How to implement the creation of users with a non-base role in an application with RBAC?
In all the materials I found while searching for an answer to this question, I came across the same thing: they show how to write an Express middleware that acts as a role guard; in general everything is quite primitive, and everywhere a user with a non-basic set of permissions is created exactly like a base user, i.e. there is a route auth/register and a route auth/register-admin. Now I have no understanding of how admins, moderators, etc. are actually supposed to be created. I would be very grateful for the knowledge needed to understand this, thanks!
Users with a non-base role obviously cannot register themselves; other users who have that right must create them.
The auth/register call is available to everyone and creates a user with the normal role. The auth/register-admin call is already subject to access rights: only those who have the right can call this endpoint (and it is more correct to call it not register-* but create-*), and it creates a user with the appropriate role instead of the base one.
There are essentially two options: either the user registers himself with the basic role and those who have the right then "raise" him, or those who have that right create him in advance, immediately with the necessary roles.
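The two paths this answer describes, as an added example in plain Node.js that is not from the original post (no Express dependency; the role names, the role-to-permission table, the in-memory store and the `requirePermission` guard are assumptions):

```javascript
// Added example: public registration always yields the base role, while
// creating a user with another role, or raising an existing user, is reserved
// for actors who hold the corresponding permission.
// Role names, permissions and the in-memory store are constructed for this demo.

// Role -> permissions table. The base role ("user") can create nothing.
const ROLE_PERMISSIONS = {
  user: [],
  moderator: ["view_users"],
  admin: ["view_users", "create_users", "set_privileges_users"],
};

const users = new Map(); // id -> { id, email, role }
let nextId = 1;

// True if the actor's role carries the given permission. An absent or
// unauthenticated actor has no permissions.
function can(actor, permission) {
  const perms = ROLE_PERMISSIONS[actor && actor.role] || [];
  return perms.includes(permission);
}

// Path 1a: auth/register, open to everyone. The role is fixed server-side;
// anything the client sends in body.role is ignored, otherwise anyone could
// self-register as admin.
function register(body) {
  const user = { id: String(nextId++), email: body.email, role: "user" };
  users.set(user.id, user);
  return user;
}

// Path 1b: the create-* endpoint. Only an actor holding create_users may call
// it, and it is the actor, not the new account, who chooses the role.
function createUser(actor, body) {
  if (!can(actor, "create_users")) throw new Error("forbidden: create_users");
  if (!(body.role in ROLE_PERMISSIONS)) throw new Error("unknown role");
  const user = { id: String(nextId++), email: body.email, role: body.role };
  users.set(user.id, user);
  return user;
}

// Path 2: "raise" an existing base user. Requires set_privileges_users.
function setRole(actor, userId, role) {
  if (!can(actor, "set_privileges_users")) throw new Error("forbidden: set_privileges_users");
  if (!(role in ROLE_PERMISSIONS)) throw new Error("unknown role");
  const user = users.get(userId);
  if (!user) throw new Error("no such user");
  user.role = role;
  return user;
}

// Express-style guard to mount in front of create-*/set-role routes, e.g.
//   app.post("/users/create", requirePermission("create_users"), handler)
// It assumes an earlier authentication middleware has set req.user.
function requirePermission(permission) {
  return function (req, res, next) {
    if (!can(req.user, permission)) {
      res.status(403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}
```

The point of keeping `register` and `createUser` as separate functions is that the first one never reads a role from the request at all, so there is no field for a client to tamper with; the second one is reachable only behind `requirePermission("create_users")`.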
I'm also working with RBAC now, but only in Symfony.
It all boils down to the fact that in certain methods a certain function is called that checks for the presence of an attribute allowing access.
Only, Symfony has something called voting (Voters).
Here's an example:
<?php
namespace App\Security\Administrator\Voter;

use App\Entity\User;
use App\Entity\UserGroup;
use Exception;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Class UserVoter
 * @package App\Security\Administrator\Voter
 */
class UserVoter extends Voter implements IVoter // IVoter is the author's own interface (declares getAttributes(); not shown in the post)
{
    public const CREATE_USERS = 'create_users';
    public const EDIT_USERS = 'edit_users';
    public const DELETE_USERS = 'delete_users';
    public const VIEW_USERS = 'view_users';
    public const VIEW_CONTACTS = 'view_contacts';
    public const SET_PRIVILEGES_USERS = 'set_privileges_users';

    /**
     * Tells the security system whether this voter has an opinion on $attribute at all.
     * @param string $attribute
     * @param mixed $subject
     * @return bool
     */
    protected function supports($attribute, $subject)
    {
        return in_array($attribute, $this->getAttributes(), true);
    }

    /**
     * Grants access only if the user's group holds the attribute that was actually requested.
     * @param string $attribute
     * @param mixed $subject
     * @param TokenInterface $token
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false;
        }

        try {
            $permissions = [];
            if (is_a($user->getGroup(), UserGroup::class)) {
                $permissions = $user->getGroup()->getPermissions();
            }

            // Compare against the requested attribute itself. Checking whether the
            // user holds *any* attribute this voter knows about would let a user
            // with only view_users pass a create_users check.
            foreach ($permissions as $permission) {
                if ($permission === $attribute) {
                    return true;
                }
            }

            return false;
        } catch (Exception $exception) {
            return false;
        }
    }

    /**
     * All attributes this voter is responsible for.
     * @return string[]
     */
    public function getAttributes()
    {
        return [
            self::CREATE_USERS,
            self::EDIT_USERS,
            self::DELETE_USERS,
            self::VIEW_USERS,
            self::VIEW_CONTACTS,
            self::SET_PRIVILEGES_USERS,
        ];
    }
}

...
$this->denyAccessUnlessGranted(UserVoter::CREATE_USERS, null, "Вам запрещено создавать пользователей.");
...
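The voter shape from this answer, re-expressed in plain JavaScript as an added example (not the answer's code and not Symfony's) so that the decision logic can be run against sample users. The user/group objects, the "affirmative" decision strategy and `denyAccessUnlessGranted` are assumptions that mirror the Symfony pieces the answer relies on:

```javascript
// Added example: a voter decides on a single attribute for a single user;
// a decision manager collects the votes. Attribute names follow the answer;
// the user/group objects and the strategy are constructed for this demo.

const USER_ATTRIBUTES = Object.freeze({
  CREATE_USERS: "create_users",
  EDIT_USERS: "edit_users",
  DELETE_USERS: "delete_users",
  VIEW_USERS: "view_users",
  VIEW_CONTACTS: "view_contacts",
  SET_PRIVILEGES_USERS: "set_privileges_users",
});

const ACCESS = Object.freeze({ GRANTED: 1, ABSTAIN: 0, DENIED: -1 });

class UserVoter {
  // supports(): does this voter have an opinion on `attribute` at all?
  // Unknown attributes make the voter abstain instead of deny.
  supports(attribute, _subject) {
    return Object.values(USER_ATTRIBUTES).includes(attribute);
  }

  // voteOnAttribute(): grant only if the user's group carries *this* attribute.
  // A user with no group, or a group without permissions, is denied.
  voteOnAttribute(attribute, _subject, user) {
    const group = user && user.group;
    const permissions = Array.isArray(group && group.permissions) ? group.permissions : [];
    return permissions.includes(attribute);
  }

  vote(user, subject, attribute) {
    if (!this.supports(attribute, subject)) return ACCESS.ABSTAIN;
    return this.voteOnAttribute(attribute, subject, user) ? ACCESS.GRANTED : ACCESS.DENIED;
  }
}

// Affirmative strategy: the first GRANTED vote wins; if every voter denies or
// abstains, access is refused (deny by default).
class AccessDecisionManager {
  constructor(voters) {
    this.voters = voters;
  }

  isGranted(user, attribute, subject = null) {
    for (const voter of this.voters) {
      if (voter.vote(user, subject, attribute) === ACCESS.GRANTED) return true;
    }
    return false;
  }
}

// Counterpart of the controller call in the answer: throw unless granted.
function denyAccessUnlessGranted(manager, user, attribute, message = "Access denied.") {
  if (!manager.isGranted(user, attribute)) throw new Error(message);
}
```

The check that matters is `permissions.includes(attribute)` in `voteOnAttribute`: a user whose group carries only `view_users` must be denied `create_users`, and an attribute no voter supports must end in a refusal rather than a pass.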