I'm using Devise with the gems "omniauth-google-oauth2", "omniauth-linkedin-oauth2", and "omniauth-oauth2", and looking for a way to do something like this:
<%= link_to user_google_oauth2_omniauth_authorize_path(registerable: true) %>
... so that I could condition on the response (specifically, to allow users to register this way from one page, but not from another)
The ideal would be just that the query was passed back to me in the auth params, but any way I could affect the params returned to me would do. But I don't see anything in the readme for any of the gems suggesting it's possible.
As a possible workaround, I was thinking we could set a cookie or store a session value when they visit one of the relevant pages, and then check against (and delete) that when we receive the oauth request, but that seems very hacky.
Related
I am new to oracle apex and having trouble finding resources on how to do it. Any help would be really appreciated.
If you want to display the same page differently to each user, you'd then use the "Server-side condition" whose type is a function that returns Boolean, e.g.
return f_app_type(:APP_USER) in ('MANAGER', 'ANALYST');
which would render that element (region, item, whatever) only to users who are either managers or analysts, while other users wouldn't see it.
Or, if you wanted to navigate users to different pages, then you could use a branch. As it also offers the Server-side condition, you'd basically use the same principle as above and redirect each user to their own page.
So basically, I'm using the PersistentRemoteUser middelware in django to handle authentication requests through a login page that is monitored by apache using pubcookie
I can do the basic user.is_authenticated bit's fine, but my problem comes from the fact that I have 2 types of users that require two different kinds of authentication. I have my admin users that require authenticating with 2 factor authentication, and standard users that use only user/password,
The authentication type can easily be viewed on the login page itself by accessing: self.request.META['AUTH_TYPE'] which will read as either "SecureID" or "NetID" depending on theauthtype`.
But I need to be able to perform a check on different pages to see if the user authenticated with secureid or netid to determine what parts of a page are viewable, or if they are allowed to see the page at all. But the meta data does not exist outside of the initial login page, only the request.user data, which does not, unless i'm missing something, contain any type of auth_type.
is it possible to either access the metadata from another page, or save the users authtype to some kind of post or session variable that gets carried around for the session?
Sorry if this question is a bit...dumb, I'm still fairly new to django and still trying to wrap my head around certain aspects of it.
You've answered your question.
Use a session that will persist the value (as long as the session is active).
request.session['auth_type'] = 'SecureID'
Then you can always make a decision based on the session value you stored earlier.
if request.session['auth_type'] == 'SecureID':
# do two factor auth stuff
pass
else:
# do normal stuff
pass
Currently I set up a RESTful API backend using Django and I can list a set of articles by the following GET:
api/articles/
Also, I can get a single article by:
api/article/1/
Each article is owned by a certain user, and one user could have multiple articles of course.
On the frond end side, I present all the articles at loading of the page, and I hope the user who is logged in currently could see the articles that they own in a different style, e.g, outlined by a box, and has a associated "delete" or "edit" button.
This requires me to tell, after the retrieval of the articles, which ones are owned by the current user programmatically. One way of doing this is to check the current user id with the owner id. However I feel this is not a good choice as the user id is the check is done fully on the client side and may be not consistent with the actual server judgement.
Therefore, is there a way, to tell by looking at the response of the GET, (say, let the server return a property "editable=true/false") to get whether the current user could edit(PUT) the resource?
I understand that this could be done at the server side, by attaching such a property manually. However, I am just asking whether there is better/common practice.
I just started learning web development and I am sorry if the question sounds trivial. Thank you!
You can attach propriety manually as you suggested. The advance of this approach is that you dont need any other http request.
Second possibility might be, that your client intentionally request information about endpoint permissions. In this case I would suggest to use OPTIONS HTTP method. You send OPTIONS HTTP request to api/articles/1 and backend returns wanted info. This might be exactly what OPTIONS method and DRF metadata were made for.
http://www.django-rest-framework.org/api-guide/metadata/
I think that this is a very interesting question.
