RichFilemanager

multiple users access control to FM nodejs

Open hathemi opened this issue 5 years ago • 2 comments

In raising this issue, I confirm the following (please check boxes):

  • [x] I have read and understood the Wiki. Especially deploy and configuration articles.
  • [ ] I have checked that the bug I am reporting can be replicated, or that the feature I am suggesting isn't already present.
  • [ ] I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.
  • [ ] I realise that server-side connectors are provided by various contributors. The implementations vary due to programming language features/limitations or other factors. Thus a particular connector may not implement, or partially implement, the API features.
  • [ ] I realise that any changes in configuration options and/or plugin parameters affect the plugin behavior. I specified all the differences from defaults in details.

I use the following server-side connector (check one):

  • [ ] PHP connector by servocoder
  • [ ] Java connector by fabriceci
  • [ ] Python3 Flask connector by jsooter
  • [ ] Python3 Flask connector by stevelittlefish
  • [x] NodeJs connector by jlaustill and forestlake
  • [ ] ASP.NET Core connector by sinanbozkus
  • [ ] ASHX connector by richeflits
  • [ ] Other (specified below)

My familiarity with the project is as follows (check one):

  • [ ] I have never used the project.
  • [ ] I have used the project briefly.
  • [x] I have used the project extensively, but have not contributed previously.
  • [ ] I am an active contributor to the project.

If your app has x groups of users and you want to give them different rights, for example:

  • User: can access the FM, select or download a file.
  • Admin: all above + upload/delete files + zip
  • Super admin: all above + unzip files

(By default, the actual case, the user has all roles.) Is it possible to do something like that with filemanage.js node connectors?

hathemi, Dec 26 '18 13:12

NOTE: my answer and all links refer to the PHP connector implementation. I doubt similar features are implemented in the NodeJS connector. You can use the linked resources as a reference to implement similar features for the NodeJS connector. If you succeed, don't forget to make a PR, please.

  1. You can use the readOnly server-side configuration option for general restriction.

  2. In addition, you can perform read/write access control as described in the Security wiki article.

  3. For more subtle configuration, take a look at this commit. It allows you to override the capabilities client-side settings. All you need is to include a list of capabilities in the response of the initiate API method. Response example:

{
    "data": {
        "id": "/",
        "type": "initiate",
        "attributes": {
            "readOnly": false,
            "capabilities": ["select", "upload", "download", "rename", "copy", "move", "replace", "delete", "extract"]
            // other server-side config options
        }
    }
}

Now all you have to do is to alter the list of allowed capabilities based on your user role.

IMPORTANT: keep in mind that the last approach is more for managing UI actions (the capabilities list in the context menu, etc.). For instance, removing the "upload" capability from the list will hide the Upload button from the UI, but won't prevent the user from performing a direct request to the "upload" API method. To make your application really secure you should combine it with one or both server-side approaches described above.

Good luck!

psolom, Dec 26 '18 18:12
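The distinction drawn in the comment above (a per-role capabilities list for the UI, plus a server-side check so a direct request is still refused), as an added example that is not part of the original thread or of any RichFilemanager connector. The role names, the function names and the rule that a protected API method is named after the capability it needs are assumptions; the capability names come from the response example above, which has no "zip" entry, so zip is left out.

```javascript
// Added example. Role names and function names are hypothetical.
// The role must come from the server-side session, never from the request.
const ROLE_CAPABILITIES = {
  user: ["select", "download"],
  admin: ["select", "download", "upload", "delete"],
  superadmin: ["select", "download", "upload", "delete", "extract"],
};

// Capability names taken from the "initiate" response example in the thread.
const KNOWN_CAPABILITIES = new Set([
  "select", "upload", "download", "rename", "copy",
  "move", "replace", "delete", "extract",
]);

// Methods that need no capability (assumption: extend this with the
// connector's read-only listing methods).
const OPEN_METHODS = new Set(["initiate"]);

function capabilitiesFor(role) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching;
  // an unknown or missing role gets an empty list (deny by default).
  return Object.prototype.hasOwnProperty.call(ROLE_CAPABILITIES, role)
    ? ROLE_CAPABILITIES[role].slice()
    : [];
}

// UI side: the "initiate" response only advertises what the role may do.
function initiateResponse(role) {
  return {
    data: {
      id: "/",
      type: "initiate",
      attributes: { readOnly: false, capabilities: capabilitiesFor(role) },
    },
  };
}

// Server side: run before dispatching every API request, so hiding a button
// is never the only control. Assumes method name equals capability name.
function authorize(role, method) {
  if (OPEN_METHODS.has(method)) return { allowed: true, status: 200 };
  if (!KNOWN_CAPABILITIES.has(method)) return { allowed: false, status: 400 };
  const allowed = capabilitiesFor(role).includes(method);
  return { allowed, status: allowed ? 200 : 403 };
}
```

Call `authorize` from a middleware placed in front of the connector's routes and return its `status` when `allowed` is false.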

@servocoder thanks for replying. I have been thinking about your suggestion and I found it quite difficult for me to implement; besides, it doesn't respond to my needs. So, I have decided to add a database using Kinex. I have prepared my API router and still can't figure out a solution on how to launch a login modal when the application starts. Any guidelines will be appreciated.

hathemi, Dec 27 '18 09:12