I've been reading about and playing with ASP.NET MVC lately, to figure out if it will be the new framework for an exisiting product.
The product consists of a multi-user website where the customers are created by me and added to their respective companies. Each user then has access to do some stuff, add data etc. in the scope of his own company.
How would I go about creating a structure like that in MVC?
I basically want to be the "super-admin" that can create new users, add them to companies and control their rights.
The regular users will also have different user roles (admin, user, guest) within their company.
I've got pretty much everything else set up (MVC and the Entity framework is awesome), but I just need this last layer of separation.
Any help is much appreciated.
There's really two pieces to this. The first is roles. Simply create a clear designation between roles for a company versus roles for the entire application, for example: "Admin", "CompanyAdmin", "CompanyUser", and "CompanyGuest". There, I literally mean "Company", not a placeholder for a specific company name. You should only have one set of roles applicable to all company users.
The second piece is a form of ownership authorization. Each user is assigned to a company, surely through a foreign key on your user entity. Your routes will contain some component that identifies the company being utilized, whether that be via a subdomain, or just part of the path, i.e. /FooInc/Bar/Baz. In your actions, you'll use this component to look up the company from your pesistence store and then compare that with the company the user is assigned to. If the two do not match, then you return a 403. Otherwise, you let the user proceed.
There's many ways that can be done. You could use an action filter, base controller, etc. That's largely up to you and the needs of your application. Regardless, ASP.NET MVC is very capable to handle such a thing.
Related
I have a web-application secured with Keycloak. To keep the description of the service short, we have Users and Documents as entities in the service. The users may have access to none or more documents and may edit or read the document.
Currently we have roles such as Admin, EndUser, Developer etc. We then keep a database table outside of Keycloak that maps the documents to users and what user has what access level to what document. All our end-users have the EndUser role in Keycloak. Every single time an EndUser tries to read/edit a Document, we have to make a lookup in the database table for authorization.
We would like to migrate that table to Keycloak. As I understand it I basically have two options:
Create a lot of roles, two for each document with names such as doc_read_[DOCUMENT-ID] and doc_edit_[DOCUMENT-ID] and so on. Then assign the correct role to the correct user. The downside here is that the number of roles will grow A LOT. Also, the number of roles attached to a user will be very large.
Create a group for each document, with the name of the document id. Have different sub-groups for read/write and then add the users in the correct groups. The downside is that the number of groups will be very large. Also, I will rely Authorization on group names, so the list of group names has to be mapped to the token.
I do not want to add a user-attribute with the document-ids to each user. With this approach I can not get an overview of a document and see what users have access to a given Document.
What is the best practice here? Are there any other solutions to solve this issue? This must be a very common setup.
This is just my opinion.
From what I understand both solutions are suboptimal, adding a role per document is unnatural and too finer grain. And as you already mention this would lead to too many roles that probably you will have to add them into the token.
I would personally use Keycloak just for the authentication part and do the authorization part in the backend. I would also try to group the documents in a way that reflect which user roles are allowed to manipulate them.
Alternatively you might try to use Keycloak's Authorization features to handle that use-case, however I have never used it, so there is not much that I can say about this option.
In my opinion what you want to achieve is something that is very tied to your business logic, I wouldn't recomend depending on keycloak to do it. Your token would constantly grow and management would be a nightmare really.
I see no problem in having a service with good cache to lookup permissions, the bulk of the data won't change much over time.
We are implementing a Liferay 6. 2 solution, everything was set but then we had a problem. Thing is, we are importing all the users from AD using LDAP with their group information. So, in liferay, we will have users and users' group. We planned to follow organization->sub-organization structure but the customer does not want to assign all the users(no option to assign user groups to organization which i know why and it totally make sense ) to the organization manually which, kind of, makes sense. So, then we had to change our design, now what we are doing is actually creating a department-wise site then assigning user groups to the site and then linking site to organization. So two questions.
Does it make any sense to have organization? if so then what advantages will I have in this particular case.
Do you see any drawbacks in our approach or should we follow a better approach which we are not aware of.
I have an application where a user can be linked to several companies.
The manyToMany relationship with the company is a distinguished entity called Associate.
I'd like to give to this Associate entity the exact same role functionnality as my FOSUserBundle User entity has. Important : if a user has a role_manager for one company, it should not be given the rights to access specific features of another company he belongs to too.
Is there a clean way to do this?
I'd like to check for instance if $this->getUser->getAssociate->hasRole('ROLE_MANAGER') is true.
What if I give a role array to my entity Associate? I've read it's not secure enough? Why? What could someone do to break that security if anyway my users have to pass through FOS security login checks?
I've found an article where using a voter is suggested. But I don't want to filter routes, I really want to check the condition against the link between a user and a company, so if a voter is the solution, how would I use it?
EDIT: if a better solution not involving roles or with different logic exists, I am interested in learning about it!!
So in my case, I actually one user can actually be only linked to a maximum of 4 companies, each of a different kind defined by its category.
The official doc would suggest using ACL, defining a role for every company or store the data in the entity. cf first paragraphs of :
http://symfony.com/doc/current/cookbook/security/acl.html
I used a combination of roles and business logic. I've created roles for every type of company and since one user can only have one company per type, I just had to check for the type and the role-manager associated to the type.
See my voter here:
symfony2 call is_granted in voter : how to avoid an infinite loop?
I would like to find out all of the user which are associated in some roles. I have seen the UserLocalService that provides the method to find the users in a particular role. But I want a method to which I can pass an array of roleIds and it shall return me the list of users in those roles.
One way is to write custom SQL, but I would like to get it done by using the API only.
Is that possible with Liferay API??
Call the API multiple times? Create a new service that does this for you so that you only have a single call to (your) API?
I know, this is probably not the answer that you expected. Note that roles in Liferay can be scoped globally (to the whole portal, called 'regular') or to an individual site or organization. Thus just giving a roleId would limit you to the global roles (as the others would require the site's or organization's groupId).
Stepping back and looking at what you want to achieve, my first guess is that you have some semantics in being associated with a specific role - kind of like... a usergroup? A role is designed to give permissions to users, while a usergroup is designed to group users. UserLocalService also has getUserGroupUsers - this also only takes a single usergroup id, but at least it's a single (global) scope by definition and not ambiguous like roles.
I'm triying to develop an application which will contain different kinds of companies, and each company will have different roles.
This way, when a superadmin create a company, will define which roles can be attached to this kind of company.
For example, the superadmin could create a shopping center which could have a shop assistant and a director (each of them with different permissions); and another kind of companny which could be a coffee shop, which could have a waiter and a chef.
Then, when an user loggin inside the application, and will want to create a new user, will only have the possibility of select the roles of his kind of company.
But I can't see the way to develop, using the security.yml file and the FOSUserBUndle.
Thanks in advance!
For this kind of purpose, I think you need to implement your security logic inside controllers ; with security.yml you can restrict some entire areas, but I don't think it will help in your case. Maybe you can first define some routes that would be accessible only to some roles (for example, "/waiter/*" for waiters)
Then you can implement like a new kind of roles ; each company can have a field "possible_roles" that will be an array of roles. For example, if a superadmin creates a coffee shop, then you will have possible_roles = { "ROLE_WAITER", "ROLE_CHEF" }
After that you just have to check if the user's role is in the company role's array, and if he has access to the page.
Is it clear ?