You have been redirected from an outdated version of the article.
Below is the content available on this topic. To view the old article click here.
User
User is the base type for all types that need user functionality. A user is a Principal, i.e. can be used to provide Ownership.
User extends AbstractNode and provides the following additional properties.
Name | Type | Description
– | – | –
confirmationKey
| String | A temporary unique token used in the process of User Self-Registration
img
| Image | The profile image of a User
imageData
| String, input only | A special property that can be used to Create an Image from a Base64 string
homeDirectory
| Folder | The home directory of a user. Only valid if the [Filesystem] … settings are enabled (TODO!)
workingDirectory
| Folder | The working directory of a user. Used in the SSH and FTP services
groups
| List of Groups | The Groups this User is a member of
eMail
| String | The e-mail address of this user, used for Authentication
twitterName
| String | The twitter name of this User, can be used in the process of User Self-Registration
localStorage
| String | TODO
backendUser
| Boolean | Indicates whether this User has access to the Structr Backend
frontendUser
| Boolean | Indicates whether this User has access to the Structr Frontend
isUser
| Boolean | A read-only value that will always be true
for all User types and their subtypes
Search results for "User"
user_changelog()
Returns the changelog for the changes a specific user made.
user_changelog(user [, resolve=false [, filterKey1, filterValue2 [ , ... ] ] ] )
$.user_changelog(user [, resolve=false [, map]])
User Configuration
There are three main properties you can change to control the two factor authentication behaviour for a specific user node.
User.twoFactorConfirmed | This is automatically set to true after a user authenticates via two-factor authentication. If this is set to false the user will always be shown the QR code for him to scan. |
User.isTwoFactorUser | Controls if the user wants to authenticate via two factor authentication. This only works if the setting TwoFactor.level is set to 1. If the setting is set to 2, the flag will automatically be set to true after a user logs in. |
User.twoFactorSecret | This is the secret which is used to generate tokens. It is automatically generated for every user. |
Changelog
Verb | Event type | Keys in changeset |
create | Creation of an object | verb ,time ,userId ,userName ,target |
delete | Deletion of an object | verb ,time ,userId ,userName ,target |
link | A relationship to/from another object has been created | verb ,time ,userId ,userName ,target , rel |
unlink | A relationship to/from another object has been removed | verb ,time ,userId ,userName ,target , rel |
change | One of the properties of the object has been changed | verb ,time ,userId ,userName ,key , prev , val |
{"time":1455195862431,"userId":"f02e59a47d[...]","userName":"admin","verb":"change","key":"name","prev":null,"val":"My new name"}
{"time":1455195903852,"userId":"f02e59a47d[...]","userName":"admin","verb":"change","key":"name","prev":"My new name","val":"New Name"}
{"time":1455196049579,"userId":"f02e59a47d[...]","userName":"admin","verb":"link","rel":"has","relId":"97d26b5778[...]026eb615e","relDir":"out","target":"4e32a9f6eb[...]bd7a6a"}
{"time":1455195961348,"userId":"f02e59a47d[...]","userName":"admin","verb":"unlink","rel":"has","relId":"97d26b5778[...]026eb615e","relDir":"out","target":"4e32a9f6eb[...]bd7a6a"}
{"time":1455196115875,"userId":"00000000000000000000000000000000","userName":"superadmin","verb":"unlink","rel":"OWNS","relId":"b29e98329fb[...]864aa038","relDir":"out","target":"f02e59a47d[...]"}
Users and Groups
The Users and Groups
tab has two subsections: The left section lists all system users that exist in the database. Users can be created by clicking on the "Add User"
button on top of the list and deleted by clicking on the delete button which appears when you hover over the user element.
A user’s attributes like name
, eMail
or password
can be edited via the Edit Properties
dialog. Here a user can be given admin permissions by activating the isAdmin
flag.
In the section on the right, user groups can be created and managed. Groups can contain users and other groups which can be added and removed via drag-and-drop. This allows the creation of a group hierarchy and thus a very flexible and versatile security system.
Deployment Format
{
let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
if (!$.isInGroup(myUserGroup, necessaryUser)) {
$.addToGroup(myUserGroup, necessaryUser);
}
}
Data Deployment Format
{
let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
if (!$.isInGroup(myUserGroup, necessaryUser)) {
$.addToGroup(myUserGroup, necessaryUser);
}
}
About Me
The About Me section displays information about the user that is currently logged in to the system.
ID | The UUID of the user. |
E-Mail | The E-Mail address of the user. |
Working Directory | The directory in Structr’s virtual file system that the user is currently visiting. This is also the directory where files uploaded via the Structr upload servlet will be uploaded (if no upload path is provided). |
Session ID(s) | A collection of the current session IDs of the user. |
Groups | The list of user groups the user is a member of. |
In addition to these information, Structr also stores the UI preferences of the logged-in user. They can be reset by clicking on “Reset stored UI settings”.
