Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 2 years ago.
Improve this question
I have build a web application using Django, Vue.js and deployed it on Heroku. It is a web application made for a big charity where you can win prizes by donating to the charity. The following information is collected:
Name
Username
Email
Password
Which is pretty basic, I guess. The reason no payment information is stored is because, upon clicking 'Donate', the user is redirected to JustGiving (implemented the JustGiving API) where they enter their payment information and such and are then redirected back to our website.
A few emails are sent:
An email when somebody wins a prize
An email if you are the winner of the prize
An email when a new prize draw is taking place
A receipt of your donation
This will be the first time I properly publish a web application so wanted to ask what steps I need to ensure to make sure the web app is legal. I know I have to probably have a 'cookies' alert and a section where users choose to receive emails or not.
What other steps must I take to make sure I am not breaking any rules?
GDPR can feel complex, but since you're gathering minimal information here, it doesn't need to be. Following best practice as a developer should ensure you're doing your due diligence with regards to security.
To keep you and the charity safe in case of a breach, I would ensure you have a signed document between you laying out clear responsibilities, and detailing how long you will be holding the information. For example, if someone signs up but doesn't win a prize, at what point is you holding that person's information unnecessary?
I would work through the ICO's guidance to charities - https://ico.org.uk/for-organisations/in-your-sector/charity/charities-faqs/
GDPR compliance is shaped by the eight rights bestowed on users with respect to their data. You need to ensure all of the rights are preserved:
Right to be informed
Your use of user data must be transparent. What data do you collect, what do you use it for, and with whom is it exchanged? This is typically documented in your site's privacy policy.
Right of access
If someone asks you for their data, you must provide it to them. The way you provide it needs to be a commonly used format, e.g. JSON or CSV.
Right to rectification
If there is incorrect data about a user you must let them correct it.
Right to erasure
Users can ask that their data be deleted or removed, if there isn't a strong reason to keep it around. In your example this would correspond to deleting their account.
Right to restrict processing
Users can ask that you block any further processing of their data; you may continue to store it but you can't perform other business operations on it.
Right to portability
Similar to the right of access above, you must allow users to export and reuse their personal data for their own purposes.
Right to object
Users can object to having any personal information used for purposes they don't want, like for analytics or marketing.
Individuals can object to having their personal information used. This includes for purposes of direct marketing, research and statistics.
Rights related to automatic decision making
This defines requirements you have to meet to use user data as part of automatic decisions like issuing credit or deciding whether they can be on a waitlist.
Ultimately, however, GDPR compliance is a legal question and can't be answered through a technology lens.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
i have been looking in to different IOT esb and platforms but its hard to check them all and test them all, and for a company in the startup process its even harder.
I have a hardware device which will send very little data but important data once in a while, there will however be some devices out there.
What i want to accomplish is this
My device react to a condition and send a message to my choice of iot platform
the iot platform will have a user management so the event can be stored for this user, the user will get a email and/or sms about the event.
I would like a dashboard for myself to view whats going on and be able to see what device belong to what user and status of it.
I want to be able to have an app that will show data / eventview for the specific user that owns the device.
Everything will be read only, i dont have need to send data to the device, only collect.
My need is rather simple, but i will charge a one time fee for the hardware and have no subscription, all the "cloud" platforms are rather expensive as i can see and they scale bad with their pricing. if i could get one that charge a few cent per device a year i could live with that and include it to the hardware price but the one i find is really above this or charge a high yearly fee from the start.
I have been looking around and trying to understand the program, platform and services out there.
Cloud:
Xively - Expensive and dont have a model that scales per device
Azure - Expensive, their price model is hard to understand
AWS - Cheap to begin with but then Expensive, their price model is
hard to understand
Mulesoft - Expensive for my needs.
Local installation: Free software, dont have everything included and/or pay for training.
WSO2 - This one is hard, it might be able to solve my issues, but they have an IOT server that will open for BETA soon so i dont know
much about it.
Mule community edition - Might solve my issues but seems to lack the usermanagement and dashboard i need?
FuseESB Might solve my issues but seems to lack the usermanagement and dashboard i need?
Kaa - i have a hard time to see where kaa fits in, im not a programmer by trade so i think this platform is to hard for me and i dont know
if it supports my needs, so far little information about it.
Can anyone sheed a light where i should look and put my effort in, i just dont have the time to give them all a shoot, and i might have misunderstood some of the platforms.
i would also appreciate an explanation what module,carbon, connects i would need to check in to, to solve my needs for the different platforms.
Might also be so that i have missed some superb platforms?
