Permission Manager doesn't work as expected

hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 06:18

Hi all,

I read the document at http://docs2x.smartfoxserver.com/AdvancedTopics/privilege-manager. I registered an account "demo" with profile GUEST, which is set with the denied request "JoinRoom". When I log in with the account and set: session.setProperty("$permission", DefaultPermissionProfile.GUEST);, the "demo" account cannot join a room (as I expected) but the server doesn't throw any event for that.
How can I receive the event in this case? For example: the account "demo" doesn't have permission to join any room.
Can anyone help me?

Thanks,
Thong
Lapo
Site Admin
Posts: 20110
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Permission Manager doesn't work as expected

Postby Lapo » 03 Sep 2015, 07:07

Hi,
I am not sure if you're talking about a server or client event. Which one is it?
Server side events are generated only when a certain action can be completed. On the client side there is no event generated because it doesn't make sense to reply (and use bandwidth) for an action that is not allowed.

If you have planned that guest Users cannot join Rooms you should recognize Guest users from client side (the User object tells you the permission profile) and inhibit the interface buttons that cannot be used by that class of users.

Makes sense?
Lapo
--
gotoAndPlay()
...addicted to flash games
hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Re: Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 07:54

You are right.
Thanks for your comment. :D
hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Re: Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 10:13

Hi Lapo,

I have one question for you.
You said: "you should recognize Guest users from client side (the User object tells you the permission profile) and inhibit the interface buttons that cannot be used by that class of users". I don't think that it's a good solution. Because in the Privilege Manager in the Zone configuration, the profile name GUEST was set with some denied requests (for example Join Room). It means that an account with profile GUEST cannot join a room. But when implementing the client, you want to check that if the account is NOT GUEST, it will join the room.
In this case, the profile name GUEST doesn't set "BanUser" and I will check in client code that if the account is GUEST, it cannot ban a user. So setting band user for the profile GUEST is meaningless. :(

In more detail: in some cases, the account with profile GUEST doesn't have permission to join a room but I still want to show the Join Room button. How can I resolve this case?

Regards,
Thong
Last edited by hoanghuybao on 03 Sep 2015, 11:31, edited 2 times in total.
Lapo
Site Admin
Posts: 20110
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Permission Manager doesn't work as expected

Postby Lapo » 03 Sep 2015, 11:21

Hi,
I am sorry I don't understand what "band user" means.

Can you clarify?

Thanks
Lapo

--

gotoAndPlay()

...addicted to flash games
hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Re: Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 11:28

Hi Lapo,

Sorry, this is my mistake and inconvenience. I edited band ==> ban.
here Image

Regards,
Thong
Lapo
Site Admin
Posts: 20110
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Permission Manager doesn't work as expected

Postby Lapo » 03 Sep 2015, 13:25

The configuration indicates that a User with GUEST privileges cannot ban other users.
Not that GUEST users cannot be banned.

By default only moderators or admins can ban other users (which can be changed if you need it).

Hope this is clear.

Cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Re: Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 13:54

Hi Lapo,

You don't understand my question. The "Ban User" is only an example for the question. I have 2 situations:
1) The profile GUEST is set with the denied request "Join Room" and the client code has this check:

User user = sfsClient.getUserManager().getUserByName(userName);
if (!user.isGuest()) {
    sfsClient.send(new JoinRoomRequest(roomName));
}

==> userName cannot join the room. This is expected.
2) The profile GUEST is NOT set with the denied request "Join Room" and the client code has the above check too.
==> userName cannot join the room either.

My question: If the client code has the same check as above, setting the denied request "Join Room" for profile GUEST is NOT necessary.
Please give your comment.


Regards,
Thong
Lapo
Site Admin
Posts: 20110
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Permission Manager doesn't work as expected

Postby Lapo » 03 Sep 2015, 14:15

Thanks for the clarification.
The client check is done only for the purpose of showing the correct controls to the User.

I would expect that, as a GUEST, I am not shown parts of the interface that I cannot use. Right?
What is the point of showing me a "JOIN" button if I have no rights to join any Room? It would be annoying.

So... detecting the User's privilege ID on the client side has only one purpose: to provide the user with the right controls.

Setting the profile from the Server side is necessary because malicious Users can easily work around your client check and attempt to perform unauthorized operations, if the server is not really checking.

In other words I could hack the client and successfully join any Room, even though my client is a GUEST and should not be able to do it.

Makes sense?

One more thing: the type of code you have posted is not what I would suggest to do. Checking if the client is GUEST before joining is indeed useless because the server will also check that for you.

Instead the User profile should simply inform the client application about what controls can be active / inactive for different types of Users.

cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
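
Added example, not part of the original thread and not SmartFoxServer code: a self-contained Java model of the split described in the reply above, where the server enforces the profile stored in the session and the client uses the profile only to enable or disable controls. All class, method and field names here (PrivilegeDemo, Server, auditLog, joinButtonEnabled) are hypothetical, and the policy values are constructed sample data.

```java
import java.util.*;

// Self-contained model of the thread's point; none of these types are SmartFoxServer API.
public class PrivilegeDemo {
    enum Profile { GUEST, STANDARD }
    enum Request { JOIN_ROOM, BAN_USER }

    // Server-side policy: requests each profile is denied (constructed sample values).
    static final Map<Profile, Set<Request>> DENIED = Map.of(
        Profile.GUEST, EnumSet.of(Request.JOIN_ROOM, Request.BAN_USER),
        Profile.STANDARD, EnumSet.of(Request.BAN_USER));

    static class Server {
        final Map<String, Profile> sessions = new HashMap<>(); // profile is bound at login, server side
        final Set<String> roomMembers = new TreeSet<>();
        final List<String> auditLog = new ArrayList<>();       // hypothetical server-side record

        void login(String user, Profile p) { sessions.put(user, p); }

        // Authorization uses the profile stored in the session, never a value sent by the client.
        void handle(String user, Request r) {
            Profile p = sessions.get(user);
            if (p == null || DENIED.get(p).contains(r)) {
                auditLog.add("DENIED " + r + " user=" + user + " profile=" + p);
                return; // dropped without a reply, as described in the thread
            }
            if (r == Request.JOIN_ROOM) roomMembers.add(user);
        }
    }

    // Client side: the profile only decides which controls are enabled.
    static boolean joinButtonEnabled(Profile p) {
        return !DENIED.get(p).contains(Request.JOIN_ROOM);
    }

    public static void main(String[] args) {
        Server server = new Server();
        server.login("demo", Profile.GUEST);
        server.login("alice", Profile.STANDARD);

        System.out.println("demo sees JOIN enabled: " + joinButtonEnabled(Profile.GUEST));
        // A modified client ignores the disabled button and sends the request anyway.
        server.handle("demo", Request.JOIN_ROOM);
        server.handle("alice", Request.JOIN_ROOM);

        System.out.println("room members: " + server.roomMembers);
        System.out.println("audit log: " + server.auditLog);
    }
}
```

Removing the check inside `handle` is the only change that lets "demo" into the room; the client-side flag has no effect on the outcome.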
hoanghuybao
Posts: 35
Joined: 22 Aug 2015, 16:20

Re: Permission Manager doesn't work as expected

Postby hoanghuybao » 03 Sep 2015, 16:45

Yes, thanks for your explanation. Now I understand the reasons why we need to set the profile from the server side.
P.S.: my code is only a demo for a simple client in Java. :D
