What is best practice to give a user administrator rights for one application (to manage users)


Tim Richardson

May 29, 2013, 11:52:40 PM5/29/13
to web...@googlegroups.com
I want to give a user the ability to add users for one application.

I have created a group called admin, made her a member, and decorated the index function in controller appadmin
@auth.requires_membership('admin')


Then I have added a link to the index function of the appadmin controller.

I am nervous about this.



Massimo Di Pierro

May 30, 2013, 1:27:27 AM5/30/13
to web...@googlegroups.com
The "admin" group of your application will not give members access to the "admin" interface or the "appadmin" interface.

The "admin" in web2py is somebody who has complete and unrestricted access to the application source and the database.
The groups you create, however you call them, will never give the members the permission to become "admin".

If this is what you want to do, you can, but you need to change the authorization code inside the appadmin.py controller and replace

if (request.application == 'admin' and not session.authorized) or \
        (request.application != 'admin' and not gluon.fileutils.check_credentials(request)):
    redirect(URL('admin', 'default', 'index',
                 vars=dict(send=URL(args=request.args, vars=request.vars))))

with something like:

if not auth.has_membership(role="admin"): redirect(.....)

Tim Richardson

May 30, 2013, 3:44:51 AM5/30/13
to web...@googlegroups.com
The web2py admin actually has access to the applications (plural) in my understanding. I thought that giving specific people access to managing users and groups per-application would not be unusual.

Your suggestion looks good, because I assume that this authorisation would only be in the scope of the particular application database(s).

Note for anyone reading this thread: the decoration I mentioned in my first post didn't work because admin access was still needed; it just added another layer of authorisation.



--
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/-jDv4zIBtzw/unsubscribe?hl=en.
To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
Tim Richardson

Anthony

May 30, 2013, 9:24:20 AM5/30/13
to web...@googlegroups.com
On Thursday, May 30, 2013 3:44:51 AM UTC-4, Tim Richardson wrote:
The web2py admin actually has access to the applications (plural) in my understanding. I thought that giving specific people access to managing users and groups per-application would not be unusual. 

That's not unusual, but in web2py, you don't typically do it by exposing appadmin, which provides complete access to the entire database. If you just want to let an admin manage users and groups, you should write a simple function that exposes only the users, groups, and membership tables -- SQLFORM.smartgrid might be a good option. Perhaps we should add such a function to the "welcome" app to make it easier to manage Auth memberships and permissions.

Anthony

Massimo Di Pierro

May 30, 2013, 12:50:38 PM5/30/13
to web...@googlegroups.com
The caveat here is that appadmin is unsafe; that is why it is restricted to administrators. This is because the queries in appadmin are Python code, therefore they can be exploited to gain login access to the system. This is not a problem for admin because he/she already has login access.

Instead of hacking appadmin access, I suggest just creating an action like:

@auth.require_membership(role='admin')
def manage():
      tablename = request.args(0)
      if tablename: grid = SQLFORM.smartgrid(db[tablename])
      else: grid = UL(*[LI(A(t,_href=URL(args=t)) for t in db.tables])
      return locals()

and it will work even better.

Tim Richardson

May 30, 2013, 11:04:25 PM5/30/13
to web...@googlegroups.com


On Friday, 31 May 2013 02:50:38 UTC+10, Massimo Di Pierro wrote:
The caveat here is that appadmin is unsafe; that is why it is restricted to administrators. This is because the queries in appadmin are Python code, therefore they can be exploited to gain login access to the system. This is not a problem for admin because he/she already has login access.

Instead of hacking appadmin access, I suggest just creating an action like:


Thanks. Some cleanup:

@auth.requires_membership(role='admin')
def manage():
    """ Manage users and groups, code snipped from Massimo """

    tablename = request.args(0)
    if tablename: grid = SQLFORM.smartgrid(db[tablename])
    else:
        grid = UL(*[LI(A(t,_href=URL(args=t))) for t in db.tables])
    return locals()
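
As an added example (not code from this thread or from web2py itself), here is a controller action in the spirit of Anthony's and Massimo's suggestions above, but restricted to an explicit allow-list of the Auth tables instead of every table in db.tables, and answering 404 for anything else rather than letting db[tablename] raise. The group name 'user_admin' is an assumption (use whatever role you created). As in any web2py controller, auth, db, request, SQLFORM, URL, UL, LI, A and HTTP are assumed to be supplied by the framework from the app's model files; the allow-list helper is plain Python so it can be tested outside web2py.

```python
# Added example: a web2py controller action (e.g. controllers/users.py) that lets
# members of one group manage only the Auth tables. The framework-bound names
# (auth, db, request, SQLFORM, URL, UL, LI, A, HTTP) are web2py globals provided
# by the app's models; the allow-list helper is plain Python and testable alone.

# Explicit allow-list: the four tables auth.define_tables() creates by default.
# Naming them (rather than iterating db.tables, as the thread's snippet does)
# means a table added to the model later is never exposed by this action.
AUTH_TABLES = ('auth_user', 'auth_group', 'auth_membership', 'auth_permission')

# Group whose members may use this action (assumed name; use your own).
MANAGER_ROLE = 'user_admin'


def pick_table(requested, allowed=AUTH_TABLES):
    """Map a request argument to an allowed table name.

    Returns the name if it is on the allow-list, otherwise None, so the caller
    can answer 404 instead of letting db[requested] raise on an unknown table
    or serving a table that was never meant to be managed here.
    """
    if requested is None:
        return None
    return requested if requested in allowed else None


def manage():
    """Index of the Auth tables, then a smartgrid for the chosen one.

    The membership check is done in the body with auth.has_membership; the
    @auth.requires_membership(role=...) decorator used in the thread enforces
    the same rule and additionally redirects anonymous users to the login page.
    """
    if not auth.has_membership(role=MANAGER_ROLE):
        raise HTTP(403)

    requested = request.args(0)
    tablename = pick_table(requested)
    if requested is not None and tablename is None:
        raise HTTP(404)  # not on the allow-list: refuse, do not guess

    if tablename:
        # smartgrid follows references into other tables by default;
        # linked_tables keeps it inside the Auth tables.
        grid = SQLFORM.smartgrid(db[tablename], linked_tables=list(AUTH_TABLES))
    else:
        grid = UL(*[LI(A(t, _href=URL(args=t))) for t in AUTH_TABLES])
    return dict(grid=grid)
```

The point of the allow-list is that the user-manager role gets exactly the tables it needs and nothing else, which is the property appadmin cannot give you: appadmin evaluates its query strings as Python, so anyone who can reach it can reach the whole application.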

Anthony

May 30, 2013, 11:07:23 PM5/30/13
to web...@googlegroups.com
See my patch if you want something specifically for managing Auth.

Anthony

Richard Vézina

May 31, 2013, 11:05:49 AM5/31/13
to web2py-users
Hello,

Maybe it would be easy to remove this issue and let appadmin be used by the admin user or any authorized user. Could the search feature of .grid() and .smartgrid() be used to search in appadmin?

Richard


Massimo Di Pierro

May 31, 2013, 12:35:02 PM5/31/13
to web...@googlegroups.com
We could but we do not want to? 