Authorization is the module of an application that is responsible for managing user access to the application's resources.


0
votes
0answers
36 views

Lazily load permissions from database in multithreading environment

I would like to get feedback about this code: ...
6
votes
1answer
354 views

Multiple permission checks in web app automated tests

I am writing automated tests for a web app and at one point I need to make sure that a user can only engage in activities allowed by a set permission. I have written all the standalone methods that ...
0
votes
0answers
67 views

Check if a user is authorised to visit a page

I'm creating a user portal for our customers but I'm yet to find the best way to check if a user is logged in or not. I used to check it by setting some session variables with my ...
2
votes
2answers
79 views
3
votes
0answers
39 views

Multitenant app authorization

Role based security does not work for me well in a multitenant app, as I need to query DB to decide on permission allowance. Here is the solution I came to. All implementations of this interface will ...
3
votes
1answer
107 views

Using a Boolean method that never returns “false” to check user permissions

I need to check that a user is allowed to save/retrieve contacts to/from the database by calling a web service, and return an HTTP403 with an explanation if it is not the case. So for the sake of ...
1
vote
0answers
84 views

Claims authorization service usage

I'm doing an AuthorizationService. I'm not sure how to do the usage interface of this service, so that it's practical and handy. It doesn't necessarily have to be an ...
2
votes
1answer
106 views

Fluent API of a RBAC implementation - follow-up

In the past I posted a question that tried to implement a nice API to support RBAC authorization to resources. And due to the epoch and probably to the bounty it was moderately well received by the ...
6
votes
1answer
115 views

Simple authorization module with Rails

I created a simple Authorization module with Rails. I found that there are other authorization systems, such as CanCanCan, but they grant permissions at Model level and, for this particular website I ...
1
vote
1answer
173 views

Another PHP login handler

I wrote this class to handle login sessions for a framework I'm writing for educational purposes. My major areas of concern: Style I know my style is a little contrary to most coding conventions. ...
5
votes
1answer
1k views

MVC app to associate users with roles

I'm a beginner to web programming and just started a MVC project from scratch. Because this will become a large project eventually, I would like to make sure that I'm doing things kind of right from ...
1
vote
1answer
44 views

Checking whether users have a role that allows them to index sheets

Is there any DRYer way to write this method? Or is it better to keep it this way for better reader understanding ... Each role has a list of authorised activities for a specific resource (in this ...
6
votes
1answer
127 views

MVC4 approach to checking authorization after POST

I have a very simple form that is designed to update account expiration dates. I'm currently creating a View Model and sending that to the form, however, I still have to pass along a GUID so I know ...
2
votes
2answers
484 views

Checking for user permissions

The idea here is we have Roles, Permissions, and a table called PermissionRoles that connect the two. So a Permissions can be in many Roles, and many Permissions can have the same Role. So what the ...
3
votes
2answers
277 views

Single MySQLI query to check for admin privileges

I have this script on top of all pages to check if user is admin otherwise we kick him. The problem is that I don't know if I am using double resources with a double query and results. Can I make this ...
2
votes
1answer
432 views

Approach to MVC 4 windows group security to enable/disable controls in view

There are 3 window groups to add users and the application uses MVC 4. Here's my approach to add security attributes to my controllers and pass user's role to the view in order to enable/disable ...
4
votes
2answers
77 views
3
votes
1answer
52 views

Returning preferences

I have a function that returns some preferences, but first I have to do some checks to see whether the user is authorised to read them. I'm still not happy with the result (the match is a bit ugly). ...
5
votes
1answer
605 views

PHP login script security check

I made an admin login script for my own CMS website that I'm making in CodeIgniter 2.2.1 and I'd like to know what are the potential threats or some holes that I might have left open. This is how it ...
4
votes
2answers
174 views

Allow certain IP addresses to run a C++ program

I coded an executable program (.exe) that I only want run either from my home computer, our main server, or people in our development team. I have coded logic that will only allow the program to be ...
5
votes
2answers
67 views

Activity-based permission checking

I threw together this Python function to check if a User has a certain Permission. First of all, Permissions have this kind of format: category1.category2.some.task...
10
votes
2answers
282 views

Sending activation email for sqlmembership

...
14
votes
8answers
399 views

Create a new Member

I was tasked with member creation on a site that was already developed for Active Directory, so the log in functionality was there and most of the site was all ready to go (after minor major tweaks). ...
3
votes
1answer
295 views

Is there currently anything wrong with my custom authentication and authorization?

I have my reasons not to use the ASP.NET membership. Though this causes me some issues. I read about a thousand articles on ASP.NET MVC custom authentication and I've found that almost all of them are ...
3
votes
2answers
96 views

Iteration of password hashing in PHP - follow-up

This is a follow-up question to Iteration of password hashing in PHP. I've gone through a lot of documentation and stuff to get a feel for this hashing jungle, and done some adjustments to my code ...
1
vote
0answers
399 views

Rails Controller vs Service Object for Application Logic

I have a #change_account action in the accounts controller that verifies if the user has access to the requested account prior to changing the current_account which happens via setting the session[:...
4
votes
1answer
225 views

Shopping cart logic for authenticated users and guests

I am tasked with cleaning up someone else's Objective-C code, and will admit, it is not my language of choice. I am not sure if this is a valid question but was hoping someone could double check my ...
6
votes
2answers
767 views

Attempting to utilize OOP with a user-management class

Originally, this isn't how I would have done this at all. I was told by someone I know who is a programmer that I needed to include several functions: one for removing and adding users, one for ...
2
votes
1answer
47 views

Admin page select

This is a follow up question to: Admin page select function Here, index.php does the following: Checks for a login status using sessions and a cookie If logged ...
9
votes
2answers
2k views

Feature-based authorization

Feature-based authorization It seems to me that if you rely on roles to authorize a web application it makes it very difficult to render UI or code based on a set of features. This means that each ...
10
votes
1answer
2k views

Fluent API of a Role based access control implementation

I am trying to provide a fluent API for authorization based on roles. As you will see I separated my implementation in two related Interfaces the Session and the Query. The session provides all roles, ...
3
votes
4answers
399 views

Building an ACL based on permission level

I'm building a Symfony project and at some point I've come up with a switch case to manage the ACL rights. I would prefer using a dynamic access to the constant but haven't found a good solution. I've ...
6
votes
1answer
220 views

PBKDF2 authorization

I've discovered that using hashed passwords with salts is a much better idea than MD5/SHA256, so I'm not hashing them with PBKDF2. However, I'm wondering if this is a correct approach to authorizing ...
7
votes
2answers
2k views

Custom Authentication Attribute

I was trying to find a way to redirect to different pages on authorization and authentication failure. I found this to be a possible solution. However, I ended with a different solution by myself. It ...
1
vote
2answers
3k views

Checking authorization by role

Just wondering if my else {return false;} statements are superfluous... do I just need one return true; here? ...
10
votes
1answer
39k views

Custom Authentication, Authorization, and Roles implementation

I've got an MVC site, using FormsAuthentication and custom service classes for Authentication, ...
18
votes
3answers
5k views

Administration Elevation

I'm looking into Administration Elevation and I've come up with a solution that seems like it's perfectly sane, but I'm still in the dark about the professional methods to accomplish this. Is there a ...