Several options that come to me:
You can add to the GET api/article/1 response a HTTP header with this information i.e. HTTP_METHODS_ALLOWED=PUT,PATH,DELETE. Doing this way helps the API client because it does not need to know anything else. I think that this is not a good approach when more than one entity is returned.
call to OPTIONS api/article/1. Allowed methods for that user on that resource can be returned but notice that, in my opinion, this approach is not very good in terms of performance, because it duplicates the number of requests to the server.
But what if the entity returned also contains information on the owner or it? can, in this case the client know which policy apply and try to figure out it by itself? notice that the policy can be obtained from another endpoint (just one call would be needed) or even with the login response. If your entities do not contain that kind of information, it could be also returned as a HTTP header (like first option above)
I'm developing my Joomla! 2.5 Component.
It, with an username && password passed via admin area, could connect to a webserver that send info via XML.
I can show this component in any part of front-end without problem.
Now i need to insert, in frontend for end-user, a single text-area where users could insert a value (e.g., theyr card number [it's a loyalty component]) and this value must be passed to previous component.
ATM I don't need AJAX call, page could be refreshed.
So process it must textarea => insert data => press submit => show component with result (page refresh, no problem).
I need to develop a plugin? I need to "extend" component? Saw several topic on web but i didn't found any that show a (i think) simple case like my.
I need a hand from you, to be on correct way.
Thank you.
In your main controller file you can access the post & get values, so
Where you want to place the input: Just create a form that points to your component, with appropriate
<form action="index.php?option=com_yourcomp" method="get"
<input type="text" name="your_text_input"...
Add all extra fields that you need.
In the controller.php of the com_yourcomp you will be able to access the user data with
JRequest::getVar('your_text_input') or jInput as you prefer.
Note on method="get": you do so if you want your users to be able to bookmark the page or you plan a redirect in your component. The user inputs must be limited to a few thousand chars at most. Otherwise use post, it really depends on your needs.
Scenario:
I have an administration-application which manages the user accounts for another application. Now I would like to place an user-specific-link (e.g. Click here to login with user1) in the administration-application allowing the admin to directly log in with the user in a separate browser window or tab (target="_blank").
Problem:
When the admin clicks two or more links and opens two tabs with tab1=user1 and tab2=user2, the last clicked tab overwrites the session-variables of all other tabs. Sure... that's how sessions work, but I wonder if there is a way to let the admin manage multiple user interfaces with one session in multiple tabs? But I don't see a possibility to identify a specific tab in the browser so that I could say "in tab1 is user1 and in tab2 is user2 logged in ...
Question:
Has anyone done something similar and likes to share the basic idea of solving this?
EDIT:
One possible solution could be to add an parameter to the URL with the userid and hand it through to every page, right?
As your edit points out, the way to do this is with a url variable that specifies who the user should be.
There are a number of security issues with this approach tho.
I'm assuming that your initial link is doing some sort of security check to make sure that the initial "log in" of the user is an authorized request. You'll need to do a similar thing for this method. If your initial request is something like http://example.com/page.cfm?userid={id}&authtoken={encryptedtoken} I would then put that userid into the session scope as a valid userid that the admin can impersonate. The more links they click on the more users they can impersonate. On subsequent requests you check the requested userid against the allowed list in the session and either allow or deny the impersonation.
You'll also need to update all the links on the site so that they include the userid in them. The easier way to do this is to cheat and user jQuery or such to rewrite all internal urls with the userid appended. You would conditionally include that javascript based on the above check.
Lastly you'll likely want to prevent these urls that include the userid from appearing in search engines, if it's not a fully locked down site. You'll either need to use canonical urls to remove the userid, or set x-robots headers to tell search engines not to index the urls where the userid has been specified; or both.
That's the most primitive method of getting different "sessions" for multiple users in the same browser. However you'll then bump into issues if you're using the session scope for anything meaningful, because each tab will try overwriting the other. You'll need to overwrite the normal site session variables on each request, or you'll need to create different structures in the session scope for each userid that is used. How much of a problem this is depends on your application.
It's a do-able thing, but probably a lot more work then you were hoping for.
The other option is to get the admins to use Google Chrome with multiple profiles and copy and paste the login url into different profile windows. A slight inconvenience for them, but a lot less work for you.