name(.) = $user-roles])

SuiteScript 2.0 Retrieve a Role's Permission Level for a specific Custom Record

Within an SS2.0 BeforeLoad script, I'm trying to retrieve the current user/role permission level for a specific record.
The custom record name is customrecord_payments with an internal id of 368.
Using the following:
var permission = runtime.getCurrentUser().getPermission({name:'LIST_CUSTRECORDENTRY368'})
Always returns a value of 4 ("FULL") regardless of the user role logged in, so the code above cannot be correct.
What is the correct "permission" to look up?
To my knowledge, you cannot access the specific permissions of a record, only the permissions that are available on the employee record, which pertain to records as a whole. To get around this, you'll need to maintain the logic in your record as well as the code. So it would be something like:
if ((user.role === role.id) && (context.type === context.UserEventType.EDIT)) {
// ...
}
If you find out otherwise, please let us know!
name:'LIST_CUSTRECORDENTRY368' would be different for different accounts.
I have retrieved that ID by creating a search of type 'customrecordtype' and then comparing the scriptId to get the ID, then appending it to LIST_CUSTRECORDENTRY, and then getting the permission using the getPermission API.

Changing my account to username in opencart

I have this small problem: I am using OpenCart v 2.0.1.1, and when the user is logged in it shows "My Account" with the drop-down. I want to display the username of that particular user instead of "My Account". Can anyone help me with this problem?
In case you don't know how to start:
(1) you will need to read this post How to become an open cart guru
(2) steps
you will need to pass the name of the customer in some variable to the template file by adding it to $data array in catalog/controller/common/header.php # class ControllerCommonHeader # function index
in the template file, change the part that checks whether the user is logged in or not, and add the passed customer name or the old header My Account depending on the branch

Users are not getting deleted from Liferay DB

I have deleted users from the Liferay UI. Sometimes it asks to deactivate and then delete, sometimes only to deactivate. And users are not always removed from the DB. So, recreating the same user is not possible, as it throws errors like "email address already exist or username already exist".
Why user is not getting deleted from DB after deletion from UI?
I am using liferay-portal-6.1.1-ce-ga2.
How to solve this issue?
Deactivate and Delete are two different functionalities.
When you Deactivate the user remains in the database and only the status is changed to deactivate. This is known as a soft-delete or logical-delete, i.e. the User deactivated will not be able to login, nor will he appear in any of the searches etc. But the advantage is that you can bring the User back to life by just Activate-ing the User. So this does not require you to re-create the User and also helps in keeping history or actions on the User.
If you want to delete the User from database, go to Control Panel → Users & Organizations → click on Search All Users → Search for the user either by Advanced or Basic Search → select the User(s) → Click Deactivate.
After this, do an Advanced Search → Select the status as Inactive → You will find all the de-activated users → select them and click Delete.
Hope this helps.
Edit
(thanks to #hudolejev for pointing this out in the comments below)
Please also note that the following property is set to true to delete users in portal-ext.properties, by default it is true:
#
# Set this to false if users cannot be deleted.
#
users.delete=true
Manual delete:
If you want to delete from the DB directly make sure you remove all records related to the user on the next tables:
DELETE FROM Users_UserGroups WHERE userId = 'userid';
DELETE FROM Users_Roles WHERE userId = 'userid';
DELETE FROM Users_Orgs WHERE userId = 'userid';
DELETE FROM Contact_ WHERE userId = 'userid';
DELETE FROM Group_ WHERE classPK = 'userid';
DELETE FROM User_ WHERE userId = 'userid';
When you just deactivate the User, it still exists in the Liferay DB, so after each deactivation go and try to find the deactivated user and then delete it.
If you don't find the user after deactivation, try to go to the Server Administration and reindex all search indexes, and then try again.
Regards
Manish

Sitecore Custom User Profile - where is it stored how can it be queried

I have created a custom User profile template and object in the core database in Sitecore (as per the Security API Cookbook).
I can select this programmatically (as per the Security API Cookbook) so that my extranet users have an extended profile, that covers all the usual suspects (Address, phone, email format etc.)
However, where is this data stored? And how do I access it if I want to query the database to return a subset of users based on this profile data.
A typical requirement for an extranet member system is to extract a list of users to contact either in an email or a phone type campaign. Can this be done with the Sitecore membership system?
UPDATE>
I'm going to take a guess and say the profile data is stored in aspnet_Profile.PropertyValuesBinary .. which would make it nigh on impossible to query and not suited to my purpose. That is unfortunate. So to extend my question, if that is the case, is it possible to get Sitecore to store those values in the text field so they are searchable?
The standard Microsoft implementation of the SqlProfileProvider (which is used in Sitecore by default) stores the user profile information in the aspnet_Profile table. All the properties are serialized into the PropertyNames / PropertyValuesString columns. The PropertyValuesBinary is used to store the binary data (images). You can find more details if you look at the code of System.Web.Profile.SqlProfileProvider, SetPropertyValues method.
Next, all the custom properties you define in the user profile, are serialized to the SerializedData property of the Profile class, and it is again serialized to the PropertyNames / PropertyValuesString columns like any other property.
Also, a couple of properties are stored in the aspnet_Membership table (for some reason) - Email and Comment.
So, if you are going to query the users by Email, you can use FindUsersByEmail method of MembershipProvider. Otherwise, if you plan to filter by another property value, I suppose, you'll have to get all users and filter the obtained collection.
Hope this helps.
I faced this exact problem last week, didn't come up with a permanent solution, but to solve my particular issue, I wrote a little helper page and added it as a Sitecore application to be accessed from the CMS interface. All it did was query all users, and determine if they had any of like 5-6 profile properties assigned.
var userList = Sitecore.Security.Accounts.UserManager.GetUsers();
That is the relevant line to grab the users, it returns Sitecore.Common.IFilterable
So if you need to do something where you're grabbing profile info from all users, you can do something like this:
foreach (Sitecore.Security.Accounts.User user in userList)
{
    Sitecore.Security.UserProfile profile = user.Profile;
    string whatever = profile["Whatever"];
    // add whatever to a list or something
}
This worked out very well for my purposes, but I don't know how feasible it will be in your situation.
