joomla 2.5 custom extension about users - joomla2.5

I want your help to solve a problem in a site.
I know that when a user makes a subscription on the site through the Joomla login form, it is stored in a table in the site's database.
I want the user to be stored in a custom table that I will make, and it will be somewhere in the site.
The result I would like to be like this:
The site is for a school. Each student will make a subscription and his/her name will be stored in a table with the lessons of the school. The teachers will log in to the site and they will have to put the test results of each student in each lesson in this table.
It will be like:

                 lesson 1    lesson 2    lesson 3
  user's name 1  grade       grade       grade
  user's name 2  grade       grade       grade

You will need to look into custom component creation. As it is quite a simple component, the available component creators may do most of this for you. However it makes sense to understand the basics of how a component works first so that you know how to tweak and test it.
Simple components like this are ultimately just data entry into a single table, which is what most tutorials will cover. Components get more complex when interacting with other components or require more tables.
If students do not need to log in to the site (and if they are unlikely to in future), then they do not need to be made users, but rather can just be a component item which is created by the teachers when they enter the data. If students need to log in, then the id of the #__users table should be the match field in the new table.
When adding users to a site, it is important to make sure their permissions are set correctly so that they cannot access inappropriate data or make changes that they are not permitted to.
Also: if you are storing private information, it is particularly important that you keep Joomla patched for security - 2.5 is now rather out-of-date.

Related

How to encrypt or Obfuscate REST API URL in Django

Hello Django REST API Experts,
We are building university course portals where the app offers various user types like Professor, Students and Admins, using Django/React. We are using a REST API to connect the backend and frontend.
So far we are able to perform some basic operations and it really works great. However, now I need help from this group to do the following:
When a student enrols in a course it generates an acknowledgement document stating the course description and its prerequisites, which needs to be signed by the student to ensure the student acknowledges they fulfil these requirements.
In order to do this we have the following:
A model for each course which contains the Content, Description and Prerequisite for each course.
A StudentCourseAck model which has an FK to Course, a Signed boolean field and a binary field to store the signed doc.
User flow:
Student logs in to the portal,
Selects the course, which generates a StudentCourseAck entry.
Let the student review the document and sign the document (on the client side using a sign pad).
The signature gets stored in the PDF (as a binary field).
So far so good…
Now we want to enhance the feature set to allow an admin to email the student the link to the StudentCourseAck document in case it's not signed before the course starts. Also this link should only be valid for 48 hours, or else it will expire.
So we need some help to enhance these feature sets as follows:
Currently the API is exposed to the frontend like: mysite.com/courseack/studentid/documentid
However we want to encrypt this so the link looks like this: mysite.com/uniqueid
Where uniqueid is mapped to /studentid/documentid
So I have the following design questions:
Question 1: Should we enhance StudentCourseAck to store a UUID for each document?
Question 2: If I store a UUID for each document, how do I make it expire once it's generated?
Question 3: When the student has finished signing, I need to update the document in the database to ensure that the right document is saved to the right student profile, so how can I ensure this security requirement?
I would really appreciate some expert opinion or some guidance so we can proceed with this feature implementation, or any other alternative which is simpler and easier to maintain.
Once again thank you for your time and consideration.
Thank You.
"Any other alternative which is simpler and easier to maintain."
Keeping the above phrase in mind, I propose this solution.
Firstly, I will not consider this as a DRF problem but as a general problem, and proceed to answer your questions.
The simple solution lies in 4 steps:
1. Create a UUID field inside StudentCourseACK so that you can map this UUID to your URL mysite.com/uniqueid, catch the document id inside the StudentCourseACK record as a foreign key, and also create a created_at field inside the model (this will be required for the expiry timer).
2. Make a view inside your views.py that takes this StudentCourseACK UUID as a URL parameter, where you will have to fetch courseack, studentid and documentid from this StudentCourseACK mapping table and redirect to mysite.com/courseack/studentid/documentid. When you link this view with your URL pattern, make sure the listing is at the very bottom.
3. To make an expiry timer you can check the created_at date in your StudentCourseAck record for the 48-hour limit before redirecting inside Step 2.
4. Finally, when the student is redirected to the mysite.com/courseack/studentid/documentid endpoint, you will have to follow a simple process of getting the StudentCourseAck data via .filter(studentid="some value", documentid="somevalue") and making changes to this data accordingly.
Another thing that I realise is that you can completely ditch the long mysite.com/courseack/studentid/documentid URL and put its logic inside the new view, but I assume that you want to keep it that way.
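The four steps above, worked through as an added example (not code from the question or the answer, and framework-free rather than Django/DRF): a stand-in for the StudentCourseAck record, the 48-hour expiry check on created_at, and the step-4 update that takes the student/document pair from the stored record rather than from the request. The names issue_link, lookup, sign_document, the in-memory ACKS table and the T0 clock value are assumptions.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

LINK_TTL = timedelta(hours=48)                  # expiry window from the question
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock value for the demo


@dataclass
class StudentCourseAck:
    """Hypothetical stand-in for the asker's StudentCourseAck model."""
    student_id: int
    document_id: int
    created_at: datetime                                  # drives the expiry check
    signed: bool = False
    signed_doc: Optional[bytes] = None
    token: uuid.UUID = field(default_factory=uuid.uuid4)  # uuid4: random, not guessable


ACKS: Dict[uuid.UUID, StudentCourseAck] = {}  # constructed in-memory table, not a real DB


def issue_link(student_id: int, document_id: int, now: datetime) -> str:
    """Step 1: create the record and return the short link path /<uuid>."""
    ack = StudentCourseAck(student_id, document_id, created_at=now)
    ACKS[ack.token] = ack
    return f"/{ack.token}"


def lookup(path: str, now: datetime) -> Optional[StudentCourseAck]:
    """Steps 2-3: record behind /<uuid>, or None if malformed, unknown or past 48 h."""
    try:
        token = uuid.UUID(path.strip("/"))  # malformed input never reaches the table
    except ValueError:
        return None
    ack = ACKS.get(token)
    return None if ack is None or now - ack.created_at > LINK_TTL else ack


def resolve_link(path: str, now: datetime) -> Optional[str]:
    """Redirect target for the short link, or None when lookup refuses it."""
    ack = lookup(path, now)
    return None if ack is None else f"/courseack/{ack.student_id}/{ack.document_id}"


def sign_document(path: str, pdf: bytes, now: datetime) -> bool:
    """Step 4: attach the signed PDF to the record the token resolves to; student and
    document come from the stored record, not the request, and the link is single-use."""
    ack = lookup(path, now)
    if ack is None or ack.signed:
        return False
    ack.signed, ack.signed_doc = True, pdf
    return True
```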

Create an input box in an app using Django

I am tasked with a project of creating an app with Python. We have decided to use Django for this purpose. Basically, I need to create an app where users can go onto a website, type their names and addresses, and get the required information about their historical product purchases.
Now, I am using MariaDB in Python to query the names. The function I created successfully gets the user's name using some name-matching algorithm and gets their required information. If the user misspells his/her name, the program also outputs suggested names that match what the user implied. Hence, if the user clicks on his/her name, he will get all the historical purchase history for that user.
I managed to use Django to create a basic website. But I want to create input boxes where users can put in their info. Do I actually go to models.py in Django and create a names model? Also, is an administrative site required for this purpose?
Edit: from further reading, it seems I need to use inspectdb and tell Django to automatically create models for me?
You may get all the information you need from the Django tutorial in the docs. The first three chapters talk about the initial setup for the database and administration site.
https://docs.djangoproject.com/en/2.0/intro/tutorial01/
The fourth one handles the creation of forms:
https://docs.djangoproject.com/en/2.0/intro/tutorial04/

django group permissions for online collaboration

I am working on a database project for different users in Django, but I don't understand nearly enough about the idea of groups and permissions to know where to start for allowing users to collaborate on projects.
Essentially, I want each project (and its entries) to be owned by the person who created it (this part I have covered), but I also want users to be able to add the usernames of other users to each project (and its entries) so that those users can view the project and the entries, update them, and create new entries for that project.
Also I want it to display only projects & entries that the user has either created or is a collaborator on.
I've never worked with permissions before and while I'm reading through "Using the Django authentication system" I'm not having much luck getting my head around it. Are there any good writeups on how to incorporate this or maybe something from another perspective or a tutorial?
I had originally made a text field column where a user could add the usernames of fellow collaborators; then the views would check it and, if one of the usernames matched the logged-in user, it would allow them to view that project. But it sounds like this is not the secure way to go.
Thanks for any help.

User valuelookup in Sitecore 6?

I have some Extranet users. Each user has a dedicated page/item that is maintained by the admins. The admins should manually be able to "connect"/reference the current item to a single extranet user. I am thinking of something like using a valuelookup type or similar on the template.
But how could I accomplish this, as the users are stored in ASP.NET membership and not directly in Sitecore, as they were in previous versions of Sitecore?
I think you've got the right idea. Either store the user's full name (Domain\UserName) in the item, or store the item ID in the user's profile. If you go the Profile route, be sure to update Sitecore's User template in the Core DB so that you can see the value in the user manager.
There's also a Sitecore table you could use called IDTable, which is normally used for mapping Sitecore item IDs to external data. That might be your best solution since user profiles can be annoying... it will also be the most efficient in terms of finding/indexing this data. Look at the Sitecore examples of importing data to get an example using this API.

How to secure my ColdBox application?

I'm taking my first steps with ColdBox and I just got stuck. I have two database tables, users and firms, and each user belongs to one firm. After a user has logged in to the application, he can list every firm, but can only edit the firm he belongs to.
So how can I manage it so that the user only has an edit link for his firm? And how should I secure the firm handler and edit action?
I'm working with the ColdBox VirtualEntityService and ColdFusion ORM. Should I write a function in the UserService which validates the user's permissions?
Your edit permissions should be part of the session somehow, and your view should contain some logic as to whether a firm is "editable" and display the edit link. Of course your controller will need to double-check the user's permissions when someone actually uses the edit link, to make sure they do indeed have the permissions they need.
This seems like a sort of "standard logic" question and has not so much to do with ColdBox. I'm not a CB expert, but I don't think there's something specifically native to CB that handles your case. This is simply about writing good controller and validation code and figuring out what to store in your user's session.