I have a workspace in which I have many applications based on the same schema.
Every applications has his own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts, I know I have to change the cookie name for all the app I want to share the authentication.
But my question is:
If I login successfully with a user different from the ADMIN, I am still able to access all the applications via URL, even if their link is not visible in my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application you check on each page so that if the current user was authorised that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using Checksums would prevent a number of issues for you.
Related
So, I'm adding on another app to a webapp that I'm building for my company, this one involving bill creation for invoices. Unless one has a specific account with my website, they should not be allowed to access this specific app.
I am using Django's built-in authentication system. My LOGIN_REDIRECT_URI is set to redirect to one of my apps. However, I would like for the login redirect to send the user to the app that they were previously in after login. How might I accomplish this?
Thank you in advance!
I want to have two login systems in the same application. There is main site for the 'owners', the owners can have 'portals'. Each portal will have his own login system, this time for the 'users'. Users within the portal will have roles (admin, editor, etc).
Something like:
site.com -> owners loging
site.com/portal1 -> users login
site.com/portal2 -> other users login
Owners and users are stored in different tables.
I dont know how to achive this with Flask-Login. How should I proceed?
Other alternatives I'm thinking are:
Split this application in two, one for the main site and the other
one for portals.
Join users and owners in the same table, and make the distiction if the user is owner or not. This I think is not desired, because they have different attributes.
You can use third party frameworks to handle authentication in your application. I use Auth0 and have nothing to complain. They are really simple to use and have integration with Flask.
From their home page:
Add authentication to your web and mobile apps in under 10 minutes;
Using Auth0, you can define, for example, a callback URL based on the user role. So you can call /owner if the user is an owner or /portalX if the user is not an owner.
This way you don't have to develop many and many security layers to secure users login.
I have an application allowing users to sign in using their Facebook and Twitter accounts. I only need a very basic information like their email address and full name. Everything works fine and as planned.
Accounts.ui.config({
requestPermissions: {
facebook: ['email'],
github: ['user:email']
}
});
But, now I need to implement a feature posting to a Facebook page and Twitter on behalf of the admin users only. So, I need to get additional permissions from specific users only.
Admin users are eligible to manage our page at Facebook. The app needs to request additional permissions to be able to post to the page. I wan't to keep those basic permissions for regular users.
How can I accomplish that?
One way you can do is,
If you know that logged in user is Admin, put the re-authenticate button in user-dashboard (or somewhere which makes sense) that will do authentication user of user for whatever permissions as required by application.
This will basically do, oauth with social service like usual and upon completion you will get aceess code and against this code get the re-newed access token from social service. (This is normal , how you basically do the oauth manually) Now, use this access token to post to social services.
For this, you will need to use node modules such as for facebook -fb_graph , for twitter- twiiter
Hope this helps
I was just wondering if an app exists for Django that helps connecting all 3 social networks, imports basic info, profile picture, but most importantly pushes the post user makes to these three website accounts. I looked into django-social-auth but that just lets you register or login with these websites,not push posts.
django-allauth http://github.com/pennersr/django-allauth/ stores basic info for FB/G/Tw (and more), provides basic access to the profile picture, and stores the access tokens in the database.
Whatever you do with the access token is project specific and beyond allauth scope. For example, in order to post to the users wall you need:
The user's permission (you can do this by configuring the proper scope for the Facebook provider, search for SCOPE in the README.txt)
Once the user is logged in via FB, the access token is stored in allauth.socialaccount.models.SocialToken. Simply lookup the token for the user that is logged in.
Then, given the token use whatever method you like to post to the Facebook API on behalf of the user. E.g. https://github.com/pythonforfacebook/facebook-sdk
For some more background on the relation between a Django user and the Social* models, see:
How can I get the user's facebook id with django-allauth?
There are django apps that do what you need individually (Facebook example), but I'm not aware of one that works with multiple.
django-social-auth will get you half way there by obtaining the users information and permission to post to the social network on their behalf.
Once you have users authenticating via django-social-auth you'll have access to the users access token needed to post to respective network on their behalf.
From there, you're going to have to stitch together some additional python modules like the Facebook example above to do the actual posting.
Is there any way to authorize user (acting as a Page or Page administrator) in the same like FB Conect does but using Page data?
E.g. I would like a company, say local barber, authorize in my system as a certain Page (can be indirect, i.e. through a private account but I would like to know if this user is a page administrator). The purpose of this is to link an account on my website with a certain business that has representation on Facebook.
Well, you could ask the user for manage_pages permission and look if the page you’re interested in is amongst them, but since that’ll give your app also their page access tokens, I doubt they’ll grant you that.
Less intrusive and much simpler would be to have them install your app on their page as a page tab, and then look into the signed_request parameter once their using your app - it has a boolean flag for wether the user is admin or not. After that they can remove your app again.