BR
Dimi
For WSO2, sign up for the beta here: http://wso2.com/landing/wso2-iot-server-beta-program/
This page has lots of info on how you can use already released components of WSO2 stack for your scenario: http://wso2.com/landing/wso2-iot-server-beta-program/ - see the reference architecture and webinars on the Resources tab.
Use reekoh.com(data collection capabiliteis) and mule(if you don't want to pay then use MULE CE)
You may have a customisation work.
The Watson IoT Plaform is available in IBM's Bluemix cloud and allows up to 20 registered devices, and 100 MB of data exchanged free.
More detailed pricing info is available.
Real-time insights alerting can be configured to help provide the device specific data for users.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I am willing to use synchronisation service for my application. But I want to choose the best one. I want to know which one is better among all these. My application will run on Android , IOS , Windows and Web.
I am going with Firebase because I tested it. It is giving me fast results and it is also allowing me to work offline. Is it better or I will go with Parse or AWS Cognito?
I Also have an option of Google Cloud. Does Google Cloud provides service like Firebase? And are realtime updates possible with Parse as like Firebase?
Codeek has a good point that this question is opinion based, so take my answer with a grain of salt.
I have experience with both Parse and Firebase, but not with Cognito.
In my experience, Parse is better when working with large relationship-based databases. (I.E. databases where multiple classes of objects are pointing to each other and interact.) In this system, it is easy to store a lot of data very succinctly, but working with this data is done via snapshots. This means that you can take a snapshot of the data, edit it, and then refresh the server with the updated snapshot. This is perfect for things like my delivery application where only one user is updating the orders on our server at any one time.
Firebase implements a model-observer scheme, and so it is much better for applications that are highly interactive. For instance, I have used Firebase for creating a real-time game of hot potato. The advantage here is that changes to the data on the server are automatically pushed out to all devices that have registered as listeners (functionality not available on Parse from my experience). This keeps all users on the same page all the time. The downside is that the database is structured in a hierarchal manner and doesn't have defined "objects". Rather, it is structured via key/value pairs where parent keys cannot have an associated value. To illustrate this, a sample structure for storing a game on my database went something like this:
-Games
--1
---Users
----1 = "example#gmail.com"
----2 = "example2#gmail.com"
---PotatoHolder = 1
---TimeRemaining = 30
---Loser = -1
Cognito I am not familiar with, so I'll allow someone else to explain how that database system is designed.
In summary, codeek is correct that this is an opinion-based question, but for two of your options a good rule of thumb from my experience is that Parse is fantastic for large relationship databases in conjunction with single-user applications (i.e. single-player or turn based games). Firebase is more suited to hierarchal data systems in conjunction with real-time multiplayer applications.
I hope this helps! If you could post a little more about what kind of application you are trying to build then perhaps I, or someone else, could provide a little more guidance.
Expanded Answer: Although this question has been marked as off topic, to answer Nidhi's follow-up question if there is a way to use Parse as a model-observer scheme: Not easily. Using a timer is the simplest option. The other option is to use push notifications. This would require getting permission from you user. You can set the Cloud Code on Parse to automatically send push notifications all relevant users and then intercept them within your client so that they are "silent". In other words, when they arrive, you can have your client respond by updating your game without showing a ribbon or notification like normal push notifications. I have not done this myself, as I prefer using Firebase for that kind of application, but I believe that it is possible.
Source: PFQueryTableView Auto Refresh When New Data Updated or Refresh Every Minute Using Parse
Keith's answer is similar to Nidhi's reference to refreshing PFObjects via a Timer, Handsomeguy's comment refers to the possibility of "silent" push notifications.
I am trying to prototype a system that will display a list of choices to a user, and allow them to place an order for the one they select (an over simplification of the prototype, but sufficient to get to the point). I have the users credit card number, billing and shipping addresses, and other contact information, but I can't find any web services that will let me actually purchase something with this information to complete the prototype. I have checked directories such as Programmable Web and Xmethods, but they just seem to point to APIs that let you check for prices and availability, but not actually place an order. Does such a thing exist, or is there some reason (such as security) that I am missing, that prevents such a service from being offered?
The most important thing about online shopping is the security of transmitted information (e.g. credit card data). So the ideal case is to transmit these information directly to the related bank's (issuer of the credit card) payment services, rather than passing it via other service providers. This is what 3-D Secure does.
So when you use a common API this means putting an extra broker between, and passing the secure information to this party which increases vulnerability. Since such a broker cannot use 3-D secure (since it is not the merchant so not possible to make an agreement with the banks) and it should pass the information to online shopping site.
Moreover, an online shoping site can block traffic coming from such an intermediary webservice at any time if you do not make an obligatory agreement and making agreements for each online merchant is practically not very possible.
