| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
67326
|
Wed Aug 29 18:16:37 2012 |
 | Szu-Ching Peckner | speckner@nd.edu | Question | Linux | latest | Re: secure way to allow users create logbook |
| Stefan Ritt wrote: |
|
| Szu-Ching Peckner wrote: |
|
I don't think there is a good secure way so far, but would like to have your opinion.
If I want user to create logbook for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, have it write to cfg file, but obviously it impose security problem. Is there a good and secure way to allow user to create logbook themselves?
|
Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.
- Stefan
|
Is there a way to set user permission based on certain attribute? can Allow command = <user list> based on attribute?
for example, say type home, user1 can read, user2 can write, user3 can not access type home, but can access type work.
In short, is access control available when I use type to get functionality of separate logbooks? If so, how is this access control done?
|
|
67329
|
Thu Aug 30 10:00:07 2012 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | latest | Re: secure way to allow users create logbook |
| Szu-Ching Peckner wrote: |
|
| Stefan Ritt wrote: |
|
| Szu-Ching Peckner wrote: |
|
I don't think there is a good secure way so far, but would like to have your opinion.
If I want user to create logbook for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, have it write to cfg file, but obviously it impose security problem. Is there a good and secure way to allow user to create logbook themselves?
|
Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.
- Stefan
|
Is there a way to set user permission based on certain attribute? can Allow command = <user list> based on attribute?
for example, say type home, user1 can read, user2 can write, user3 can not access type home, but can access type work.
In short, is access control available when I use type to get functionality of separate logbooks? If so, how is this access control done?
|
Actually I never tried that. Using conditional attributes, you could try that out, but no guarantee that it works. Like
Options type = home{1}, work{2}
{1}Login user = you, me
{2}Login user = me, other
You could play with "login user", "Allow command" and "Deny command".
/Stefan |
|
67330
|
Thu Aug 30 22:47:50 2012 |
| Szu-Ching Peckner | speckner@nd.edu | Question | Linux | latest | Re: secure way to allow users create logbook |
| Stefan Ritt wrote: |
|
| Szu-Ching Peckner wrote: |
|
| Stefan Ritt wrote: |
|
| Szu-Ching Peckner wrote: |
|
I don't think there is a good secure way so far, but would like to have your opinion.
If I want user to create logbook for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, have it write to cfg file, but obviously it impose security problem. Is there a good and secure way to allow user to create logbook themselves?
|
Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.
- Stefan
|
Is there a way to set user permission based on certain attribute? can Allow command = <user list> based on attribute?
for example, say type home, user1 can read, user2 can write, user3 can not access type home, but can access type work.
In short, is access control available when I use type to get functionality of separate logbooks? If so, how is this access control done?
|
Actually I never tried that. Using conditional attributes, you could try that out, but no guarantee that it works. Like
Options type = home{1}, work{2}
{1}Login user = you, me
{2}Login user = me, other
You could play with "login user", "Allow command" and "Deny command".
/Stefan
|
Thanks for reply Stefan.
I tried it, didnt work. I think its expected it didn't work though, or maybe I didn't try it right.
==============
[logbook1]
Login user = user1
Options Type = Home{1}, Work{2}
{1} Login user = user2
This will make user2 unable to login logbook1 at all
============
[logbook1]
Login user = user1, user2
Options Type = Home{1}, Work{2}
{1} Login user = user1
{2} Login user = user2
user1 can login, can search Work type entries, create new entry with Work type.
==============
[logbook1]
Login user = user1, user2
Options Type = Home{1}, Work{2}
{1} Deny New = user1
user1 can still create entries for Home type. I think it's because when user1 login, command New is available for user1, so when user1 click on New, doesn't matter what type user1 choose, submit button is available. If I have Deny New = user1 under logbook1, New is not available, that means user1 can't create entry for Work type either.
===============
seems to me under current code, access control has to be done based on logbook, not attribute. Do you agree?
if that's the case, we may have a lot of logbook because of access control we want to implement. So there is another question:
selection page show all logbooks. Is there a way to make selection page and tabs show logbooks based on user access?
For example, we have 20 logbooks, user1 has acces to 3, when user1 login, selection page only shows that 3 logbooks for user1, and only 3 tabs for user1.
I thought about using group to get logbooks more organized, however I will still face the situation that one group may have 20 logbooks.
Or what would you do to handle this situation? (I asked selection page question earlier in another entry). Maybe we should discuss on that entry? Message ID: 67319
Thanks again.
|
|
1118
|
Mon May 2 13:28:09 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | All | | Re: search and filters in a cookie !? | > Is it possible to have last runtime filtering and viewing method to be
> stored in a cookie in order to make them permanent across navigation ?
