Authorization Bundle Help
70 views
Skip to first unread message
Paul Hinett
Aug 13, 2012, 10:01:09 AM8/13/12
to rav...@googlegroups.com
I have a project which would suit the use of the authorization bundle,
but i just have a couple of basic questions to get me off the ground.
I have setup several roles and operations, an example operation is
'Pages/AddNewPage', what is best practice to perform the validation
check when adding a new page?
Is it a case of littering my controllers actions with the following, or
is there a more elegant way?
var authUser = DocumentSession.Load<User>(currentUserId);
var isAllowed = DocumentSession.IsAllowed(authUser, "Pages/AddNewPage");
Also, i can't quite make heads or tales of the tagging option, i tried
to make sense of the example you have on the bundles page but not quite
understanding it, can you give another brief example of where using tags
would be useful?
How does the SecureFor(user, operation) function work, when would i use
SecureFor instead of IsAllowed?
Thanks,
Paul
but i just have a couple of basic questions to get me off the ground.
I have setup several roles and operations, an example operation is
'Pages/AddNewPage', what is best practice to perform the validation
check when adding a new page?
Is it a case of littering my controllers actions with the following, or
is there a more elegant way?
var authUser = DocumentSession.Load<User>(currentUserId);
var isAllowed = DocumentSession.IsAllowed(authUser, "Pages/AddNewPage");
Also, i can't quite make heads or tales of the tagging option, i tried
to make sense of the example you have on the bundles page but not quite
understanding it, can you give another brief example of where using tags
would be useful?
How does the SecureFor(user, operation) function work, when would i use
SecureFor instead of IsAllowed?
Thanks,
Paul
Paul Hinett
Aug 14, 2012, 9:35:29 AM8/14/12
to rav...@googlegroups.com
Has anybody got any advice on this, i'm more interested in how people
handle the littering of IsAllowed throughout their controller actions.
Thanks,
Paul
handle the littering of IsAllowed throughout their controller actions.
Thanks,
Paul
Chris Marisic
Aug 14, 2012, 10:57:25 AM8/14/12
to rav...@googlegroups.com
I feel putting authorization in your database is one of the largest mistakes you can ever make in application development.
Security should be application controlled, not database controlled.
Security should be application controlled, not database controlled.
Kijana Woodard
Aug 14, 2012, 11:15:19 AM8/14/12
to rav...@googlegroups.com
I lean towards Chris' point of view.
I had some interest in the Authorization bundle, but I realized that I would still have a problem displaying the correct UI. So I'm not sure how much it buys you.
I too would be interested in evaluating someone's real world usage.
Chris Marisic
Aug 14, 2012, 11:45:12 AM8/14/12
to rav...@googlegroups.com
The only justification for using db auth (IMO) is if you develop a JS/HTML app that directly connects to raven. (This is something i'd never do, I always will use an application tier to insulate my db from users)
Kijana Woodard
Aug 14, 2012, 11:47:27 AM8/14/12
to rav...@googlegroups.com
I had written something similar about js directly to raven, but erased it, since, as you allude to, you open yourself up to more security issues than you solve with the auth bundle.
Paul Hinett
Aug 14, 2012, 4:28:20 PM8/14/12
to rav...@googlegroups.com
Ok i will take the advice on board to not use the authorization bundle,
although it did seem to do exactly what i was looking for in some ways.
What is a recommended approach for managing security for different
types of users, say for example i had a forum with many types of users
such as:
Admin
Moderator
Mini-Moderator (can only perform specific operations)
Normal Member
+ Custom user defined roles
I know there is probably no catch-all way of doing things, but a
general idea of what i should be doing would be helpful.
Paul
> DocumentSession.Load<User>(__cur__rentUserId);
> > var isAllowed =
> DocumentSession.IsAllowed(__auth__User,
although it did seem to do exactly what i was looking for in some ways.
What is a recommended approach for managing security for different
types of users, say for example i had a forum with many types of users
such as:
Admin
Moderator
Mini-Moderator (can only perform specific operations)
Normal Member
+ Custom user defined roles
I know there is probably no catch-all way of doing things, but a
general idea of what i should be doing would be helpful.
Paul
> > var isAllowed =
> DocumentSession.IsAllowed(__auth__User,
Oren Eini (Ayende Rahien)
Aug 15, 2012, 7:52:18 AM8/15/12
to rav...@googlegroups.com
Paul,
IsAllowed if for an actual check.
SecureFor says that if you don't have this permission, it'll throw when you try to actually do it
I suggest having permissions matching your url structure, then set it up so that you can use a filter for that.
Oren Eini (Ayende Rahien)
Aug 15, 2012, 7:52:54 AM8/15/12
to rav...@googlegroups.com
Chris,
The Auth bundle is exactly NOT putting auth in the db.
Paul Hinett
Aug 15, 2012, 8:29:27 AM8/15/12
to rav...@googlegroups.com
I think i am going to use the auth bundle in the end, it does look
exactly like what i need and i can't find anything else that would
suit.
- I created a custom authorize filter which checks the DocSession.IsAllowed() function with a passed in operation string as a parameter, can you see any problems with this approach?