Resource Access Grants
This part of Structr’s backend UI is the place where the entry points of Structr’s HTTP REST Service can be configured.
While the security system of Structr is focused on users and their security context (i.e. does the user has access to a given database entity?), the checking of resource access grants is focused on the URL path (the resource) of an HTTP request.
More precisely, if a user requests all entities of a given schema type via Structr’s REST
interface with a call to the URL /structr/rest/SchemaType
, Structr will check if the user is logged into the system and if a GET
request on the resource /SchemaType
is permitted for authenticated users. If the user is not logged into the system the GET permission for non-authenticated users has to be set for that resource.
Only when the permission for the resource is set, Structr will then check if user has grants for the actual database content and the entities of the type SchemaType
.
Visibility Flags
When the user accessing a node is no admin user and the first check didn’t return, Structr will check the two flags visibleToPublicUsers
and visibleToAuthenticatedUsers
on the data nodes themself. The flag visibleToPublicUsers
makes a node visible to all users, both to those who are authenticated and the non-authenticated ones. The flag visibleToAuthenticatedUsers
only makes a node visible to authenticated users.
User Self Registration
jsonrestservlet.user.autocreate | Enable this to support user self registration. |
registration.customuserclass | Specifies a special user class to be used when creating new users. |
registration.allowloginbeforeconfirmation | Enables self-registered users to login without clicking the activation link in the registration email. |
registration.customeruserattributes | Attributes the registering user is allowed to provide. All other attributes are discarded. (eMail is always allowed. It will always be included, so removing it here has no effect. It’s a generally a bad idea to include security-relevant attributes here as they can be set from an unauthenticated, unauthorized source. If unsure or you don’t know what that means, set only eMail .) |
JsonRestServlet
jsonrestservlet.defaultview | Default view to use when no view is given in the URL. |
jsonrestservlet.outputdepth | Maximum nesting depth of JSON output. |
jsonrestservlet.user.class | User class that is instantiated when new users are created via the servlet. |
jsonrestservlet.user.autologin | Only works in conjunction with the jsonrestservlet.user.autocreate key. Will log in user after self registration. |
jsonrestservlet.user.autocreate | Enable this to support user self registration. |
Deployment Format
{
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');
if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
$.addToGroup(myUserGroup, myNestedUserGroup);
}
}
user
user list - lists all user in the database
user add <name> [<e-mail>|isAdmin] - adds a new user with the given name and optional e-mail address
user delete <name> - deletes the user with the given name
user password <name> <password> - sets the password for the given user
Data Deployment Format
{
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');
if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
$.addToGroup(myUserGroup, myNestedUserGroup);
}
}
Graph-based permission resolution
In the above example, the schema is configured in such a way that users with the maintains
relationship to a ProductGroup
will have access to any Product
object in the group they maintain, but not to the subgroups of the given group.
Schema relationships that are configured to allow domain permission resolution are called active relationships. Active relationships are displayed in a different color than normal relationships in the schema editor.
When a non-admin user accesses a private object (e.g. a Product
node from the above example schema), Structr tries to find a path which ADDs the requested right or KEEPs the requested right from a node the user has the specific right on.
In detail: We assume that a user who has a read
permission grant to a ProductGroup
tries to access a Product
contained in that group (for which the user does not have direct rights).
Structr will then traverse the active relationship(s) until a path is found which ADDs or KEEPs the requested right.
Successful path evaluation:
- The
(ProductGroup)-[:contains]->(Product)
relationship is configured to keep read and write
- The effective permissions at the end of the evaluation process are read and write
Unsuccessful path evaluation:
- If a user who has a
read
permission grant to a product that is not contained in the product group he has access to, but in a subgroup of the given group, Structr will not be able to find a connected path of active relationships and will fail the permission resolution.
- The user does not have any permission grants set on any node or only visibility flags are set on the data nodes.
Relationship Details Dialog
The Cascading Delete
settings allow configuration of what happens when either end of the relationship is deleted. The possible values are explained in-depth in the help popup in the dialog.
Automatic Creation of Related Nodes
configures if it is allowed to include nested nodes in a REST POST request for this relationship. A node with the given property set is automatically created and linked to the node. If the nested node contains an id
attribute (or another property marked as unique) a node is searched for that property and linked if found.
Permission Resolution
allows configuration of rights propagation in the graph. If NONE
is selected, no rights propagation is applied for this relationship. If SOURCE_TO_TARGET
is selected the rights are propagated along the relationship direction to the next node. For TARGET_TO_SOURCE
the rights propagation is works against the relationship direction. For ALWAYS
the direction of the relationship does not matter and rights propagation is always applied.
