We are currently working on a Django CRUB style webapp where multiple 'tenants' each have their own 'members' (users linked to that tenant), 'Courses', etc.
We want to include a 'login with google' option and have thus turned to Django-allauth. Most Tenants use Google G suit with their own [name]#[tenant].com address.
A user is assigned to their tenant after their account has been created, to prevent users of tenant B from creating a account in tenant A, we've included a function that checks if the domain of the email matches the 'domain' field in the Tenant object. Only if this match does indeed occur is the account created.
However recently one of our tenants has begun using more than 1 email domain which required us to update the code and Tenant Object.
(Making the code handle multiple email domains, chancing the models so tenants can have multiple email domains)
This left us to wonder if there is a better way to do this - we've been investigating if Google provides a company_id response, or anything that would help us identify a company aside from their email domain. Those values could help us check if a users does indeed belong to that tenant, without having to constantly check / update email domain fields - but we've been unable to find anything of the sort.
Responses to this similar stackoverflow question suggest a similar approach to the one we are currently taking, but that was five years ago - is this still truly the best way?
Related
Apologies since this might not be the best way to word the question nor is this a coding question per say. I get the general process of creating a staff user within Django.
What I would like to know is if companies send email links that allow their workers to sign up a form to be a staff user or if the employer provides their details and someone on the backend creates this account for them, or some other process I am unaware of?
Well, most of the time they create you account with documents/personal info you've provided to the organization. In my university user accounts are created by staff(no need to fill forms and besides, you can fake that information). At the end, we just go to the website and login with provided credentials, we can add extra info/change password etc. in our account settings.
In conclusion, I would say, it depends.
Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it would be impossible to try to do it normally.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also.We want to do the following if we match the whitelist.
The functions that can be used by teachers and students are
different.
The buttons can be changed depending on the grade level of the
students.
Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the class Session and the method getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and its organizational unit
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read,
Assign the new role to each user creating a role assignment
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath
Our website is using DocCheck, an external authentication provider, to authenticate and identify contacts. We use the DocCheck ID, which comes as the request parameter "uniquekey", as contact identifier, so that the contact, when logging in on another device, can be re-identified. These users are then authenticated in Sitecore via a virtual user.
Tracker.Current.CurrentPage.Session.Identify(Page.Request.QueryString["uniquekey"]);
In addition to that, we're planning an own user management with registration, login etc. The users will be logged in via email address and password. The email address should now be used as another identifier to identify the contacts loggin in with these credentials.
The users should then be able to use both DocCheck and our own login for different parts of our website, so that we have DocCheck contacts and our own users.
Is it possible to combine these two identifiers to identify as one contact?
Thank you and kind regards
Torsten
At the moment you can only use a single value to identify a user within xDB. This is potentially going to change in the future however for now you can only use one.
xDB is just a mongo database so how about persisting an additional collection that contains the relationship between identifiers. An example would be:
CustomContact
- _id: the xDB identifier
- alternativeIdentifiers: [docCheckId, formsAuthId, etc] - if this is indexed the lookup will be quick
Then when you come to identify the user you lookup in your custom collection your identifier, find the actual xDB id and then identify with that.
To find the item in the array look at elemMatch or in:
https://docs.mongodb.org/manual/reference/operator/projection/elemMatch/
and some examples on
https://stackoverflow.com/a/18149149/1065332
I am creating a django application for my company, and one of the things that still needs doing is a survey.
At the moment we use SurveyMonkey, but I can't manage to send via api invitations to the surveys(personalized ones like the web page allows, so we know who answered with which answers).
Does anybody know if it's possible to do this with SurveyMonekey api, or if not, any other django app that what I need, or another way to do this?
SurveyMonkey's API is currently read-only and does not allow adding users to email collectors. And option you might consider is pairing SurveyMonkey with MailChimp. MailChimp currently has docs on how to use it with SurveyMonkey here: http://kb.mailchimp.com/article/setting-up-your-surveymonkey-mailchimp-integration/
You could also create something like the MailChimp API in your own application by adding a unique ID to links you send to your respondents by appending ?c=UNIQUEID to the end of a web link collector URI. Then, in your application, you can send any email invitation you like to potential respondents and use the unique ID to correlate users with responses.
You'll need to request the "custom_id" by adding it to the "fields" array in your request to get_respondent_list in order to that unique ID back from SurveyMonkey using the API.
I'm using django-auth with the django-auth-openid extension to use OpenID (specifically, Google) to log users into my site. I have a user base of about 90 who will be using the site. All of them have Google accounts, and will be using them to access the site. Since the user base is set (there is no registration allowed, only admins can add users), I already have an exhaustive list of all of my users, including their email addresses and other information. How can I allow these users to login with their Gmail addresses without making them register first? Essentially, I'd like to make django-auth-openid match OpenID Gmail addresses to rows in the existing django-auth Users table. Is this possible?
Thanks!
I ended up using the python-social-auth library (which has Django support built in). The documentation for use with Django isn't great, but between the docs and the provided example it was relatively easy to integrate it with my existing django-auth setup. After that, I just deleted the 'create_user' pipeline from the SOCIAL_AUTH_PIPELINE tuple in my settings, and, that way, only users with existing OpenID connections were allowed in (no new registrations occurred from OpenID logins). This meant, though, that I had to create those connections (between OpenID identifiers and Users) manually, but that was pretty easy to do just using the Django Python shell.