How to Grant discoverUserInfoWithUserRecordID Permission

How to grant discoverUserInfoWithUserRecordID permission?

    var defaultContainer = CKContainer.defaultContainer()
    var publicDatabase = defaultContainer.publicCloudDatabase
    defaultContainer.requestApplicationPermission(.PermissionUserDiscoverability, {status, error in
        // status reports whether the user granted or denied the permission
    })

Requests the specified permission from the user asynchronously.

The first time you request a permission on any of the user’s devices, the user is prompted to grant or deny the request. Once the user grants or denies a permission, subsequent requests for the same permission (on the same or separate devices) do not prompt the user again.
This method runs asynchronously and delivers the results to the block you provide.

How to fetch AppleID via CKRecordID?

For firstName, lastName you can use this way, e-mail / appleID I still do not know:

    var defaultContainer = CKContainer.defaultContainer()
    var publicDatabase = defaultContainer.publicCloudDatabase

    defaultContainer.discoverUserInfoWithUserRecordID(recordID, {userInfo, error in
        println("firstName: \(userInfo.firstName?) lastName: \(userInfo.lastName?)")
    })

How to authorize a user to only see his own records with asp.net Identity 2.0

It's pretty simple really. To illustrate with the example Company you provided. (Note that you should use UserId to join rather than UserName since UserName can change, but UserId will always be unique.)

Instead of having UserName in your Company table, you need to change that to UserId. Then you join the AspNetUsers table with your Company table on UserId.

For example (I prefer to use the query syntax rather than the fluent syntax):

    var companies = from c in db.Companies
                    join u in db.AspNetUsers
                        on c.UserId equals u.Id   // the key column of AspNetUsers is Id
                    where u.UserName == User.Identity.Name   // == compares; a single = does not compile here
                    orderby c.CompanyName
                    select c;

If you need the username as well, then include that in your select

    select new { Company = c, User = u.UserName };

However, this model does not work if you want to have multiple users per company. You either need to add CompanyId to the users table (assuming a user can't be a member of more than one company) or create a many-to-many join if a user can be a member of multiple companies.

So rather than linking the user to the company, you link the company to the user. Your current model only allows one user per company.

Another thing I see wrong here is the use of DisplayName in your entity object. That seems to indicate you are using the entity in your MVC view, which you shouldn't do. You should create a separate ViewModel.

Here is how it should look for multiple users per company:

    public class Company
    {
        public int CompanyID { get; set; }

        // Link to the UserId in Identity: AspNetUsers.Id
        // [Display(Name = "Username")] <-- Get rid of these
        // public string UserName { get; set; } <-- get rid of these
        ...
    }

    public class ApplicationUser : IdentityUser
    {
        public int CompanyId { get; set; }
    }

Then change your query to:

    var companies = from c in db.Companies
                    join u in db.AspNetUsers
                        on c.CompanyID equals u.CompanyId // <-- Change to this
                    where u.UserName == User.Identity.Name   // == compares; a single = does not compile here
                    orderby c.CompanyName
                    select c;

Allow users to view specific records based on custom security requirements

Well, I secure pages with information "limited" to logged on users. So if they have membership in a particular role, then only those users can jump/see such pages.

However, in your case, and often?

Well, it's not so much the web page the user can use, or be restricted from.

However, when a web page can be restricted based on IIS security and not your code, then that option should be used.

However, often in code, for example, we have individual users from a given company, and ONLY some can and are allowed to see all projects (so some can only see their own projects, but from that company, some have rights to see + use all projects).

So, we often have code, say, like this:

    Dim cmdSQL As New SqlCommand("dbo.GetProjects", GetCon)
    cmdSQL.CommandType = CommandType.StoredProcedure

    ' All three values come from the logged-on user's membership data, not from the request
    cmdSQL.Parameters.Add("@LogonID", SqlDbType.Int).Value = Membership.GetUser.ProviderUserKey
    cmdSQL.Parameters.Add("@Email", SqlDbType.NVarChar).Value = Membership.GetUser.Email
    cmdSQL.Parameters.Add("@PortalMaster", SqlDbType.Bit).Value = IIf(Roles.IsUserInRole("PortalMaster"), 1, 0)

So, if the user is a PortalMaster, then they can get and see all projects belonging to that company (each company that logs into the site can have 1 or 20 employees that belong to the given company).

So, in the above, the query is going to pull projects by EmployeeID (their logon), and thus they can only ever see their own projects.

If you are a member of the PortalMaster group, then we pull projects based on CompanyID.

So, while you might not be using the older security provider like above? Your queries that pull projects simply have to restrict rows returned based on the above.

Once those projects are returned (in a nice grid - searching options included), then they can select (click on) a project. That next page does not really care anymore, since you can't get to the project details page until you have selected a project.

So, obviously you must have, for a given Project, who created it. And thus your ability to display their current projects will be restricted based on their logon ID or whatever you are using now.

But, for state level users? Then your criteria is by their logon id and the state they belong to based on that logon.

And then there is the "admin" role or group - they can search and pull on all projects.

So, while we do restrict web pages by "role" security (based on IIS), that just means that all users can, or cannot, hit some web pages based on their role membership (and such security does not require code on my part - the IIS security assigned to those web pages can do all that dirty work for you).

However, if you are a legal logon, then you can only ever work on projects that belong to your company. But then it is a question if that user also has the role of "PortalMaster", and if they do, then we pull all projects for display to select from for that given user.

And of course we never use, say, URL "query parameters", and such internal database company ID, or ContactID (user id) are never exposed, nor do we possibly allow display of information or data that doesn't belong to the given user.

So, you need to build some SQL or some stored procedures, and having a few "parameters" for those stored procedures that return rows of data based on their role membership is pretty much how you would approach this. So in the above, if the user is a portal master, then the stored procedure simply queries the data based on the company they belong to as opposed to their contact id.

Now, this of course assumes the database schema is set up, and for example, we have a company table, an employee table (that has their logon information), and then of course each project created has both a created by, and the company the project belongs to. So, that simple information is enough to provide the 2 levels of security.

We actually don't have a "super user" that can look at and see all projects in the system, but it's actually not all that bad of an idea, since for testing, or checking a project that has some problem is a "pain" right now, since we in theory have to create a logon for that company, or get a password.

So, all logons we create belong to a given company. And thus when a user creates a new project, it can only be created under that one company, and of course a project also requires the user that created the project.

So, you simply have to restrict records returned in the page in which they can select a project to work on. IIS security, or in fact SQL server security as a general rule can't do this type of security for you - you the developer have to.

How to allow a User only access their own data in Spring Boot / Spring Security?

In any @Controller, @RestController annotated bean you can use Principal directly as a method argument.

    @RequestMapping("/users/{user_id}")
    public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
        // test if userId is current principal or principal is an ADMIN
        ....
    }

If you don't want the security checks in your Controllers you could use Spring EL expressions.
You probably already use some built-in expressions like hasRole([role]).

And you can write your own expressions.

  1. Create a bean

    @Component("userSecurity")
    public class UserSecurity {
        public boolean hasUserId(Authentication authentication, Long userId) {
            // do your check(s) here
        }
    }

  2. Use your expression

    http
        .authorizeRequests()
        .antMatchers("/user/{userId}/**")
        .access("@userSecurity.hasUserId(authentication,#userId)")
        ...

The nice thing is that you can also combine expressions like:

    hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)
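
One way to fill in the hasUserId check from the answer above, as an added example that is not part of the original answer. AppUserDetails and its getId() are hypothetical names, assumed here for a principal type that carries the user's database id.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component("userSecurity")
public class UserSecurity {

    /** Hypothetical principal type (an assumption): UserDetails plus the database id. */
    public interface AppUserDetails extends UserDetails {
        Long getId();
    }

    /**
     * Returns true only when the authenticated principal's id equals the
     * {userId} taken from the request path. Every unexpected case denies.
     */
    public boolean hasUserId(Authentication authentication, Long userId) {
        if (authentication == null || userId == null) {
            return false;
        }
        // An anonymous token reports isAuthenticated() == true, so reject it explicitly.
        if (authentication instanceof AnonymousAuthenticationToken
                || !authentication.isAuthenticated()) {
            return false;
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof AppUserDetails)) {
            // For example a bare username String: there is no id to compare against.
            return false;
        }
        // Use equals(): == on two Long objects compares references, not values.
        return userId.equals(((AppUserDetails) principal).getId());
    }
}
```

The id is read from the server-side Authentication object only; the path variable is compared against it and never used as the source of identity.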

