I'm trying to understand something about Symfony and the "super admin".
When I use FOSUser to create a user with super admin privileges
php app/console fos:user:create adminuser --super-admin
I'd firstly like to know what this means (from the doc):
[...]Specifying the --super-admin option will flag the user as a super admin[...]
I imagine it means granting ROLE_SUPER_ADMIN to the user because I don't see any super-admin field in the user table.
Secondly, while (still from the doc)
A super admin has access to any part of your application
security:
role_hierarchy:
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ...]
Why do we still need to configure the access hierarchy for it?
Looking at FOSUserBundle's code, you will find that the CreateUserCommand, if invoked with the --super-admin flag, will call the UserManipulator with a boolean argument $superadmin=true.
Now the UserManipulator calls the UserManager, which will create a User object, call its setSuperAdmin() method and persist the new user afterwards.
The method looks as follows:
    public function setSuperAdmin($boolean)
    {
        if (true === $boolean) {
            $this->addRole(static::ROLE_SUPER_ADMIN);
        } else {
            $this->removeRole(static::ROLE_SUPER_ADMIN);
        }

        return $this;
    }
So answering your first question:
Yes, the --super-admin flag causes FOSUserBundle to create a new user with the ROLE_SUPER_ADMIN role.
You still have to include the role hierarchy in your security configuration because the ROLE_SUPER_ADMIN role basically doesn't differ from any other role.
It's just a convention provided by the Symfony standard edition that users with role ROLE_SUPER_ADMIN should not have any access restrictions.
If you want the ROLE_SUPER_ADMIN to bypass all security voters by default - have a look at JMSSecurityExtraBundle's IddqdVoter which implements this for the special role ROLE_IDDQD. But this has already been suggested in your other question here.
By defining the hierarchy, you explicitly grant it the ROLE_ADMIN and ROLE_ALLOWED_TO_SWITCH roles (or other custom roles you could have).
If you comment out this line and try to access an action with a ROLE_ADMIN check with your ROLE_SUPER_ADMIN user, you will get a not allowed error.
The ROLE_SUPER_ADMIN is just a convention for the name the super administrator role should have, but it does not have privileges of its own; you have to explicitly grant them to it.
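To make the "no privileges of its own" point concrete, here is an added example (not from the answers above and not Symfony's or FOSUserBundle's code) that re-implements, in a few lines, how a role_hierarchy map is expanded into the set of reachable roles before a role check is made. The function names reachableRoles() and isGranted() are this example's own.

```php
<?php
// Added example: a minimal stand-in for Symfony's role hierarchy expansion.
// It shows that a user holding only ROLE_SUPER_ADMIN reaches nothing else
// unless security.yml's role_hierarchy says so.

/**
 * Expand a set of roles through a role_hierarchy map (transitive closure),
 * the way Symfony resolves "reachable" roles before the RoleVoter votes.
 */
function reachableRoles(array $hierarchy, array $roles)
{
    $reachable = array();
    $queue = $roles;
    while ($queue) {
        $role = array_shift($queue);
        if (isset($reachable[$role])) {
            continue; // already expanded; also guards against cyclic maps
        }
        $reachable[$role] = true;
        if (isset($hierarchy[$role])) {
            foreach ($hierarchy[$role] as $child) {
                $queue[] = $child;
            }
        }
    }

    return array_keys($reachable);
}

/** Stand-in for a RoleVoter: grant if any reachable role matches. */
function isGranted(array $hierarchy, array $userRoles, $required)
{
    return in_array($required, reachableRoles($hierarchy, $userRoles), true);
}

// A user created with "fos:user:create adminuser --super-admin" carries
// exactly one role, ROLE_SUPER_ADMIN (see setSuperAdmin() above).
$superAdmin = array('ROLE_SUPER_ADMIN');

// Case 1: role_hierarchy commented out. ROLE_SUPER_ADMIN inherits nothing,
// so a ROLE_ADMIN check on this user is refused.
$noHierarchy = array();
var_dump(isGranted($noHierarchy, $superAdmin, 'ROLE_ADMIN'));

// Case 2: the hierarchy from the question. ROLE_SUPER_ADMIN now reaches
// ROLE_ADMIN directly and ROLE_USER through ROLE_ADMIN.
$hierarchy = array(
    'ROLE_ADMIN'       => array('ROLE_USER'),
    'ROLE_SUPER_ADMIN' => array('ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
);
var_dump(isGranted($hierarchy, $superAdmin, 'ROLE_ADMIN'));
var_dump(isGranted($hierarchy, $superAdmin, 'ROLE_USER'));
```

The real Symfony RoleHierarchy class does the same expansion; the point is that the mapping, not the role name, is what carries the privileges.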
Related
I have a requirement where I have to allow all of my regular users to impersonate a user of their choice.
I haven't been able to make this work. This is what I've done so far:
Added the following properties to portal-ext.properties:
portal.jaas.enable=false
portal.impersonation.enable=true
Created a role for the purposes of impersonation
Defined permissions for this new role: Portal > Users and organizations > View & Impersonate
Assigned this role to a non-administrator user (user A)
I don't need my users to see the list of users they can impersonate, I just want liferay to impersonate a user if ?doAsUserId=x is present in the url (which does work if you are an administrator).
When I try to impersonate user B using user A, nothing happens. I get this error in the tomcat log:
ERROR [http-bio-8180-exec-85][PortalImpl:5990] User 80413 does not have the permission to impersonate 25105
(User 80413 is my User A, the one attempting to impersonate user B [25105])
Am I missing something else?
There is a condition in Liferay which checks the permission on the list of organizations for the impersonation. So, the user who is impersonating the other user must have the "impersonate" permission in all the organizations of which these users are part.
    if (doAsUser.isDefaultUser() ||
        UserPermissionUtil.contains(
            permissionChecker, doAsUserId, organizationIds,
            ActionKeys.IMPERSONATE)) {

        request.setAttribute(WebKeys.USER_ID, new Long(doAsUserId));

        return doAsUserId;
    }
So, those 2 users must be part of the same organization and must have the impersonation permission for that organization.
I log the user in fine; it is working in symfony2. During registration, the role and a state_id are saved in the DB.
role: ROLE_USER
state_id: 4 //e.g. has only permissions to do some extra actions
Is there a way in symfony2 in the security.yml that I give permissions to targets with role and state_id?
Better use different roles for this, not a state id. For example: ROLE_USER, ROLE_USER_4, etc.
I need to find a way to set access to url by function.
For example, Can I set 'access control' in security.yml this way:
access_control:
- { path: ^/admin$, function: checkadmin() }
In other words, Symfony runs the checkadmin() function, and that function returns a boolean value that decides access to the path.
Or are there other ways?
You have to provide a role when configuring an access control rule. That part of the security bundle (authorization) only cares about matching requests with required roles.
With that concrete rule, define a custom role like so:
access_control:
- { path: ^/admin$, role: CHECK_ADMIN }
Then the question becomes, how can I dynamically add a role to a user?
The answer is a Security Voter:
http://kriswallsmith.net/post/15994931191/symfony2-security-voters (best explanation)
Dynamically adding roles to a user
http://symfony.com/doc/current/cookbook/security/voters.html
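As an added example (not from the answer above, and not Symfony's own code) of the voter approach: a Symfony 2 voter that answers the custom CHECK_ADMIN attribute from the access_control rule above by calling your own function. The class, the Acme namespace and the checkAdmin() rule (here a hypothetical getStateId() check on the user entity) are this example's assumptions.

```php
<?php
// Added example: a Symfony 2 voter backing the rule
//   - { path: ^/admin$, role: CHECK_ADMIN }
// The built-in RoleVoter only handles attributes starting with ROLE_ and
// abstains on CHECK_ADMIN, so this voter is the one that decides.
namespace Acme\SecurityBundle\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;

class CheckAdminVoter implements VoterInterface
{
    const ATTRIBUTE = 'CHECK_ADMIN';

    public function supportsAttribute($attribute)
    {
        return self::ATTRIBUTE === $attribute;
    }

    public function supportsClass($class)
    {
        return true; // access_control hands us the Request; we do not inspect it
    }

    public function vote(TokenInterface $token, $object, array $attributes)
    {
        // Abstain unless CHECK_ADMIN is required, so ordinary ROLE_* rules
        // are still decided by the RoleVoter and not by us.
        if (!in_array(self::ATTRIBUTE, $attributes, true)) {
            return self::ACCESS_ABSTAIN;
        }

        $user = $token->getUser();
        if (!is_object($user)) {
            return self::ACCESS_DENIED; // anonymous token: never an admin
        }

        return $this->checkAdmin($user) ? self::ACCESS_GRANTED : self::ACCESS_DENIED;
    }

    /** Your own rule. Hypothetical: a user entity with a getStateId() method. */
    private function checkAdmin($user)
    {
        return method_exists($user, 'getStateId') && 4 === $user->getStateId();
    }
}
```

Register it as a service tagged security.voter so the access decision manager consults it; with the default "affirmative" strategy one ACCESS_GRANTED is enough, whereas under "unanimous" a single ACCESS_DENIED from any voter wins.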
In Sitecore 6 is it possible to change roles for virtual user when already logged in?
I would like to change roles for virtual users that are already logged in to system, but it looks like Sitecore ignores it. I can clear roles and add a new one but all the old roles are still attached to the user.
I think I should re-login the user, but that is not the case for me.
    virtualUser.RuntimeSettings.AddedRoles.Clear();
    virtualUser.Roles.RemoveAll();
    if (permissions != null && permissions.Any())
    {
        foreach (var role in permissions.Where(d => !string.IsNullOrEmpty(d.Type)))
        {
            string domainRole = string.Format("{0}\\{1}", "extranet", role.Type);
            if (SC.Security.Accounts.Role.Exists(domainRole))
            {
                virtualUser.RuntimeSettings.AddedRoles.Add(domainRole);
            }
        }
    }
You can try to use
Sitecore.Caching.CacheManager.ClearSecurityCache(userName);
This method calls other methods:
CacheManager.ClearUserProfileCache(userName);
CacheManager.ClearIsInRoleCache(userName);
CacheManager.ClearAccessResultCache(userName);
So in theory it should do what you need but I haven't confirmed it in practice.
It seems that logging out and logging in again will set the correct roles, because during login the AuthenticationManager will clear the SecurityCache which holds the UserProfile and the Roles.
I don't see a method to add new Roles to the current authenticated user.
I am using a solution similar to http://blog.jmoz.co.uk/symfony2-fosuserbundle-role-entities
So I have a Role entity that implements RoleInterface and I have a modified User entity that is set up to have a ManyToMany relationship with the Roles.
This allows me to use code like this
$user = $this->get('security.context')->getToken()->getUser();
$role = new Role('ROLE_TEST');
$user->addRole($role);
$em = $this->getDoctrine()->getEntityManager();
$em->persist($role);
$em->persist($user);
$em->flush();
I can then check if a user has a role with
$user = $this->get('security.context')->getToken()->getUser();
    if ($user->hasRole('ROLE_TEST')) {
        // do stuff...
    }
This solution is ok, but I need to have access to the security context and use code like this:
    if ($this->get('security.context')->isGranted('ROLE_TEST')) {
        // do stuff...
    }
And in the security.yml config file I would like to use the access_control code like this:
access_control:
- { path: ^/test$, role: ROLE_TEST }
Do I need a custom user manager for this? The roles that are assigned to a user in the database are not being carried over to the built in Symfony security system.
In other words when I view the security section of the profiler it shows that the user is assigned to Roles [ROLE_USER], but I am hoping to get it so the system will also recognize the roles that I have set in the database for the logged in user such as ROLE_TEST.
The reason that this was not working is because I was still logged in with the same session. Logging out and then back in again to refresh the session with the new roles does the trick. DOH!