I am using Coldfusion.
How can I prevent users from directly accessing a webpage?
i.e. when a user enters - "www.google.com/thispage" the user should redirect back to "www.google.com". The users can only access "www.google.com/thispage" via a link on "www.google.com".
OR
i.e. when a user enters - "www.google.com/thispage" the application should log out. The users can only access "www.google.com/thispage" via a link on "www.google.com".
Thanks! Any help is appreciated.
Related
I am using PHP for accessing Facebook friends location. I want to access location of all friends. I read that it requires "access tokens" to get client's public information from here
https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens
and here
https://www.sammyk.me/access-token-handling-best-practices-in-facebook-php-sdk-v4
Is that token will be provided by Facebook at that instant of time or my app needs to wait till friend's approval.
I saw this post on stack overflow: How to get user access token?
But i still i can't figure out what if friend is offline. How that token will be passed to my application?
Or is it like that "Tokens are generated by Facebook at time when my application made the request but i can only access the user information later using the same token if he has given permission (when he gets logged in)".?
I am unable to find any explanation regarding this.
Thanks.
You canĀ“t get the location of friends at all. Friend permissions have been removed for privacy reasons, you can only get data of users who authorized your App too. Check out the changelog for more information: https://developers.facebook.com/docs/apps/changelog
That being said, there are different Access Tokens. You can get an App Token without authorization, but you need to implement an authorization process for User or Page Tokens.
More information:
https://developers.facebook.com/docs/facebook-login/access-tokens
http://www.devils-heaven.com/facebook-access-tokens/
We have created a site that needs to have most of the pages locked down to anonymous users. The only pages they should be able to access are:
Login
Reset Password
Account Validation
Page Not Found
Privacy Policy
T & Cs
The startItem of the website has been set to "/Home" as all of the other pages included those that are allowed anonymous access are below.
This node has had "extranet\Anonymous" read removed and then we allow read access of the specific pages that we want them to have access to.
What we have found is that if we request a Url such as: www.domain.com/page-i-cant-get-to then Sitecore will redirect you to the url set in the loginPage attribute on the site, which is correct.
However if I request www.domain.com I get a an error saying "The layout for the requested document was not found.
If I do login, then go the same Url, everything is fine.
I've stepped through the ExecuteRequest pipeline and have found when requesting www.domain.com/page-i-cant-get-to the Context.Item is null, so it's passed into the HandleItemNotFound(args) method.
If we request the root page, then this is set to be the root sitecore node ID {11111111-1111-1111-1111-111111111111} and so passes over the HandleItemNotFound and into the HandleLayoutNotFound(args)
I tried using the "requireLogin" attribute, but then I can only get access to the loginPage and not any of the other pages I want to allow anonymous access to.
I have also tried changing the startItem to be the login page, but then all the Urls for the pages are in an incorrect structure.
Is anyone able to shed any light on how this should be done?
Thanks in advance
Why don't you try leaving anonymous user with read permission on the home item and then deny the pages(items) you want to block?
I am trying to use the Google Contacts API and the Python / GDATA client handlers to access Contacts via OAuth 2.0 for users in the domain. I'm ultimately wanting to create a web service to add contacts for users, but the first step is getting this test working.
I can access my own Contacts just fine if I use the default URI. However, when I pass in the email address to construct the URI for another user, I can't seem to access the other user's Contacts. Here is the code that I'm using:
client.GetContacts(uri=client.GetFeedUri(contact_list=userEmail))
A 403 error is returned when I execute this.
gdata.client.RequestError: Server responded with: 403
Your client does not have permission to get URL /m8/feeds/contacts/<userEmail>/full from this server.
Mostly just trying to understand if what I'm attempting here is even possible. In the Email Settings API, for example, you can get authenticated to the domain and pass in a user's email to list their labels, add filters, etc. So, I would anticipate that the Contacts API would work the same, though handled slightly differently, i.e. modifying the URI, instead of just passing in an argument to the client handler. Please let me know if I am wrong in that presumption.
For authorization, I'm getting the details using flow_from_clientsecrets, then getting the token to authorize the ContactsClient for the domain. Again, I can access my own contacts fine, so authorization seems OK, but I can't access other users' contacts.
client = token.authorize(ContactsClient(domain=domain))
Seems like I'm missing something with respect to accessing other users. Is anybody able to assist me over this hump? Here are some things that I've checked / confirmed:
Contacts API is enabled for the project
Scopes have been authorized for the Client ID in the control panel > Manage 3rd party access
I am a Super Admin in the domain.
Thanks for your time!
I figured out the answer here from another post with exceptional detail:
Domain-Wide Access to Google GDATA APIs
You need to use "Service Account" authentication. For some reason, I was thinking that would only work with the newer discovery-based APIs. But, service account access also works for GDATA APIs. I can access all the Contacts for users in the domain now.
After the user has logged in; I have security on page 1 (homepage) of an Apex application which prevents unauthorized users getting any further. Once the user has logged in, it goes away to an apex authorization group and checks whether their name is in the group. If it isn't, it says...you shall not pass.
However if an authorized user copy's the web address of page 3 (view employee salaries), and gives it to an unauthorized user, they can use it, it redirects them to the login page, they login, and there in to that page!
To get round this as a temporary measure i setup each page to have the same authorization group as on page 1. This works but surely there must be a simpler way to manage this?
E.g. User enters the web address, it redirects them to the login page and once they are logged in it doesnt work as they are not part of the group?
I think I found a solution; there is a something called 'Deep Linking' under the security tab in the Application's properties. I have now checked this to disabled and it always redirects the user back to the homepage.
The correct method is indeed to set up authorization schemes on objects that have to be screened off. In apex 4.2 however (I believe - don't think this was in 4.1) you can go to "application properties > security" and there is an "authorization" section there where you can set up a global authorization scheme.
According to the documentation I must remove an apprequest when a user has accepted it. There is however a problem with this.
When I accept an apprequest, I will be redirected to my app. But in the url parameters only the apprequestid(s) are included. The userId of the current user is unavailable.
My app doesn't require authentication so I can't access the current users data.
How do I remove the apprequest for this user when I don't have acces to the userdata or accesstoken as described here:
The old method of the apprequest allowed me to extract the userid from the requestid. This is not possible anymore.
you have to have authentication to "tamper" with user data - that includes app invitations.
However with an App Access Token you might be able to delete the post without authenticating your user (you'll still have to aquire their UID - possibly from the signed_request . You can read at this link about app login and how to retrieve the correct access token.