There is no such free API available the simple reason behind that information like credit card is very secure and confidential and there will security threat on free API's.
here is list of best 10 online payment system
http://sixrevisions.com/tools/online-payment-systems/
and this one who providing live demo
http://www.fastcharge.com/
I think it is possible though I don't know in depth information. I think this is what you see. In next steps you will be redirected to payment gateway of the bank and then you can complete the transactions just by answering some security questions. I think this is a service you should obtain from the bank. And I haven't seen any universal API that can perform the task you have mentioned.
Dialog GSM - Sri Lanka
Anything.lk - Sri Lanka
I'm a member of a facebook group that has contests with artists on a weekly basis. There are over 5000 members to this group, fortunately not all of them participate because at the end of each week there is a voting for the favorite/best artwork of that week. And the admins have to manually go through image by image and count votes. Voting is limited to those who participate in the contest, so the artist places their vote as their image description... or part of it anyway.
I wanted to create an app that would retrieve the photo info from the album to build a list of the submitted images and the artists to make counting votes much easier.
I have, in fact, created such an application but it seems it only works on personal profiles and pages... not groups due to the need to be on a "white list". It strikes me as strange when a group is "OPEN" and an app isn't even allowed to read data there, but OK.
My question is if it is possible to get an app on that white list or at least to build an app specifically for a group for this purpose? I have been unsuccessful in my attempts to find any information on this subject. So, I am asking you all here at stack overflow since you all seem to be in bed with facebook in someway. I am just hoping to get a reply from someone that knows something rather than guessing or assuming.
The last contest had 325 participants and it was entirely too many for a poll.
I do not know if this topic has already been addressed... I used the search but stack overflow uses Google for a site search and because these topics are paginated Google has indexed results to be on a certain page but when you go there the topic is nowhere to be found... not very helpful...
Anyway, thanks for your time and I would be most appreciative of getting a reply rather than the post just getting buried to the point nobody will see it...
I was wondering the same thing for a similar reason.
It appears not:
user_groups
Provides access to the list of groups the user is a member of as the groups connection.
This permission is reserved for apps that replicate the Facebook
client on platforms that don’t have a native client.
https://developers.facebook.com/docs/facebook-login/permissions/v2.0#reference-extended-profile
If anybody discovers otherwise I'd love to know.
I don't know the exact answer of whether apps can be built only for groups without short-listing, but here is an alternative solutions.
If the purpose of this exercise is to limit some functionality (or entries) only to those users who are a member of a group, then why not get the "user_groups" permissions from the user, access his groups through the Graph API and flag users as either being a member of the group or not and extend the functionality accordingly. Perhaps you could even limit registrations to only those who are currently members of the group.
I just wrote one of my first web applications (Linux, Apache, MySQL, Django), and would like to launch it publicly. It's a webform-based task disguised as a game; I intend to eventually put it on Amazon Mechanical Turk and give small bonuses to people who achieve certain scores.
Even though this app does not have a tremendously high security risk, I need to safeguard it against manipulation and reverse engineering. However, I have little formal training in testing/security. Given that there are tangible prizes to be won, I know people will have an incentive to cheat, whether by altering POST data, pressing "back" and re-submitting data until they win, etc. So far, I have been dealing with these issues on an ad-hoc basis by putting in security tests as I think of possible exploits. However, I realize there are probably lots of forms of manipulation that I haven't thought of yet.
Can anybody recommend some reading materials from which I can learn how to protect my website against manipulation and reverse engineering?
A very good place to read up is OWASP; see http://www.owasp.org/index.php/Main_Page. They have extensive documentation regarding website security.
Edit: For a quick overview, check the "Top Ten."
The Google Browser Security Handbook has a lot of information about potential vulnerabilities in the web architecture, in particular the details that are affected by the behavior of web browsers (as opposed to server based vulnerabilities, like SQL injection attacks and the like). It is a good starting point for learning about how browsers work in ways that impact security, like how they handle cookies, cross domain requests, images and MIME types, etc.
SQL Injection
Prevent malicious users from altering SQL queries via URL query strings.
DoS Attacks
Prevent users from the same IP address from accessing your site an excessive number of times in a small space of time.
Password Strength
When allowing users to create their own passwords, show a password strength indicator which encourages users to enter stronger passwords.
Captcha
Stop non-human users from submitting to forms by presenting a captcha image. You may also want to use this if password authentication is failed multiple times, to prevent robots from guessing passwords.
One book I might recommend is "Security Engineering" by Ross Anderson. It's fairly detailed and it gives a good overview of many different topics relating to computer security, although not all of it is relevant for securing a website.