Access Level for 2 Permissions

Wappler Version : 2.3.1
Operating System : macOS Catalina

Expected behavior

Access to server action for 2 permissions. Please see my following post:

Actual behavior

Access Forbidden

How to reproduce


Not just integers, same for char permissions: if multiple roles are specified in Restrict, it generates an unauthorised response

Have just set-up Security Restrict for a new Project and have had no issues.

Have you checked that you are salting your password input using the same algorithm and salt as you have used for creating the user access credentials? :wink:


Hi @Dave ,
I have no issues with Login.
Did you set up different access permissions and try to secure a server action with more than one permission?

Yes, everything working just fine, see below:

Did you try to secure a server action like the following example with more than one permission?

Yes @MH2ag, it is that stage which fails for me: it is OK for one user in Security Restrict, but if I add two, unauthorised is always returned

1 Like

I stopped trying to get this to work because I put it down to not understanding how to correctly implement it.

Now I see I was doing it the same way as @MH2ag and I was getting the same result.

Ray.

No, have just tried and same result as your good self Marcel… :frowning:

Hello all,

This is not a bug actually, it’s exactly how the security provider permissions are supposed to work.
I believe there’s some kind of confusion here, between permissions and user roles.

The security provider uses Permissions and Permissions based access control. You can even see the word Permission used everywhere in the UI.
With permission based access control you ask which permissions are required, it is an AND operation, so the user needs all the permissions for the action. That is why it is called Permission and not User Role.

So you will need to better set up your permissions and assign users to them. One user may be assigned to different permissions as well - it’s just your logic here, which is wrong @MH2ag.

Hi @Teodor ,
thank you for clarifying this. Does this mean you have to use a 2 table setup for users and permissions? How could I use user roles with one table?

You can assign multiple users/roles to a single permission like:

2 Likes

Does beg the question, how often would you need a user to be in two different roles before allowing access?

In my case, it could be quite often because a user could have multiple roles within the company.

Yes, but from what is said above the roles are additive

If you have 3 roles, Accounts (A) Sales(S) and Logistics (L)

So a user may be in any or more of those roles, that’s fine
But how often would you say this can only be accessed by someone who is in both S & A for example but not if only in S or A

Good point, as you mentioned the roles are typically not cumulative, but singular, so I would agree that it is either or, but not both.

For example, I have local, state, regional, and national promoters. A user could be in one or all of the roles, but access would be for that specific role, not roles combined.

There is a difference between Roles and Permissions. Let’s compare it with the OS when you want to move a file: it will require permission to read, write and delete a file. It checks whether the user has these 3 permissions. If the user doesn’t have the permission it will check the Roles (groups) the user is in and whether one of these has the permissions required.

In most CMS systems it is the same, you assign users to a role or group and that role has certain permissions. Often you can create new roles in the admin panel, the code only checks the permissions required, not the groups the user is in.

OK, I follow that, but if we are using the security provider to define the roles i.e. IN x,y,z then I don't see many ever needing to use multiple Permissions i.e. must be in two different roles. It seems to me that being able to enable multiple roles would be a more useful feature and certainly seems to be how most users interpret this feature

Imagine you have a server action where the required user permission is EditBlogContent and it includes some of the users. Let’s say it includes userID IN 1,2,3

In some other server action you need the DeleteFiles permission, but only for the EditBlogContent users. DeleteFiles permission includes userID IN 2,99,100

Selecting both permissions like EditBlogContent, DeleteFiles will allow only the user with ID 2 to do this. So you don’t have to create a separate permission just for this ID.

So this way many users have the delete permission, but combined with other permissions in different server actions, you can only allow certain users to do certain tasks, without creating a new permission for every case.

1 Like

So, hypothetical situation.
We have 3 departments, Sales, Logistics and Finance, each with an assigned role = S, L or F

Each department generally can only access their own areas.

HOWEVER a few areas must be accessed by BOTH Sales and Logistics so Sales can feedback on deliveries for customers

I think most thought that by adding both sales and finance to the security restrict then both sales and finance could access those areas but we now see that only those in BOTH groups can get access.

So how could we use security restrict to allow this case (other than adding a fourth role, say E (Enquiries), and then adding that as a second role to both Admin and Logistics members)?

I am uncomfortable with using userids in security restrict like above as this would have to be manually amended if new staff are added (or removed) rather than doing it programmatically.

P.S. I still use the two table approach as I find it more flexible

2 Likes
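The two behaviours discussed in this thread, the AND across permissions that Teodor describes (and the EditBlogContent / DeleteFiles example that leaves only user 2 allowed) and the Sales-or-Logistics case from the departments scenario, can be modelled in a few lines. The following is an added example written for this thread, not Wappler's own Security Provider code; the user table, ids, roles and permission names are constructed for illustration, and the rule shape (`field IN (...)`) is an assumption that mirrors the "userID IN 1,2,3" wording above. A permission is satisfied if any of its membership rules match (so one permission can list several users or roles), while a Security Restrict with several permissions requires every one of them.

```javascript
// Added example (not Wappler code): permission-based access control as
// described in the thread. Inside a permission, rules are OR'd; across the
// permissions listed in a restrict, they are AND'd.

// Constructed sample user table (hypothetical ids, names and roles).
const users = [
  { id: 1, name: 'ann', roles: ['S'] },
  { id: 2, name: 'bob', roles: ['S', 'L'] },
  { id: 3, name: 'cid', roles: ['F'] },
  { id: 99, name: 'dee', roles: ['L'] },
  { id: 100, name: 'eve', roles: ['F'] },
];

// Permission definitions. Each rule means "<field> IN (<values>)".
// A user satisfies a permission if ANY rule matches.
const permissions = {
  EditBlogContent: [{ field: 'id', in: [1, 2, 3] }],
  DeleteFiles: [{ field: 'id', in: [2, 99, 100] }],
  Sales: [{ field: 'roles', in: ['S'] }],
  Logistics: [{ field: 'roles', in: ['L'] }],
  // "Sales OR Logistics": one permission that includes both roles, instead
  // of listing two permissions (which would mean "both roles").
  DeliveryFeedback: [{ field: 'roles', in: ['S', 'L'] }],
};

// Does a single rule match this user? Array fields (roles) match if any
// element is in the rule's value list.
function ruleMatches(user, rule) {
  const value = user[rule.field];
  const values = Array.isArray(value) ? value : [value];
  return values.some((v) => rule.in.includes(v));
}

function hasPermission(user, permName) {
  const rules = permissions[permName];
  if (!rules) throw new Error(`unknown permission: ${permName}`);
  return rules.some((rule) => ruleMatches(user, rule));
}

// Security Restrict semantics: EVERY listed permission must hold (AND).
function authorize(user, requiredPermissions) {
  return requiredPermissions.every((p) => hasPermission(user, p));
}

// Mimic the server action response: 200 when allowed, 403 otherwise.
function securityRestrict(user, requiredPermissions) {
  return authorize(user, requiredPermissions)
    ? { status: 200 }
    : { status: 403, error: 'Forbidden' };
}

// Which users pass a given restrict? Handy for checking a setup before
// wiring it into an action.
function allowedUserIds(requiredPermissions) {
  return users.filter((u) => authorize(u, requiredPermissions)).map((u) => u.id);
}

// Stand-alone demo of the cases from the thread.
console.log('EditBlogContent AND DeleteFiles ->', allowedUserIds(['EditBlogContent', 'DeleteFiles']));
console.log('Sales AND Logistics            ->', allowedUserIds(['Sales', 'Logistics']));
console.log('DeliveryFeedback (S or L)      ->', allowedUserIds(['DeliveryFeedback']));

module.exports = { users, permissions, hasPermission, authorize, securityRestrict, allowedUserIds };
```

Listing `Sales` and `Logistics` together yields only user 2 (the one member of both departments), which is the "only those in BOTH groups" result reported above; the `DeliveryFeedback` permission, whose rule names both roles, is the either-or version. Because the role permissions test the user's role field rather than hard-coded ids, adding a new member of staff to a role grants access without editing the restrict.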