
Security Guidance


  • Security Guidance

    I am a newbie at web apps and am starting one from scratch. I have read as much as I can find on the web security framework and have some questions. First, my web app would be given to someone to self-manage; in that light...

    Is there a way to create a user admin page where users can be viewed and then deleted/edited, and his/her associated groups can be changed as well?

    In the above case, is there a method to create a "Super-Admin" so that certain users such as myself could not be deleted?

    Is there a way, from a web page, for an admin of sorts to export all user data (login/password/groups) from an employee file to the web framework, and how secure is this?
    (I would like to give an easy way to manage group info, as I need group info for other functions and was trying not to duplicate work.)

    Can a page be restricted based on a security group and a field in the record? I.e., if a record is marked public with a logical field then everyone can view it, otherwise only admin folks?
    Last edited by johngtatp; 05-16-2009, 01:06 AM.

  • #2
    Re: Security Guidance

    John,

    To almost all of your questions, yes, but it requires use of filters and Xbasic. "Out of the box" doesn't give all those capabilities.

    For example, I have an app with the following groups:

    Administrator - me and my partner - we are the "super administrators".

    ClientAdmin - we have multiple clients and this is the administrator for each of them. These administrators can only work within their own client population.

    Manager - Within the client, there are numerous stores. The managers can set up and edit employees in their stores only. Optionally, they can create additional managers for their store.

    Employees - They can access pages, but not security

    And then, of course, the general public that can access the public pages.

    Pages can be restricted by group and fields can be restricted by group, but a field on a restricted page cannot be made public.

    The import of users from another table is also a feature of the security framework, but I've never tried allowing this at anything below the Administrator level. I just haven't worked through this, but it might create some problems with creative hackers.

    It sounded a bit like you were thinking of making each client a group. I would recommend against that...too much maintenance when you add or remove clients.

    Pat
    Pat Bremkamp
    MindKicks Consulting



    • #3
      Re: Security Guidance

      Thank you for your response. I only want one organization to have access to their program on separate servers, so they would not each be a group.
      I saw a web page sample where someone can add a person; can you have a web page where the client can manage their own users, such as see a list and add, delete, or edit users? If they can, can you restrict them from deleting you, the "Admin" or "Super Admin" as it were?
      Can I restrict a record based on a field? For example, I have an accident database and a logical which states if it has been "released". Can I not allow a generic user to see this record if this has not been checked?
      Thanks...



      • #4
        Re: Security Guidance

        can you have a web page where the client can manage their own users, such as see a list and add, delete, or edit users? If they can, can you restrict them from deleting you, the "Admin" or "Super Admin" as it were?
        I just did something very similar, so I would say yes. It is just a matter of permissions and filters. Note: I would just hide the Super Admin and Admin from the "power user".


        Can I restrict a record based on a field? For example, I have an accident database and a logical which states if it has been "released". Can I not allow a generic user to see this record if this has not been checked?
        Thanks...
        I think the lowdown is:
        1) If you build a dialog or grid component with all the necessary fields available in it,
        2) then restrict some controls/fields to certain groups.
        3) When a logged-in user asks the web server for a page, the web server determines whether the user has permission to see that field.
        4) The server emits the appropriate HTML.

        So I guess a slightly easier approach may be to have two fields/controls in a component:
        a) one for approved users to see unchecked data,
        b) the other for unapproved users to see.
        Thus the data, when checked, gets posted to the unapproved users.
        --
        There is probably a better way, "I'm just thinking off the top of my head"



        • #5
          Re: Security Guidance

          The appropriate way to not allow someone else to delete your account is to not allow your record to appear in a list that allows delete. So you could filter it out, or more appropriately, include a logical field in your users table and filter out any that are True (prohibit view/delete).

          For an app, I created a user list that was shared by multiple companies. When a person logs in, I grab their CompanyID from the users table. I also determine if they are allowed to view the company list, or just their own record. Then when they view the "user list" it either shows just their record, or if they are allowed, it only shows records for that particular company.

          You can also check my website for some articles on filtering records.
          Steve Wood
          Join the ALPHA DEVELOPERS NETWORK
          There is no Cloud. It's just someone else's computer.
          Web - Mobile - Hosting - Products - Frameworks - Developer Resources
          AlphaToGo | IADN (100% Alpha Anywhere Websites)

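The record and user-list filtering described in posts #3 to #5 (hide unreleased accident records from generic users, show a company's administrator only its own users, keep a protected super-admin account out of any delete list), as an added example. It is a language-neutral Python model written for this page, not Alpha Anywhere or Xbasic code and not code from any poster. The group names, the `protected` and `released` fields, and the sample users and records are assumptions made for the example. It also makes explicit the point the posts leave implicit: filtering a row out of the list is not by itself a control, because a request can name a userid that was never displayed, so the delete handler repeats the check.

```python
"""Server-side row filtering for a multi-company user admin page.

Added example for this page, not Alpha Anywhere / Xbasic code. Group names,
field names and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass

ADMIN = "Administrators"      # the "super administrators" of post #2
CLIENT_ADMIN = "ClientAdmin"  # administers one company's users
MANAGER = "Manager"           # manages staff inside one company


@dataclass(frozen=True)
class User:
    userid: str
    company_id: str
    groups: frozenset
    protected: bool = False   # logical field: prohibit view/delete by others


@dataclass(frozen=True)
class Accident:
    rec_id: int
    company_id: str
    released: bool            # logical field: cleared for general viewing


class Forbidden(Exception):
    pass


def is_admin(user):
    return ADMIN in user.groups


def manages_company(user):
    return CLIENT_ADMIN in user.groups or MANAGER in user.groups


def visible_accidents(caller, records):
    """Filter applied to the query itself, so unreleased rows never reach the
    page: admins see everything; company admins and managers see their own
    company's rows including unreleased ones; everyone else sees only the
    released rows of their own company."""
    out = []
    for rec in records:
        if not is_admin(caller) and rec.company_id != caller.company_id:
            continue
        if not rec.released and not (is_admin(caller) or manages_company(caller)):
            continue
        out.append(rec)
    return out


def visible_users(caller, users):
    """The user list: admins see all accounts; a company admin or manager sees
    the unprotected accounts of their own company; anyone else sees only their
    own record. Protected accounts are filtered out for non-admins."""
    if is_admin(caller):
        return list(users)
    out = []
    for u in users:
        if u.protected:
            continue
        if u.userid == caller.userid:
            out.append(u)
        elif manages_company(caller) and u.company_id == caller.company_id:
            out.append(u)
    return out


def delete_user(caller, target, users):
    """The delete action re-checks authority instead of trusting the list:
    a row hidden from the grid can still be named in a crafted request."""
    if target.userid == caller.userid:
        raise Forbidden("cannot delete own account")
    if target.protected:
        raise Forbidden("protected account")
    if target not in visible_users(caller, users):
        raise Forbidden("target outside caller's scope")
    return [u for u in users if u.userid != target.userid]


# Constructed sample data.
SUPER_ADMIN = User("pat", "HQ", frozenset({ADMIN}), protected=True)
CADMIN_ACME = User("cadmin", "ACME", frozenset({CLIENT_ADMIN}))
EMPLOYEE_ACME = User("emp1", "ACME", frozenset({"Employees"}))
EMPLOYEE_OTHER = User("emp2", "OTHER", frozenset({"Employees"}))
USERS = [SUPER_ADMIN, CADMIN_ACME, EMPLOYEE_ACME, EMPLOYEE_OTHER]
ACCIDENTS = [Accident(1, "ACME", True), Accident(2, "ACME", False),
             Accident(3, "OTHER", True)]

if __name__ == "__main__":
    print([r.rec_id for r in visible_accidents(EMPLOYEE_ACME, ACCIDENTS)])  # [1]
    print([u.userid for u in visible_users(CADMIN_ACME, USERS)])  # ['cadmin', 'emp1']
```

The same predicate is used for both the list and the delete action, so a hidden account cannot be deleted by posting its id directly; in the Alpha framework this corresponds to putting the filter in the component's query and repeating it in the server-side event that performs the delete.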


          • #6
            Re: Security Guidance

            Thanks guys... I ordered the available books and I am feeling quite new to this. I did not see anything in the documentation so far about the network security framework about setting up anything custom. I only noticed a way to bring up a control panel. Can you access the framework database to add a field like a hide logical field or such?



            • #7
              Re: Security Guidance

              John, in attachment is what I was mentioning.
              This is in a grid; you can do the same in a dialog,
              but better still you can use this in menus,
              thus a whole page or menu item can be withheld from some users.
              Also you can organize redirects by group assignments,
              so all up, you have quite a few tools to implement different security arrangements.



              • #8
                Re: Security Guidance

                John,

                Here is a code snippet I use to filter the group lists. This is in the initialize event of a dialog. The idea is to filter the available groups the person is allowed to see on the group checklist (grouplist) according to the group they are a member of (vGrouplist):

                Code:
                '==== get a list of the groups the logged-in person is in
                dim pUser as P
                dim vGrouplist as C
                a5ws_logged_in_user_values(pUser,request,session)
                if eval_valid("pUser.userid")
                    vGrouplist = a5ws_get_user_assignments(pUser.userid,request)
                    '==== get a list of the groups the logged-in user can assign to;
                    '==== grouplist is the dialog's group checklist variable
                    select
                        case is_one_of("Administrators",vGrouplist)
                            ' administrators may assign any group
                            grouplist = a5ws_get_groups(request,.t.)
                        case is_one_of("Clients",vGrouplist)
                            grouplist = "Clients"+crlf()+"Locations"+crlf()+"Employees"
                        case is_one_of("Locations",vGrouplist)
                            grouplist = "Locations"+crlf()+"Employees"
                    end select
                end if

                Pat
                Pat Bremkamp
                MindKicks Consulting



                • #9
                  Re: Security Guidance

                  Hi All,

                  I too need to filter the groups which appear when adding groups by a Power User and not Administrator. In my case, if an Administrator wants to add a user, he sees all the groups. However, if the Power User wants to add a user, he sees all the groups except the Administrators group.

                  Using Pat's code, I got this to work just fine when adding a user. However, my problem is with viewing an existing record. I am using the Alpha "Add Users Via The Web" example. When I view a user, how can I view the groups they are assigned to but still maintain a filtered groups list, i.e. prevent the Administrators group from appearing?

                  In order to see all the information, I used the code in the Alpha example within the Activate Event.

                  Code:
                  pagelist = ""+crlf()+a5ws_get_page_list(request)
                  grouplist = a5ws_get_groups(request,.T.)

                  I have tried to add Pat's code to this page, and it displays the username and password; it also filters the group checkboxes as required, but unfortunately the group checkboxes do not contain the values previously entered for this user. I now need to have the previous values displayed.

                  Code:
                  '==== get a list of the groups the logged-in person is in
                  dim pUser as P
                  dim vGrouplist as C
                  a5ws_logged_in_user_values(pUser,request,session)
                  if eval_valid("pUser.userid")
                      vGrouplist = a5ws_get_user_assignments(pUser.userid,request)
                      '==== get a list of the groups the logged-in user can assign to
                      select
                          case is_one_of("Administrators",vGrouplist)
                              grouplist = a5ws_get_groups(request,.t.)
                          case is_one_of("Power User",vGrouplist)
                              grouplist = "Power User"+crlf()+"Group1"+crlf()+"Group2"+crlf()+"Group3"+crlf()+"Group4"+crlf()+"Group5"
                      end select
                  end if

                  Does anyone know how I should modify the above code so that the groups are populated with the user's values and maintain the filtered list?

                  Thanks,

                  Denis
                  Last edited by den1s; 08-27-2009, 06:34 AM.



                  • #10
                    Re: Security Guidance

                    BUMP!



                    • #11
                      Re: Security Guidance

                      Hi,

                      I think the answer is to combine this

                      Code:
                      grouplist = a5ws_get_groups(request,.T.)
                      with

                      Code:
                      grouplist = "Power User"+crlf()+"Group1"+crlf()+"Group2"+crlf()+"Group3"+crlf()+"Group4"+crlf()+"Group5"
                      Anyone know how this would be done?

                      Denis



                      • #12
                        Re: Security Guidance

                        Replace:

                        Code:
                        grouplist = "Power User"+crlf()+"Group1"+crlf()+"Group2"+crlf()+"Group3"+crlf()+"Group4"+crlf()+"Group5"

                        with a function that strips Administrator out of the list, like:

                        Code:
                        removelist = "Administrator"
                        ' word_subtract() returns the reduced list (it does not change its argument),
                        ' and the group list is one name per line, hence the crlf() delimiter
                        grouplist = word_subtract(grouplist,removelist,crlf())
                        Steve Wood
                        Join the ALPHA DEVELOPERS NETWORK
                        There is no Cloud. It's just someone else's computer.
                        Web - Mobile - Hosting - Products - Frameworks - Developer Resources
                        AlphaToGo | IADN (100% Alpha Anywhere Websites)



                        • #13
                          Re: Security Guidance

                          Steve,

                          My Activate Event in my dialog is now changed to....

                          Code:
                          pagelist = ""+crlf()+a5ws_get_page_list(request)
                          grouplist = a5ws_get_groups(request,.T.)
                          removelist = "Administrator"
                          WORD_SUBTRACT(grouplist,removelist)
                          ....but Administrator is still visible.

                          Any ideas why?

                          Denis



                          • #14
                            Re: Security Guidance

                            I then tried this in the initialize event... Administrator still shows up when I log in as a 'Power User'.

                            Code:
                            '==== get a list of the groups the logged-in person is in
                            dim pUser as P
                            a5ws_logged_in_user_values(pUser,request,session)
                            if eval_valid("pUser.userid")
                                vGrouplist = a5ws_get_user_assignments(pUser.userid,request)
                                '==== get a list of the groups the logged-in user can assign to
                                select
                                    case is_one_of("Administrators",vGrouplist)
                                        grouplist = a5ws_get_groups(request,.t.)
                                    case is_one_of("Power User",vGrouplist)
                                        removelist = "Administrator"
                                        WORD_SUBTRACT(vGrouplist,removelist)

                                        ' grouplist = "Power User"+crlf()+"Issues"+crlf()+"Assumptions"+crlf()+"Change"+crlf()+"Baselines"+crlf()+"Maintainers"
                                end select
                            end if

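The group-assignment filtering discussed in posts #8, #9 and #12 to #14, as an added example. It is a language-neutral Python model written for this page, not Alpha Anywhere or Xbasic code and not code from any poster; the group names, the `ASSIGNABLE` table and the sample inputs are assumptions made for the example. Two points are worth showing beyond the snippets above: the set of groups a caller may grant is derived on the server from the caller's own memberships (what `vGrouplist` does in post #8), never from the posted form; and when a Power User edits a user who already holds a group the Power User cannot see, the save carries that hidden group over unchanged, so it is neither dropped nor grantable. The last function mirrors the `word_subtract()` idea from posts #12 to #14 on the crlf-separated lists used throughout the thread, and shows the two reasons that snippet can leave the group visible: the function returns a new list that has to be assigned, and it matches whole names, so removing "Administrator" does not touch a group named "Administrators".

```python
"""Filtering which groups a user-admin page may assign, and saving the edit.

Added example for this page, not Alpha Anywhere / Xbasic code. Group names,
the ASSIGNABLE table and the sample inputs are constructed assumptions.
"""

ALL_GROUPS = ["Administrators", "Power User", "Group1", "Group2", "Group3"]

# Which groups a member of each role may grant. Derived on the server from the
# caller's own memberships (cf. vGrouplist in post #8), never from the form.
ASSIGNABLE = {
    "Administrators": set(ALL_GROUPS),
    "Power User": set(ALL_GROUPS) - {"Administrators"},
}


class Forbidden(Exception):
    pass


def assignable_groups(caller_groups):
    """Union of what every group the caller belongs to may grant; a caller in
    no privileged group can grant nothing."""
    allowed = set()
    for g in caller_groups:
        allowed |= ASSIGNABLE.get(g, set())
    return allowed


def groups_for_checklist(caller_groups, target_groups):
    """Rows for the group checklist when viewing an existing user (post #9):
    only assignable groups appear, each ticked if the target already holds it.
    Groups the caller cannot assign are not rendered at all."""
    allowed = assignable_groups(caller_groups)
    return [(g, g in target_groups) for g in ALL_GROUPS if g in allowed]


def apply_group_edit(caller_groups, target_groups, submitted):
    """Server-side save. The caller may only add or remove groups it can
    assign; groups hidden from its checklist are carried over unchanged, so a
    Power User editing an Administrator can neither strip nor grant
    'Administrators'. A posted group outside the caller's authority means the
    form was tampered with, and the save is refused."""
    allowed = assignable_groups(caller_groups)
    submitted = set(submitted)
    if submitted - allowed:
        raise Forbidden("cannot assign %s" % sorted(submitted - allowed))
    hidden = set(target_groups) - allowed
    return hidden | submitted


def subtract_groups(group_list, remove_list, delim="\r\n"):
    """Mirror of the word_subtract() approach in posts #12 to #14, on the
    crlf-separated group lists used in this thread. It returns a new list
    (the caller must assign it) and matches whole names, so "Administrator"
    leaves a group called "Administrators" in place."""
    remove = set(remove_list.split(delim))
    return delim.join(g for g in group_list.split(delim) if g not in remove)


if __name__ == "__main__":
    # Constructed sample: a Power User views a user who is already an Administrator.
    print(groups_for_checklist({"Power User"}, {"Administrators", "Group1"}))
    print(apply_group_edit({"Power User"}, {"Administrators", "Group1"}, ["Group2"]))
    print(repr(subtract_groups("Administrators\r\nPower User", "Administrator")))
```

Rendering the checklist from `groups_for_checklist` and saving through `apply_group_edit` keeps the two in step: the page never offers a group the caller cannot grant, and the save enforces the same rule independently of what the browser posts.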


                            • #15
                              Re: Security Guidance

                              BUMP!
