How to secure my ColdBox application? - coldfusion

I'm taking my first steps with ColdBox and I just got stuck. I have two database tables, users and firms, and each user belongs to one firm. After a user has logged in to the application, he can list every firm, but can only edit the firm he belongs to.
So how can I manage that the user only has an edit link for his firm? And how should I secure the firm handler and edit action?
I'm working with ColdBox VirtualEntityService and ColdFusion ORM. Should I write a function in the UserService which validates the user's permissions?

Your edit permissions should be part of the session somehow, and your view should contain some logic as to whether a firm is "editable" and display the edit link. Of course your controller will need to double-check the user's permissions when someone actually uses the edit link, to make sure they do indeed have the permissions they need.
This seems like a sort of "standard logic" question and has not so much to do with Coldbox. I'm not a CB expert but I don't think there's something specifically native to CB that handles your case. This is simply about writing good controller and validation code and figuring out what to store in your users session.

I would like to know how a non-admin account can use the Admin SDK

Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it is impossible to do this the normal way.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also, we want to do the following if the whitelist matches:
The functions that can be used by teachers and students are different.
The buttons can be changed depending on the grade level of the students.
Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information.
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the Session class and the methods getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and their organizational unit.
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column.
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read.
Assign the new role to each user creating a role assignment
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath

How to add more features to user permission in django?

I am new to Django. I want to edit the default user auth_permissions. More precisely, I want to add an integer field in addition to the "label" and "code" fields to distinguish permission types (like strong, moderate, etc.). So far I could not find anything like this. I tried to make custom permissions, but could not add them to the permission database. Could anyone help me?
Per-object permissions
When I first got into Django I also tried relying on the permissions framework within Django. I also found the permissions were too broad and inefficient, which led me to researching django-guardian. I tried to submit an edit to the Django project itself to make more object-based permissions, with no success; they said per-object permissions were too personalised for the framework.
The thing is, after getting to work in the industry I realised how people do these permissions in the industry (which honestly was something that bugged me): they mainly create custom login middlewares to keep track of authentication types and add the checks on the view itself. So basically you will have to check in the view who the user is and whether you want to give them permission to whatever.
When at MIT they kept asking me to make some weird permissions, and I created a table called ExtraordinaryPermissions. This had a ForeignKey to the user and could be used to check within the views what objects the user had access to.
It is troublesome, but per-object permissions are handled this way in the industry.
good luck

django group permissions for online collaboration

I am working on a database project for different users in Django, but I don't understand nearly enough about the idea of groups and permissions to know where to start for allowing users to collaborate on projects.
Essentially, I want each project (and its entries) to be owned by the person who created it (this part I have covered), but I also want users to be able to add usernames for other users onto each project (and its entries) so that other users can view the project, the entries, update them and create new entries for that project.
Also I want it to display only projects & entries that the user has either created or is a collaborator on.
I've never worked with permissions before and while I'm reading through "Using the Django authentication system" I'm not having much luck getting my head around it. Are there any good writeups on how to incorporate this or maybe something from another perspective or a tutorial?
I had originally made a text field column where a user could add usernames of fellow collaborators, then the views would check it and if one of the usernames matched the logged in user, it would allow them to view that project, but it sounds like this is not the secure way to go.
Thanks for any help.
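The same server-side rule underlies the ColdBox answer above (render the edit link only for the user's own firm, but re-check in the controller), the per-object permissions answer (a table with a foreign key to the user, checked inside the view) and this collaboration question (owner or named collaborators may view and update). The following is an added example, not code from any of the posts or from Django itself: it models that check in plain Python with dataclasses instead of the Django ORM, so the names Project, Collaboration, ProjectStore and the action set are assumptions chosen for illustration. The key points it shows are deny-by-default, a collaboration row per (project, user) rather than a free-text list of usernames, and filtering the visible list with the same function that guards the update.

```python
"""Object-level authorization modelled in plain Python (no Django ORM).

Assumed names: Project, Collaboration, ProjectStore, Action. In a Django
project the same shape is a Collaboration model with ForeignKeys to
Project and User, and the checks run inside each view.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    VIEW = "view"
    UPDATE = "update"
    CREATE_ENTRY = "create_entry"
    DELETE = "delete"


@dataclass(frozen=True)
class Project:
    id: int
    owner: str  # username of the user who created the project


@dataclass(frozen=True)
class Collaboration:
    """One row per (project, user) grant: the relation-table equivalent of
    the ExtraordinaryPermissions table with a foreign key to the user."""
    project_id: int
    username: str


# Owners may do everything; collaborators may view, update and add entries
# but not delete the project. Any action not listed here is denied.
OWNER_ACTIONS = frozenset(Action)
COLLABORATOR_ACTIONS = frozenset({Action.VIEW, Action.UPDATE, Action.CREATE_ENTRY})


class ProjectStore:
    def __init__(self, projects, collaborations):
        self._projects = {p.id: p for p in projects}
        # Exact (project, username) pairs, so 'bob' can never match 'bobby'.
        self._collabs = {(c.project_id, c.username) for c in collaborations}

    def role_of(self, username, project_id):
        """Return 'owner', 'collaborator' or None (unknown project or no grant)."""
        project = self._projects.get(project_id)
        if project is None:
            return None
        if project.owner == username:
            return "owner"
        if (project_id, username) in self._collabs:
            return "collaborator"
        return None

    def is_allowed(self, username, action, project_id):
        """Deny by default: only a known role with the action listed passes."""
        role = self.role_of(username, project_id)
        if role == "owner":
            return action in OWNER_ACTIONS
        if role == "collaborator":
            return action in COLLABORATOR_ACTIONS
        return False

    def visible_projects(self, username):
        """The list view: filter the data set, not just the links in the template."""
        return sorted(pid for pid in self._projects
                      if self.is_allowed(username, Action.VIEW, pid))

    def update_project(self, username, project_id):
        """The edit view: re-check server-side even if the UI hid the edit link."""
        if not self.is_allowed(username, Action.UPDATE, project_id):
            raise PermissionError(f"{username} may not update project {project_id}")
        return f"project {project_id} updated by {username}"


def insecure_text_field_check(username, collaborator_text):
    """A free-text username list matched by substring, as in the question's
    original design (assumed to be written with `in`): 'bob' matches 'bobby'."""
    return username in collaborator_text


# Constructed sample data: alice owns project 1 and has added bob as a
# collaborator; bob and carol each own their own project.
SAMPLE_STORE = ProjectStore(
    projects=[Project(1, "alice"), Project(2, "bob"), Project(3, "carol")],
    collaborations=[Collaboration(1, "bob")],
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "sees", SAMPLE_STORE.visible_projects(user))
    print(SAMPLE_STORE.update_project("bob", 1))
    try:
        SAMPLE_STORE.update_project("carol", 1)
    except PermissionError as exc:
        print("denied:", exc)
```

Running the module prints each user's visible project ids (bob sees 1 and 2, dave sees nothing), then a successful update by bob and a denial for carol. The `insecure_text_field_check` helper is there only to make the earlier design's weakness concrete: an exact-match relation row cannot be satisfied by a username that merely contains another username.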

Creating new user welcome tips

I'd like to create tooltip bubbles for my site for new users; many other sites do this (most Google apps). I'd like to show them for all accounts created within the last week, unless the user specifically 'dismisses' the tip.
I thought about doing this with cookies, i.e. set a "-dismissed=True" value that I could check as well as the account creation date and determine whether to show the tips.
However - this doesn't work across browsers, since cookies aren't shared between browsers. So if a user logs into chrome, dismisses the tip then logs in in FF the tip will reappear.
Does anyone know if there is a common way to do this sort of thing? Or at least a better way than what I've described?
I'm using browser length sessions so I can't store it in the session.
You could have a user preferences model, with a one-to-one relationship to the main user model, which stores preferences like this. Create an instance when the user entry itself is created, and default the 'show tips' field to True.
You could also use the new custom user model functionality in 1.5 to store this in the user model itself, but that seems like overkill here.

Sitecore: tracking of the last visited page

On the site that I'm developing we need to track the last visited page for each user (users log in to the site). What's the best way to do this? We are already using a custom profile, so adding a new field is easy. The site will not have a lot of traffic, so updating this field won't be an issue, I think. Are there better ideas? Does Sitecore already offer something that we can possibly use?
OMS has a "Top Exit Pages" report by default... but that is tracked across sessions, not users.
A good IIS log parser should also be able to give you this information... again, that would be by session (or IP) and not logged in user.
If you really want to get every exit page AND filter by logged in user... what I would do is add a new pipeline processor to httpRequestBegin, and place it after the ItemResolver. Then save the Item.Paths.Path. I would advise against writing this data to the user Profile if you are using the default ASP.NET Profile handler and you have a decent amount of traffic, because it is highly inefficient. Roll your own simple storage solution here, or just dump the data to a log.
My first question would be: Why do you need only the last visited page of the user? What are you trying to determine?
In a lot of cases, you are probably starting down an analytics route, or perhaps even trying to drive some marketing.
If the analytics is what you are going for, you can probably just pop an event out to your google analytics account with the current username as an event variable to allow you to look at analytics by user and by page. Alternatively, you could use the Sitecore OMS/DMS features for tracking all that data and looking at the analytics there.
If you are looking at driving marketing, you probably want to use OMS/DMS, especially if you want to start getting into personalization or engagement plans. OMS/DMS will track user activity, and all the pages they visit, though not by user account. With some customizations, you can probably add that data in, but it will depend on what you are trying to use the information for. The username may not be what is important to you.
If, however, you just want to know what page to send the user back to after logging them in, it would be better to just store that in session or pass as a post parameter if session is not a viable option for you.