Sounds like a good idea. Will put it on the wishlist. |
|
66396
|
Mon Jun 15 12:56:32 2009 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Windows | V2.7.6-219 | Re: search and datetime |
| Arno Teunisse wrote: |
|
Hello
I have the following in elog.cfg :
Attributes = Author, Author Email, Category, Customer, server, Subject , Change Window Begin , Change Window End
List display = ID,Author, Author Email, Category, Customer, server, Subject , Change Window Begin , Change Window End
Type Change Window Begin = datetime
Type Change Window End = datetime
So I want to be able to give a start and end date to the user. However : If I open a find/Search I see this :
There are for each Change Window <item> we get Start: and End: time entries. Was expecting only one date entrie .
Why is this ? Seems to be a feature of datetime or am i missing something.
|
Right, that's a feature. Many people want to specify a range when doing a query on a date. Like Change Window Begin after Jan 1st, 2009 and before Jan 5th, 2009. If you just want a single date, set both Start: and End: to the same date, or actually the End: to Start+1 Day to cover all 24 hours of the Start: date. Otherwise when you have data + time, you would have to match the exact second to retrieve a certain entry. So having a range there is more powerful. |
|
65847
|
Wed Apr 23 07:46:56 2008 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | All | 2.7.3 | Re: scrollable text section only when viewing a log entry |
| Bill Pier wrote: |
|
Is there a way, option, feature to setup the text section only to be scrollable when viewing a log entry, such that the header (meta info) section stays fixed?
|
Unfortunately no. |
|
65853
|
Thu Apr 24 23:52:45 2008 |
 | Bill Pier | bpier@clove.org | Question | All | 2.7.3 | Re: scrollable text section only when viewing a log entry |
| Stefan Ritt wrote: |
|
| Bill Pier wrote: |
|
Is there a way, option, feature to setup the text section only to be scrollable when viewing a log entry, such that the header (meta info) section stays fixed?
|
Unfortunately no.
|
Well, I tinkered a bit with a journal entry display page and found that without having to suggest the flavor-of-the-month web design mantra of "replace table layout with CSS only", just a few CSS tweaks can enable exactly what I am desiring.
For your consideration, here are the tweaks I made to get a fixed header and footer section with a scrollable journal entry section in the middle:
- moved the journal entry content and footer line (elog version info) out of the layout table structure, into their own div sections;
- in the style sheet, added attribute "position:fixed" to the "frame table" section;
- in the style sheet, added attribute sections for journal entry content and footer div sections:
- #content: overflow:auto;position:fixed;top:230px;bottom:30px;width:100%;
- #footer: text-align:center;bottom:0;position:fixed;width:100%;
Now as I'm not a web designer by trade and not intimately familiar with CSS nuances, I used the time honored method of documentation lookup with trial and error.
In any case, it worked and displays exactly the way I wanted; please do consider this for a future elog release.
Bill |
|
65861
|
Mon Apr 28 08:00:18 2008 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | All | 2.7.3 | Re: scrollable text section only when viewing a log entry |
| Bill Pier wrote: |
|
| Stefan Ritt wrote: |
|
| Bill Pier wrote: |
|
Is there a way, option, feature to setup the text section only to be scrollable when viewing a log entry, such that the header (meta info) section stays fixed?
|
Unfortunately no.
|
Well, I tinkered a bit with a journal entry display page and found that without having to suggest the flavor-of-the-month web design mantra of "replace table layout with CSS only", just a few CSS tweaks can enable exactly what I am desiring.
For your consideration, here are the tweaks I made to get a fixed header and footer section with a scrollable journal entry section in the middle:
- moved the journal entry content and footer line (elog version info) out of the layout table structure, into their own div sections;
- in the style sheet, added attribute "position:fixed" to the "frame table" section;
- in the style sheet, added attribute sections for journal entry content and footer div sections:
- #content: overflow:auto;position:fixed;top:230px;bottom:30px;width:100%;
- #footer: text-align:center;bottom:0;position:fixed;width:100%;
Now as I'm not a web designer by trade and not intimately familiar with CSS nuances, I used the time honored method of documentation lookup with trial and error.
In any case, it worked and displays exactly the way I wanted; please do consider this for a future elog release.
|
Apparently you downloaded an ELOG page and modified it manually. Can you send me the modified page, it then would be easier for me to implement it (I can shorten "my" trial and error phase..) |
|