- I am also adding in some additional properties to my view models to help with permissions on my views, such as 'CanUserModeratePost', and simply set these values from within my controller, can you see any problems with this?
- What about unit testing, is it just a case of creating the correct roles + users docs in my tests to simulate correct / invalid permissions?
I'm not sure how i can have permissions matching my url structure? say i have a Moderator user viewing a post, what url structure would i use here (currently it's /topics/viewtopic/{id}/), then also i have an Admin user that can perform additional actions on this topic post.
- I created a custom authorize filter which checks the DocSession.IsAllowed() function with a passed in operation string as a parameter, can you see any problems with this approach?
- I am also adding in some additional properties to my view models to help with permissions on my views, such as 'CanUserModeratePost', and simply set these values from within my controller, can you see any problems with this?
- What about unit testing, is it just a case of creating the correct roles + users docs in my tests to simulate correct / invalid permissions?
I'm not sure how i can have permissions matching my url structure? say i have a Moderator user viewing a post, what url structure would i use here (currently it's /topics/viewtopic/{id}/), then also i have an Admin user that can perform additional actions on this topic post.
Oren Eini (Ayende Rahien)
Aug 15, 2012, 8:39:05 AM8/15/12
to rav...@googlegroups.com
inline
On Wed, Aug 15, 2012 at 3:29 PM, Paul Hinett <pa...@ukcreativedesigns.com> wrote:
I think i am going to use the auth bundle in the end, it does look exactly like what i need and i can't find anything else that would suit.
- I created a custom authorize filter which checks the DocSession.IsAllowed() function with a passed in operation string as a parameter, can you see any problems with this approach?
That is what I would od as well
- I am also adding in some additional properties to my view models to help with permissions on my views, such as 'CanUserModeratePost', and simply set these values from within my controller, can you see any problems with this?
IsAllowed is a network call, most of the time. Be sure to watch for those.
Or do this once when you are logging in the user
- What about unit testing, is it just a case of creating the correct roles + users docs in my tests to simulate correct / invalid permissions?
Yes
I'm not sure how i can have permissions matching my url structure? say i have a Moderator user viewing a post, what url structure would i use here (currently it's /topics/viewtopic/{id}/), then also i have an Admin user that can perform additional actions on this topic post.
/topics/View
One permssion.
Then you have:
/topics/Edit
/topic/MarkSpam
Kijana Woodard
Aug 15, 2012, 10:23:35 AM8/15/12
to rav...@googlegroups.com
If you can share some code when you've made progress, please do.
I was attracted to the url authorization scheme over using traditional groups/roles. I can see some power there. I just wasn't sure how to make it work with the UI (don't show this button to non-admins, etc). I haven't had this particular need lately, so I never go to PoC the auth bundle.
My recent approach to these sorts of problems has been separate UIs for admins and just skip the "are you auth'd for" issues. But that only works because the domains are simple and easily split into admin vs user without much gradation.
Paul Hinett
Aug 15, 2012, 10:37:48 AM8/15/12
to rav...@googlegroups.com
Sure yes.
Well i think adding different views for different
permissions/operations could get out of hand very fast. I think it will
be just a case of some if/else logic within the view to show/hide
certain elements, there will only be at most 3/4 per view so it's
manageable. My view models would contain properties such as:
CanUpdatePageTitle
CanDeletePage
CanUseModerationTools
Oren:
when you say load the permissions once at login time, what should i
get? Permissions could come from specific documents, different roles
the user is associated with and from the AuthorizedUser/{user} document
too. Do i need to get all this (how?) and store into
memory/cookie/cache for the current user?
>> On Mon, Aug 13, 2012 <tel:2012> at 5:01 PM, Paul Hinett
>> <pa...@ukcreativedesigns.com <mailto:pa...@ukcreativedesigns.com>>
Well i think adding different views for different
permissions/operations could get out of hand very fast. I think it will
be just a case of some if/else logic within the view to show/hide
certain elements, there will only be at most 3/4 per view so it's
manageable. My view models would contain properties such as:
CanUpdatePageTitle
CanDeletePage
CanUseModerationTools
Oren:
when you say load the permissions once at login time, what should i
get? Permissions could come from specific documents, different roles
the user is associated with and from the AuthorizedUser/{user} document
too. Do i need to get all this (how?) and store into
memory/cookie/cache for the current user?
>> <pa...@ukcreativedesigns.com <mailto:pa...@ukcreativedesigns.com>>
Oren Eini (Ayende Rahien)
Aug 15, 2012, 10:44:13 AM8/15/12
to rav...@googlegroups.com
IsAllowed is usually on the global level, and that you can call once:
var isAllowed = DocumentSession.IsAllowed(authUser, "Pages/AddNewPage");
If it is on a specific document, you have to call it on that.
Paul Hinett
Aug 15, 2012, 10:47:15 AM8/15/12
to rav...@googlegroups.com
Ok so on login, i should get a collection of all possible operations
from all roles, and call IsAllowed on them? What if there are hundreds,
is this still ok?
