How can I limit access to user profiles so that only users with a specific role can be viewed globally.
What I'm trying to do is make accessing users with "writer" role possible for all users, but leave normal members inaccessible to all but admin.
(Originally posted this as a comment but I guessed it helped so I'm posting it as an answer.)
You might want to see whether the Profile 2 module might be able to help you. The writer role would then have permission to create a profile for all to see while others do not. Also, you could modify the way users list other users' profiles. You could use the Views module use a filter so that it only shows users of a certain role
Related
I need to implement an authentication system where a super admin can create multiple different roles with different rights for users. That is, not a system with a set number of roles, but have the option to create as many roles with different combination of rights as the superadmin wants, and then assign them to new users. Also with the option of editing these roles, deleting them etc. I'm fairly new at Node Js. Is this something hard to implement? Are there any articles/videos I can read/watch, to start understanding the process? Where do I start? I'd really appreciate any help. Thank you in advance!
You're thinking about Role-Based Access Control (RBAC). I have actually implemented this in Node.js before, feel free to checkout how I implemented it here: https://github.com/JLCarveth/nodeblog.
It's relatively simple. You need a table for tracking roles. Each role has 0 or more permissions. These permissions can be comma-separated strings, or IDs referencing a permissions table. Each user is then assigned a role.
Each route is protected with a middleware that specifies the needed permissions. If a user accesses this route, check that they have the necessary permissions and continue, reject if not.
I am building a site on Liferay 7. By default, all the authenticated users inherit the Guest permissions (anonymous users).
There is even a label in the permissions section:
"Under the current configuration, all users automatically inherit permissions from the Guest role."
Why do I need this?
I would like to display X content only for anonymous users and when the user logs in, then I would like to display different content.
This is how my content permissions for anonymous users are configured:
Although I agree with people that say this is not the best path, yes you can do it - just to address the question at hands.
Set this to true if resources should assume that all users have the Guest role. Set this to false if resources will not assume that all users have the Guest role and, thus, do not automatically inherit permissions that belong to the Guest role.
Setting this property to false may require users to grant permissions to roles like Site Member and User.
Defaults:
permissions.check.guest.enabled=true
Why do I need this?
Permissions are not the catch-all for showing different content. If a guest is not allowed to see something, but needs to log in - that's fine. It's authenticated content, and you'll need to sign in.
If an authenticated user has no permission to see certain content, but just needs to log out in order to see it: What kind of permission is that? Let me answer that for you: It's not permission. It's rather targeted content and while it might be mimicked with permissions, this mimicry is nothing more than mimicry.
One way to implement such a requirement is through structured Web Content (you sound as if you want to show different Web Content articles). The template has access to the full API and can check if the current user is signed in or not - and show different content based on this fact.
If you want to achieve role permission using code level as like in xxxlocalserviceImpl class.You can use below code for allow permission for the guest user.
In case of document and media allow permission to guest and registerUser in Liferay 7 using rest webservice you can use this code for allow permission to upload and download the document using this code.
ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
DLFileEntry.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
String.valueOf(dlFileEntry.getFileEntryId()), guestRole.getRoleId(),
new String[] { ActionKeys.VIEW });
To answer your question - you can not configure that per specific asset! By default an authenticated user can not have less permissions than an unauthenticated one. You can change that behavior for all assets using permissions.check.guest.enabled=false as #Victor correctly pointed out!
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
So I am very interested in using Cloudkit but the documentation on anything over the basic features is horrible. I am looking to establish two basic user types: standard user (someone that can read records only) and an Admin user (can create and modify records). I setup security roles to reflect this and changed the access modifiers on each of the record types to include these roles. However, I cannot find anywhere how to change a user from one role to the other. I have implemented an Admin login of sorts in the app. Once they enter in the appropriate credentials, I want to allow that user to start editing records.
Does anyone know how to do this?
Thanks
I think it's still not possible to assign a security role to a user using code. Then this answer is still valid: How do I access security role in cloudkit
I want to have user rights split into two. Some of the policies at the client's side mention that we should have a seperate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.