How do unsubscribe link works?
I would like to know how an unsubscribe link maps to a user without the use of cookies. I know it has something to do with encrypted string in the link. I am curious about if there is some standard/good practice I should follow while creating such links.
Following are some examples..
http://www.codeproject.com/script/Membership/Unsubscribe.aspx?tg=30458880345&l=3
http://stackexchange.com/email/manage/126398/f5b119aca8179fad3ae6580843826519b97946c0bc490087ffe2111
It is usually just a random token stored in a database to map it to a specific account.
Related
Currently, the Google Vault API does not provide a way to get a report of all users in a G-Suite tenant or domain who are on hold in one or more matters. This information is currently available only via the admin interface for Google Vault under Reports/User Holds. It would be great to be able to obtain this report via an API call in JSON format rather than only via the admin UI. Am I missing something or is this functionality already available?
Respectfully, please keep in mind that suggesting that I perform API operations to search all matters and iterate through the users on hold in each matter to obtain this information is not the answer I am looking for. There should be a quicker, more efficient way to get this information since such a report is already available via the UI. I am simply asking if there is a way to get this same information programmatically via the APIs/automation. Thank you in advance.
Unfortunately, Vault API does not have a method for that. The only way to retrieve this information is to list all matters and iterate through them, as you already mentioned.
File a feature request:
It's not uncommon for a feature to be present only in the UI. If you want to see this implemented on the API, I'd suggest you to report it on Issue Tracker's Vault component.
I looked through the issues of this component, and it looks like this hasn't been requested yet. There's currently a somewhat related feature request, but not exactly what you're looking for:
Audit reporting functionality
Update:
The original poster filed a feature request in Issue Tracker. I'm add this to the answer in order to give it more visibility.
To anyone who would like to see this feature implemented in the future, I'd suggest starring the issue (star on the top-left) in order to help prioritizing it:
Vault API: Need API method to return list of all users who have active holds as available in Vault UI
Currently I set up a RESTful API backend using Django and I can list a set of articles by the following GET:
api/articles/
Also, I can get a single article by:
api/article/1/
Each article is owned by a certain user, and one user could have multiple articles of course.
On the frond end side, I present all the articles at loading of the page, and I hope the user who is logged in currently could see the articles that they own in a different style, e.g, outlined by a box, and has a associated "delete" or "edit" button.
This requires me to tell, after the retrieval of the articles, which ones are owned by the current user programmatically. One way of doing this is to check the current user id with the owner id. However I feel this is not a good choice as the user id is the check is done fully on the client side and may be not consistent with the actual server judgement.
Therefore, is there a way, to tell by looking at the response of the GET, (say, let the server return a property "editable=true/false") to get whether the current user could edit(PUT) the resource?
I understand that this could be done at the server side, by attaching such a property manually. However, I am just asking whether there is better/common practice.
I just started learning web development and I am sorry if the question sounds trivial. Thank you!
You can attach propriety manually as you suggested. The advance of this approach is that you dont need any other http request.
Second possibility might be, that your client intentionally request information about endpoint permissions. In this case I would suggest to use OPTIONS HTTP method. You send OPTIONS HTTP request to api/articles/1 and backend returns wanted info. This might be exactly what OPTIONS method and DRF metadata were made for.
http://www.django-rest-framework.org/api-guide/metadata/
I think that this is a very interesting question.
Several options that come to me:
You can add to the GET api/article/1 response a HTTP header with this information i.e. HTTP_METHODS_ALLOWED=PUT,PATH,DELETE. Doing this way helps the API client because it does not need to know anything else. I think that this is not a good approach when more than one entity is returned.
call to OPTIONS api/article/1. Allowed methods for that user on that resource can be returned but notice that, in my opinion, this approach is not very good in terms of performance, because it duplicates the number of requests to the server.
But what if the entity returned also contains information on the owner or it? can, in this case the client know which policy apply and try to figure out it by itself? notice that the policy can be obtained from another endpoint (just one call would be needed) or even with the login response. If your entities do not contain that kind of information, it could be also returned as a HTTP header (like first option above)
What is the exact use of session ID, is it system generated or we assign it as we assign other dictionary values of session ? Please explain in layman terms.
The Django Session Documentation give a good explanation as well as providing great examples. Give that a read and you should have a good idea about how you can use sessions with Django.
Essentially it gives a good way to associate data with anonymous users, for example I just built a site where users add items to their cart and purchase the items. To be able to do that without requiring them to sign up for an account, I used session data.
Here are some Example Code of how to use session data.
Sorry. Pretty new to this and trying to get a grasp on getting extended permissions/access_token for what I am trying to achieve.
All I need is to pull the public profile feed from someone's facebook page (returns in json format) so I can display it on said person's website. (I was going to parse this information using Jquery)
I think I understand that I will need to create an app in order to do this. Now will I need to create an app from said person's facebook account? Or is that something I can do myself, as a separate app?
Thanks for any info you can give on this.
You could in do it from both.
However im not 100% certain on if you would need any extra permissions from the target user or not. Because it is a public feed I would think not, but I haven't tried this myself so I can say for certain.
A site I am working on (using django) requires that users can access a subset of the functionality temporarily by following a URL sent by email, instead of having to login properly (i.e. with username and password).
I am, of course, aware of the potential security issues with this proposal. Therefore, the tokens included in the url are randomly generated and stored on the server (instead of hashing the username or something similar), and expire.
In addition, I would like to restrict the permissions of users accessing the site through such a token URL, so that they can only access some (very limited) information, while their credentials are required for any more substantial actions.
I had implemented this in a rather crude way: Briefly, instead of authenticating the user through the token, it is stored as a session variable, and the few views that recognize the token validate it. However, it would be great to have an extended solution: For example, a global user.has_token check would be brilliant. I can't imagine, however, how a more elegant solution might be achieved.
So my question is: How would you implement such a system? Is it, for example, possible to temporarily allocate or restrict permissions in django? Might a custom middleware be necessary here?
Any help would be much appreciated. Thanks a lot!
Edit: Following the discussion below, I would like to further specify the question: Would it be efficient to assign groups through a middleware on every page view? Would it be feasible to add properties to the user object at run-time (similar to the user.has_token example above)?
usings django groups you can restict access
below link gives you the example:
http://bradmontgomery.blogspot.com/2009/04/restricting-access-by-group-in-django.html