Can they be all wrapped up into a single request (lazily), or will it
be a separate request for each?
On 15 August 2012 15:44:13, Oren Eini (Ayende Rahien) wrote:
> IsAllowed is usually on the global level, and that you can call once:
> var isAllowed = DocumentSession.IsAllowed(__authUser, "Pages/AddNewPage");
> wrote:
>
> inline
>
> On Wed, Aug 15, 2012 <tel:2012> at 3:29 PM, Paul Hinett
> <pa...@ukcreativedesigns.com
> <mailto:pa...@ukcreativedesigns.com>
> <mailto:paul@__ukcreativedesigns.com
> On Mon, Aug 13, 2012 <tel:2012> <tel:2012 <tel:2012>>
> <mailto:pa...@ukcreativedesigns.com>
> <mailto:paul@__ukcreativedesigns.com
> <mailto:pa...@ukcreativedesigns.com>>>
> var isAllowed = DocumentSession.IsAllowed(__authUser,
from all roles, and call IsAllowed on them? What if there are hundreds,
is this still ok?
Can they be all wrapped up into a single request (lazily), or will it
be a separate request for each?
On 15 August 2012 15:44:13, Oren Eini (Ayende Rahien) wrote:
> IsAllowed is usually on the global level, and that you can call once:
>
>
> If it is on a specific document, you have to call it on that.
>
> On Wed, Aug 15, 2012 at 5:37 PM, Paul Hinett
> <pa...@ukcreativedesigns.com <mailto:pa...@ukcreativedesigns.com>> wrote:
>
> Sure yes.
>
> Well i think adding different views for different
> permissions/operations could get out of hand very fast. I think it
> will be just a case of some if/else logic within the view to
> show/hide certain elements, there will only be at most 3/4 per
> view so it's manageable. My view models would contain properties
> such as:
>
> CanUpdatePageTitle
> CanDeletePage
> CanUseModerationTools
>
> Oren:
> when you say load the permissions once at login time, what should
> i get? Permissions could come from specific documents, different
> roles the user is associated with and from the
> AuthorizedUser/{user} document too. Do i need to get all this
> (how?) and store into memory/cookie/cache for the current user?
>
>
>
> On 15 August 2012 <tel:2012> 13:39:05, Oren Eini (Ayende Rahien)
>
> If it is on a specific document, you have to call it on that.
>
> On Wed, Aug 15, 2012 at 5:37 PM, Paul Hinett
> <pa...@ukcreativedesigns.com <mailto:pa...@ukcreativedesigns.com>> wrote:
>
> Sure yes.
>
> Well i think adding different views for different
> permissions/operations could get out of hand very fast. I think it
> will be just a case of some if/else logic within the view to
> show/hide certain elements, there will only be at most 3/4 per
> view so it's manageable. My view models would contain properties
> such as:
>
> CanUpdatePageTitle
> CanDeletePage
> CanUseModerationTools
>
> Oren:
> when you say load the permissions once at login time, what should
> i get? Permissions could come from specific documents, different
> roles the user is associated with and from the
> AuthorizedUser/{user} document too. Do i need to get all this
> (how?) and store into memory/cookie/cache for the current user?
>
>
>
> wrote:
>
> inline
>
> On Wed, Aug 15, 2012 <tel:2012> at 3:29 PM, Paul Hinett
> <pa...@ukcreativedesigns.com
> <mailto:pa...@ukcreativedesigns.com>
> <mailto:paul@__ukcreativedesigns.com
> <mailto:pa...@ukcreativedesigns.com>
> <mailto:paul@__ukcreativedesigns.com
> <mailto:pa...@ukcreativedesigns.com>>>
>
> wrote:
>
> I have a project which would suit the use of the
> authorization bundle, but i just have a couple of
> basic
> questions to get me off the ground.
>
> I have setup several roles and operations, an example
> operation is 'Pages/AddNewPage', what is best
> practice to
> perform the validation check when adding a new page?
>
> Is it a case of littering my controllers actions
> with the
> following, or is there a more elegant way?
>
> var authUser =
> DocumentSession.Load<User>(__currentUserId);
> wrote:
>
> I have a project which would suit the use of the
> authorization bundle, but i just have a couple of
> basic
> questions to get me off the ground.
>
> I have setup several roles and operations, an example
> operation is 'Pages/AddNewPage', what is best
> practice to
> perform the validation check when adding a new page?
>
> Is it a case of littering my controllers actions
> with the
> following, or is there a more elegant way?
>
> var authUser =
> var isAllowed = DocumentSession.IsAllowed(__authUser,
Oren Eini (Ayende Rahien)
Aug 15, 2012, 11:08:40 AM8/15/12
to rav...@googlegroups.com
You can do that lazily, but not easily. And if there are hundreds, then you probably don't want to do that.
<mailto:paul@ukcreativedesigns.com>
<mailto:paul@__ukcreativedesigns.com
<mailto:paul@ukcreativedesigns.com><mailto:paul@__ukcreativedesigns.com
<mailto:paul@ukcreativedesigns.com>>>
Reply all
Reply to author
Forward
0 new messages