User permissions on subfolders in a Craft multisite environment - subdirectory

I have a craft multisite environment with three sites:
site-one
site-two
site-three
and three usergroups to handle permissions for the sites
users site-one
users site-two
users site-three
users in user groups should only be able to access their site assets, for example:
users in group "site-one" can only access the assets of "site-one".
This question https://craftcms.stackexchange.com/questions/37249/how-do-you-insert-the-site-name-into-a-default-asset-path helped me to create a structure like this:
uploads/
➝ site-one
➝ site-two
➝ site-three
asset location with {site.handle}
And now the problem:
A user from site-one that is logged in can see all three subfolders of uploads. As far as I understand, there's no possibility to restrict user permissions on subfolders.
What I want to achieve is that users from site-one can only see uploads/site-one and so on.
Any ideas on this one?

Related

Should i allow user to use the admin panel to upload his blog?

I'm building an app for someone, one of its function is it allowers the owner to upload blogs to the website.
So i'm wondering if i should create a page for uploading blog or just give him staff permission so he can create and upload it through django's admin panel.
I want to know if this is safe or if it will be worth it to create a front-end template for just one person to use.
It all depends on a lot of things but I will say my opinion on some scenarios:
best practices: ya for sure you have to create a full template page with decorators that allow only staff account to access just like the admin, also don't ever depend on the admin panel even if you wanted a dashboard for an admin just create customized admin template, also some developer just remove the default admin panel on deploy, or may be make the end point of the admin panel instead of '/admin' they make something like that 'SAF#saf$%OIL>$/' to hide it for security
If it works leave it : if we are talking here on simple ecommerce app ya its fine just make a staff account for the owner so he could access the admin panel its fine
if you want to add permissions to the owner account use groups and add the account you created for the admin to this group then go to groups table and add what table should users of this group have access to it's totally fine
only make a customized admin panel when you need more functionality and visualization

How can I override Sitecore’s Media Handler to force user to redirect to login page if user is not authenticated

I need a way to prevent access to files in media items if a user is not authenticated.
If a user is not authenticated he/she should be forced to redirect to the login page. If a user is authenticated then we should let the user to access the media item file, like we should handover the request to Sitecore.
Also help me on changing the configuration settings to override the existing MediaRequestHandler.
I would suggest using the OOTB Sitecore Security feature to grant or deny access to any item including media files.
This way you can restrict access to the specific assets only, not to ALL media files as in case with a bespoke media handler overriding the standard one, and you will not create any technical dependency on your custom code going forward. The latter is seen to be critical from the future website maintenance and Sitecore upgrade perspective.
To begin with, create a secure folder in the Media Library where you will be uploading the protected files and remove the READ permission from the anonymous user (typically it is extranet\anonymous). The full list of access rights can be found here. Expect all child assets to inherit the access permission from the parent folder. Now if you upload an asset into the restricted folder and try to request it in the frontend, you will get the "Access denied" message which is correct.
Next step is to create a new user role that will be allowed to view the restricted media files or use your existing one for the logged in users, assign the READ rights to this role, then assign this role
to the media folder and items you want to be accessible behind the login only.
Depending on your user experience on the website you can check whether the current context user can read a certain media item or not by calling item.Access.CanRead() method and then show or not a download/preview link for it or redirect to the login form.

django admin like behaviour for app users

We have merchants with campaigns in our project. Currently, we - as superuser - manage all merchants' campaigns. However, some merchants require access to campaign management so that they can control the process and set new campaigns themselves.
There is a possibility to create the second admin site and set permissions so that only merchants can log in. However, what we need is - to filter only the campaigns owned by logged in merchant and also, when creating a new one the merchant_id should be prefilled and readonly.
Is it possible to do it using the second django admin site or should I create a special frontend interface for this purpose? Is it possible to set permissions per user-object pair (in django admin)?
Edit: I found django-guardian https://github.com/django-guardian/django-guardian/blob/devel/README.rst that should be able to do what I need.

Rolling out own permission app or modifying django permission

I am working on a project which needs a separate admin interface. The django admin interface is for the super super user, there will be companies who will sign up for our app and then they will have their own admin interface. Everything is set and done despite the permission. We want model level permission that's what Django provides.
What I did is:
class CompanyGroup(models.Model):
name = models.CharField(max_length=254)
permissions = models.ManyToManyField(Permissions)
Now this list all the permissions of the site itself. So, Should I start working on my own permission app or I can modify django Permissions to provide object level permissions for only some models.
Thanks
Try one of the several existing 'row level' / 'per object' permissions apps for Django:
http://django-guardian.readthedocs.org/en/v1.2/
http://django-object-permissions.readthedocs.org/en/latest/
...there are probably others, those are just the first two in Google
We are using django-guardian in current project at work, seems fine.
I am assuming that you need to control access to sub-sets of each model's objects, depending on which company the current user belongs to (i.e. you don't want people from Company A to see items from Company B). For this reason you need row level permissions.
You probably also need to limit the permissions of all 'company users' to only certain actions:
You do not need to create a CompanyGroup class.
Instead just enable the admin site, log in as super user and create a django.contrib.auth.models.Group which contains the global permissions applicable to company users.
then ensure when you create any new company user logins that they are added to that Group

I'm having difficulty working out how to do permissions for my Django models? (not admin)

I have a range of models for my Django project. Everyone with a login has a Profile. A Profile will have certain permission access to the different parts of the website... Be able to view or edit certain accounts in the Account model. Be able to view or edit certain accounts in the Module model. Be able to delete or be blocked from accessing other Profiles. etc. People with Profiles do not access the normal Django built-in admin, it's all a custom website-side area where all of this stuff will take place.
Django's built in permissions stuff didn't seem to cover this sort of module/row level permissions. I was thinking of having a simple Permissions model with Profile and Permission Type foreign keys in them. Then all the things I want to be accessable only by Profiles with permissions will have a many to many to this Permissions model. But I'm not sure that's how to go about it?
What is an ideal way of doing permissions for the profiles to restrict access to rows of other models?
Check out Florian Apolloner's Django Advent post on Object Permissions. I found it to be a decent way of doing object-level permissions.