Specific rights (Read
, Write
, Delete
, AccessControl
) can be added, kept or removed according to the propagation configuration. If a user has read rights to the previous node and Read
is configured to Keep
, the user also has read rights for the next node. (Specific User/Group rights are applied before using permission propagation - i.e. if a user has specific rights configured for a node, permission resolution is not evaluated as user rights are more specific).
Along the way of permission propagation, properties can be hidden in order to hide sensitive information from users who get rights from permission propagation. The property names can be separated by comma ,
or space
character.
There are 3 tabs where the functionality of the type can be configured:
Local Attributes
A Custom Type can be extended with dynamic properties to provide the data model for the intended use-case. This list contains all local properties (meaning they are defined on this type directly).
Views
The properties of a type can be combined into named Views, which are accessible under an individual REST URL. Access to these URLs can be configured independently for each HTTP method using Resource Access Grants, which makes them an ideal tool to create specialised endpoints for different client applications (e.g. mobile clients etc.).
Methods
There are different kinds of methods - callback methods and entity methods. Callback methods are automatically executed by the framework upon certain lifecycle events and have a strict naming convention. Entity methods are called by the user/programmer.
Entity methods are not automatically run by the framework and must be called manually. This either means making a POST request to /structr/rest/(Type)/(<a data-id="7c9c8218bced42bab66868373e64d885" class="mention">UUID</a>)/(methodName)
or in serverside JavaScript as node.methodName();
Permission Grants
The SECURITY
relationship can have different combinations of permissions in its allowed
attribute:
read | The user has access to the node and can read the node from the database. |
write | The user can alter the node in the database. This permission is also necessary for linking or unlinking the node to other nodes in the graph. |
delete | The user can delete the node from the database. If a node has relationships to other nodes in the database, the user has to have write permissions on those connected nodes, because delete one node in the graph will affect all neighboring nodes. |
accessControl | The user can grant access to other users and user groups. |
User self-registration
Instead of creating users in the Structr backend manually in the Users and Groups section of Structr’s admin UI, you can allow users to sign-up/self-register. The registration process uses double-opt in by default. All you need is a simple page where new users can enter their e-mail address so Structr can send them an e-mail with a confirmation link.
The following pre-defined MailTemplate keys can be used to configure the self-registration process. In version 4.0 they have been renamed to have a more uniform structure.
Note: The Mail Configuration Settings have to be done for self-registration mails to be sent.
Name | Old Name (removed as of v4.1) | Used as | Default |
CONFIRM_REGISTRATION_SENDER_ADDRESS | SENDER_ADDRESS | The sender address of the registration mail | structr-mail-daemon@localhost |
CONFIRM_REGISTRATION_SENDER_NAME | SENDER_NAME | The sender name of the registration mail | Structr Mail Daemon |
CONFIRM_REGISTRATION_SUBJECT | SUBJECT | The subject of the registration mail | Welcome to Structr, please finalize registration |
CONFIRM_REGISTRATION_TEXT_BODY | TEXT_BODY | The plaintext body of the registration mail | Go to ${link} to finalize registration. |
CONFIRM_REGISTRATION_HTML_BODY | HTML_BODY | The HTML body of the registration mail | <div>Click <a href='${link}'>here</a> to finalize registration.</div> |
CONFIRM_REGISTRATION_BASE_URL | BASE_URL | Used to build the link variable | ${base_url} |
CONFIRM_REGISTRATION_TARGET_PAGE | TARGET_PAGE | the target parameter value for the redirection target page name | register_thanks |
CONFIRM_REGISTRATION_ERROR_PAGE | ERROR_PAGE | the error parameter value for the error redirection target page name | register_error |
Notes:
- The visibility flags of these MailTemplates are ignored because the self-registration mail is created as a privileged user.
- A special
link
variable is provided for the TEXT_BODY
and HTML_BODY
templates and can be output with the usual syntax: ${link}
- Example
link
: https://support.structr.com/confirm_registration?key=<CONFIRM_KEY>&target=/dashboard&onerror=/register-error
- From v4.1 scripting is enabled in two templates:
CONFIRM_REGISTRATION_TEXT_BODY
and CONFIRM_REGISTRATION_TEXT_BODY
. The script is being run in the context of the user (me keyword points to the user).
- In any version prior to 4.1 scripting can not be used and simple text replacement is done
Registration Resource
The self-registration should be done via the registration resource. It is available under /structr/rest/registration
.
An un-authenticated user can issue a HTTP POST to that resource to begin the registration process. The accepted input attributes are configured in the configuration registration.customuserattributes
. eMail
is always supported and often used as a single attribute for registration.
The registration is then started by the user by making a HTTP POST request (via a signup form) to /structr/rest/registration
with the following body:
fetch("http://localhost:8082/structr/rest/registration", {
method: "POST",
body: JSON.stringify({
eMail: "user.name@mail.com"
})
})
The self-registration process would then send a mail using the above templates.
Notes: