You have been redirected from an outdated version of the article. Below is the content available on this topic. To view the old article click here.

User

User is the base type for all types that need user functionality. A user is a Principal, i.e. can be used to provide Ownership.

User extends AbstractNode and provides the following additional properties.

Name | Type | Description
– | – | –
confirmationKey | String | A temporary unique token used in the process of User Self-Registration
img | Image | The profile image of a User
imageData | String, input only | A special property that can be used to Create an Image from a Base64 string
homeDirectory | Folder | The home directory of a user. Only valid if the [Filesystem] … settings are enabled (TODO!)
workingDirectory | Folder | The working directory of a user. Used in the SSH and FTP services
groups | List of Groups | The Groups this User is a member of
eMail | String | The e-mail address of this user, used for Authentication
twitterName | String | The twitter name of this User, can be used in the process of User Self-Registration
localStorage | String | TODO
backendUser | Boolean | Indicates whether this User has access to the Structr Backend
frontendUser | Boolean | Indicates whether this User has access to the Structr Frontend
isUser | Boolean | A read-only value that will always be true for all User types and their subtypes

Search results for "User"

user_changelog()

Returns the changelog for the changes a specific user made.

user_changelog(user [, resolve=false [, filterKey1, filterValue2 [ , ... ] ] ] )
$.user_changelog(user [, resolve=false [, map]])

User Configuration

There are three main properties you can change to control the two factor authentication behaviour for a specific user node.

User.twoFactorConfirmed This is automatically set to true after a user authenticates via two-factor authentication. If this is set to false the user will always be shown the QR code for him to scan.
User.isTwoFactorUser Controls if the user wants to authenticate via two factor authentication. This only works if the setting TwoFactor.level is set to 1. If the setting is set to 2, the flag will automatically be set to true after a user logs in.
User.twoFactorSecret This is the secret which is used to generate tokens. It is automatically generated for every user.

Changelog

Verb Event type Keys in changeset
create Creation of an object verb,time,userId,userName,target
delete Deletion of an object verb,time,userId,userName,target
link A relationship to/from another object has been created verb,time,userId,userName,target, rel
unlink A relationship to/from another object has been removed verb,time,userId,userName,target, rel
change One of the properties of the object has been changed verb,time,userId,userName,key, prev, val 
{"time":1455195862431,"userId":"f02e59a47d[...]","userName":"admin","verb":"change","key":"name","prev":null,"val":"My new name"}
{"time":1455195903852,"userId":"f02e59a47d[...]","userName":"admin","verb":"change","key":"name","prev":"My new name","val":"New Name"}
{"time":1455196049579,"userId":"f02e59a47d[...]","userName":"admin","verb":"link","rel":"has","relId":"97d26b5778[...]026eb615e","relDir":"out","target":"4e32a9f6eb[...]bd7a6a"}
{"time":1455195961348,"userId":"f02e59a47d[...]","userName":"admin","verb":"unlink","rel":"has","relId":"97d26b5778[...]026eb615e","relDir":"out","target":"4e32a9f6eb[...]bd7a6a"}
{"time":1455196115875,"userId":"00000000000000000000000000000000","userName":"superadmin","verb":"unlink","rel":"OWNS","relId":"b29e98329fb[...]864aa038","relDir":"out","target":"f02e59a47d[...]"}

Users and Groups

The Users and Groups tab has two subsections: The left section lists all system users that exist in the database. Users can be created by clicking on the "Add User" button on top of the list and deleted by clicking on the delete button which appears when you hover over the user element.

A user’s attributes like name, eMail or password can be edited via the Edit Properties dialog. Here a user can be given admin permissions by activating the isAdmin flag.

In the section on the right, user groups can be created and managed. Groups can contain users and other groups which can be added and removed via drag-and-drop. This allows the creation of a group hierarchy and thus a very flexible and versatile security system.

Deployment Format

{
	let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
	let myUserGroup   = $.getOrCreate('Group', 'name', 'myUserGroup');

	if (!$.isInGroup(myUserGroup, necessaryUser)) {
		$.addToGroup(myUserGroup, necessaryUser);
	}
}

Data Deployment Format

{
	let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
	let myUserGroup   = $.getOrCreate('Group', 'name', 'myUserGroup');

	if (!$.isInGroup(myUserGroup, necessaryUser)) {
		$.addToGroup(myUserGroup, necessaryUser);
	}
}

About Me

The About Me section displays information about the user that is currently logged in to the system.

ID The UUID of the user.
E-Mail The E-Mail address of the user.
Working Directory The directory in Structr’s virtual file system that the user is currently visiting. This is also the directory where files uploaded via the Structr upload servlet will be uploaded (if no upload path is provided).
Session ID(s) A collection of the current session IDs of the user.
Groups The list of user groups the user is a member of.

In addition to these information, Structr also stores the UI preferences of the logged-in user. They can be reset by clicking on “Reset stored UI settings”.

Resource Access Grants

This part of Structr’s backend UI is the place where the entry points of Structr’s HTTP REST Service can be configured.

While the security system of Structr is focused on users and their security context (i.e. does the user has access to a given database entity?), the checking of resource access grants is focused on the URL path (the resource) of an HTTP request.

More precisely, if a user requests all entities of a given schema type via Structr’s REST interface with a call to the URL /structr/rest/SchemaType, Structr will check if the user is logged into the system and if a GET request on the resource /SchemaType is permitted for authenticated users. If the user is not logged into the system the GET permission for non-authenticated users has to be set for that resource.

Only when the permission for the resource is set, Structr will then check if user has grants for the actual database content and the entities of the type SchemaType.

Visibility Flags

When the user accessing a node is no admin user and the first check didn’t return, Structr will check the two flags visibleToPublicUsers and visibleToAuthenticatedUsers on the data nodes themself. The flag visibleToPublicUsers makes a node visible to all users, both to those who are authenticated and the non-authenticated ones. The flag visibleToAuthenticatedUsers only makes a node visible to authenticated users.

User Self Registration

jsonrestservlet.user.autocreate Enable this to support user self registration.
registration.customuserclass Specifies a special user class to be used when creating new users.
registration.allowloginbeforeconfirmation Enables self-registered users to login without clicking the activation link in the registration email.
registration.customeruserattributes Attributes the registering user is allowed to provide. All other attributes are discarded. (eMail is always allowed. It will always be included, so removing it here has no effect. It’s a generally a bad idea to include security-relevant attributes here as they can be set from an unauthenticated, unauthorized source. If unsure or you don’t know what that means, set only eMail.)

JsonRestServlet

jsonrestservlet.defaultview Default view to use when no view is given in the URL.
jsonrestservlet.outputdepth Maximum nesting depth of JSON output.
jsonrestservlet.user.class User class that is instantiated when new users are created via the servlet.
jsonrestservlet.user.autologin Only works in conjunction with the jsonrestservlet.user.autocreate key. Will log in user after self registration.
jsonrestservlet.user.autocreate Enable this to support user self registration.

Deployment Format

{
	let myUserGroup       = $.getOrCreate('Group', 'name', 'myUserGroup');
	let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');

	if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
		$.addToGroup(myUserGroup, myNestedUserGroup);
	}
}

user

user list                          - lists all user in the database
user add <name> [<e-mail>|isAdmin] - adds a new user with the given name and optional e-mail address
user delete <name>                 - deletes the user with the given name
user password <name> <password>    - sets the password for the given user

Data Deployment Format

{
	let myUserGroup       = $.getOrCreate('Group', 'name', 'myUserGroup');
	let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');

	if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
		$.addToGroup(myUserGroup, myNestedUserGroup);
	}
}

Graph-based permission resolution

In the above example, the schema is configured in such a way that users with the maintains relationship to a ProductGroup will have access to any Product object in the group they maintain, but not to the subgroups of the given group.

Schema relationships that are configured to allow domain permission resolution are called active relationships. Active relationships are displayed in a different color than normal relationships in the schema editor.

When a non-admin user accesses a private object (e.g. a Product node from the above example schema), Structr tries to find a path which ADDs the requested right or KEEPs the requested right from a node the user has the specific right on.

In detail: We assume that a user who has a read permission grant to a ProductGroup tries to access a Product contained in that group (for which the user does not have direct rights).
Structr will then traverse the active relationship(s) until a path is found which ADDs or KEEPs the requested right.

Successful path evaluation:

  • The (ProductGroup)-[:contains]->(Product) relationship is configured to keep read and write
  • The effective permissions at the end of the evaluation process are read and write

Unsuccessful path evaluation:

  • If a user who has a read permission grant to a product that is not contained in the product group he has access to, but in a subgroup of the given group, Structr will not be able to find a connected path of active relationships and will fail the permission resolution.
  • The user does not have any permission grants set on any node or only visibility flags are set on the data nodes.

Relationship Details Dialog

The Cascading Delete settings allow configuration of what happens when either end of the relationship is deleted. The possible values are explained in-depth in the help popup in the dialog.
Automatic Creation of Related Nodes configures if it is allowed to include nested nodes in a REST POST request for this relationship. A node with the given property set is automatically created and linked to the node. If the nested node contains an id attribute (or another property marked as unique) a node is searched for that property and linked if found.

Permission Resolution allows configuration of rights propagation in the graph. If NONE is selected, no rights propagation is applied for this relationship. If SOURCE_TO_TARGET is selected the rights are propagated along the relationship direction to the next node. For TARGET_TO_SOURCE the rights propagation is works against the relationship direction. For ALWAYS the direction of the relationship does not matter and rights propagation is always applied.
Specific rights (Read, Write, Delete, AccessControl) can be added, kept or removed according to the propagation configuration. If a user has read rights to the previous node and Read is configured to Keep, the user also has read rights for the next node. (Specific User/Group rights are applied before using permission propagation - i.e. if a user has specific rights configured for a node, permission resolution is not evaluated as user rights are more specific).
Along the way of permission propagation, properties can be hidden in order to hide sensitive information from users who get rights from permission propagation. The property names can be separated by comma , or space character.

There are 3 tabs where the functionality of the type can be configured:

  • Local Attributes
    A Custom Type can be extended with dynamic properties to provide the data model for the intended use-case. This list contains all local properties (meaning they are defined on this type directly).
  • Views
    The properties of a type can be combined into named Views, which are accessible under an individual REST URL. Access to these URLs can be configured independently for each HTTP method using Resource Access Grants, which makes them an ideal tool to create specialised endpoints for different client applications (e.g. mobile clients etc.).
  • Methods
    There are different kinds of methods - callback methods and entity methods. Callback methods are automatically executed by the framework upon certain lifecycle events and have a strict naming convention. Entity methods are called by the user/programmer.
    Entity methods are not automatically run by the framework and must be called manually. This either means making a POST request to /structr/rest/(Type)/(<a data-id="7c9c8218bced42bab66868373e64d885" class="mention">UUID</a>)/(methodName) or in serverside JavaScript as node.methodName();

Permission Grants

The SECURITY relationship can have different combinations of permissions in its allowed attribute:

read The user has access to the node and can read the node from the database.
write The user can alter the node in the database. This permission is also necessary for linking or unlinking the node to other nodes in the graph.
delete The user can delete the node from the database. If a node has relationships to other nodes in the database, the user has to have write permissions on those connected nodes, because delete one node in the graph will affect all neighboring nodes.
accessControl The user can grant access to other users and user groups.

User self-registration

Instead of creating users in the Structr backend manually in the Users and Groups section of Structr’s admin UI, you can allow users to sign-up/self-register. The registration process uses double-opt in by default. All you need is a simple page where new users can enter their e-mail address so Structr can send them an e-mail with a confirmation link.

The following pre-defined MailTemplate keys can be used to configure the self-registration process. In version 4.0 they have been renamed to have a more uniform structure.

Note: The Mail Configuration Settings have to be done for self-registration mails to be sent.

Name Old Name (removed as of v4.1) Used as Default
CONFIRM_REGISTRATION_SENDER_ADDRESS SENDER_ADDRESS The sender address of the registration mail structr-mail-daemon@localhost
CONFIRM_REGISTRATION_SENDER_NAME SENDER_NAME The sender name of the registration mail Structr Mail Daemon
CONFIRM_REGISTRATION_SUBJECT SUBJECT The subject of the registration mail Welcome to Structr, please finalize registration
CONFIRM_REGISTRATION_TEXT_BODY TEXT_BODY The plaintext body of the registration mail Go to ${link} to finalize registration.
CONFIRM_REGISTRATION_HTML_BODY HTML_BODY The HTML body of the registration mail <div>Click <a href='${link}'>here</a> to finalize registration.</div>
CONFIRM_REGISTRATION_BASE_URL BASE_URL Used to build the link variable ${base_url}
CONFIRM_REGISTRATION_TARGET_PAGE TARGET_PAGE the target parameter value for the redirection target page name register_thanks
CONFIRM_REGISTRATION_ERROR_PAGE ERROR_PAGE the error parameter value for the error redirection target page name register_error

Notes:

  • The visibility flags of these MailTemplates are ignored because the self-registration mail is created as a privileged user.
  • A special link variable is provided for the TEXT_BODY and HTML_BODY templates and can be output with the usual syntax: ${link}
    • Example link: https://support.structr.com/confirm_registration?key=<CONFIRM_KEY>&target=/dashboard&onerror=/register-error
  • From v4.1 scripting is enabled in two templates: CONFIRM_REGISTRATION_TEXT_BODY and CONFIRM_REGISTRATION_TEXT_BODY. The script is being run in the context of the user (me keyword points to the user).
  • In any version prior to 4.1 scripting can not be used and simple text replacement is done

Registration Resource

The self-registration should be done via the registration resource. It is available under /structr/rest/registration.

An un-authenticated user can issue a HTTP POST to that resource to begin the registration process. The accepted input attributes are configured in the configuration registration.customuserattributes. eMail is always supported and often used as a single attribute for registration.

The registration is then started by the user by making a HTTP POST request (via a signup form) to /structr/rest/registration with the following body:

fetch("http://localhost:8082/structr/rest/registration", {
  method: "POST",
  body: JSON.stringify({
    eMail: "user.name@mail.com"
  })
})

The self-registration process would then send a mail using the above templates.

Notes: