I just imported my app into a different workspace (a developer one) and am having issues while trying to open it up. I get the following error:
Insufficient privileges, user is not a Contributor
Access denied by Application security check
Technical Info (only visible for developers)
is_internal_error: true
apex_error_code: APEX.AUTHORIZATION.ACCESS_DENIED
component.type: APEX_APPLICATION_AUTHORIZATION
component.id: 7520010788215408503
component.name: End User Role
error_backtrace:
----- PL/SQL Call Stack -----
object line object
handle number name
0x6e2ee250 960 package body APEX_210100.WWV_FLOW_ERROR.INTERNAL_GET_ERROR
0x6e2ee250 1028 package body APEX_210100.WWV_FLOW_ERROR.INTERNAL_ADD_ERROR
0x6e2ee250 1420 package body APEX_210100.WWV_FLOW_ERROR.RAISE_INTERNAL_ERROR
0xab143348 831 package body APEX_210100.WWV_FLOW_AUTHORIZATION.IS_AUTHORIZED
0x6137ca48 2919 package body APEX_210100.WWV_FLOW.SHOW
0x6137ca48 5323 package body APEX_210100.WWV_FLOW.RESOLVE_FRIENDLY_URL
0xb05740f0 4 anonymous block
I tried to add myself as an admin using the following procedure:
begin
APEX_ACL.ADD_USER_ROLE (
p_application_id => 255,
p_user_name => 'SCOTT',
p_role_static_id => 'ADMINISTRATOR' );
end;
And I actually see myself on the apex_appl_acl_user_roles table but still get the same result when trying to open up my app.
Authorization Scheme (shared components -> security) is set to 'End User' (which is basically two levels down on the hierarchy. Admin being the top one).
Does anyone know how to fix this?
thanks!
Roles are exported along with the app, users are not. Try giving yourself all roles via Shared Components > Application Access Control. Or use sql commands to backup the other apps' roles and restore them in this workspace. Here is a blog explaining how you can do that: https://seanstuber.com/2019/06/06/extracting-apex-access-control-users/
Related
i want to display these images in oracle apex:
Images are saved on local network share folder in following path:
\\SCANS\01\01-0001.GIF
\\SCANS\01\01-0002.GIF
\\SCANS\01\01-0003.GIF
...
\\SCANS\99\99-9999.GIF
You might want to upload those images to Oracle Apex using
Application --> Shared Components --> Static files --> Upload file
Then,once the images are in Apex, you can use #APP_IMAGES#nameoftheimage.gif to reference the image and use it in your application.
Regards
Connect to SQL plus as SYS and create directory:
create directory my_img_dir as 'c:\my_images\';
Grant read privilege on directory to DAD user (ANONYMOUS):
grant read on directory my_img_dir to anonymous;
Grant read privilege on directory to your application parsing schema. Change "my_schema" to your own schema:
grant read on directory my_img_dir to my_schema;
Create new app and 2 blank pages. I assume first page (id 1) is where you show images. Second page (id 2) is just for call application process. Create application process point "On Load:Before Header"
DECLARE
l_lob BFILE;
l_length NUMBER;
BEGIN
l_lob := BFILENAME('MY_IMG_DIR', :REQUEST);
l_length := DBMS_LOB.getlength(l_lob);
htp.flush;
htp.init;
htp.p('Content-length: ' || l_length);
htp.p('Content-Disposition: inline; filename="&REQUEST."');
-- close the headers
owa_util.http_header_close;
-- download the BLOB
wpg_docload.download_file(l_lob);
--
END;
Make process conditional if page is 2. Create HTML region to page 1 and place to region source:
<img src="f?p=&APP_ID.:2:&APP_SESSION.:my_picture.gif" alt="">
Note: More info please go this link https://blog.jaris.fi/apex/f?p=BLOG:READ:::NO::ARTICLE:91800346957167
1: Create Directory to save File and add privilege to write on Directory to You User
CREATE OR REPLACE DIRECTORY STOCK_DIR2 AS 'C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\i\STOCK_IMAGE';
GRANT read, write ON DIRECTORY STOCK_DIR2 TO STOCK;
2: Create column html expression in interactive grid Report
2: to get image dynamically
Note: this code copied from another blog. but fo preview image from directory i use this code
If those images are accessible from the client's side from an URL you should be able to render them in you page without any intervention from the application server.
We have an "image bucket" from which I access most of the images required for the application and it is as simple as uploading static files to APEX.
if you want to render in an image tag you could
<img src="URL_TO_IMAGE"/>
and technically you could serve them as background images for tags using CSS
.selector{
background-image:url(URL_TO_IMAGE);
}
EDIT: rest-server gives the option "Specify if you want the generated REST API to be secured: (y/N)", is this to enforce the acl?
I've been trying to setup a simple test using hyperledger-composer node js client. In my config I have the following:
"connection-info" : {
"participantId" : "gk1",
"participantPwd" :"CjysyeLjriRT",
"businessNetworkIdentifier" : "myBizNetwork",
"connectionProfile" : "defaultProfile"}
In my business network definition I have the following:
rule Default {
description: "DENY all participants access to all resources"
participant: "ANY"
operation: ALL
resource: "net.name.myBizNetwork"
action: DENY }
When I call the following code in node js app, I can still see the resources:
this.bizNetworkConnection.getAssetRegistry('net.name.myBizNetwork.TestAsset');
}).then((registry) => {
return registry.find('testAssetId = ' + id);
Obviously I'd like to do more scenarios with access control, but in my understanding this should work.
A good first point of call is to try out your model, acl, and script files in the online playground here https://composer-playground.mybluemix.net/
Note - you are an admin by default, to simulate being a participant you can do so by:
Clicking 'admin' in the top right of the playground
'+ Issue New ID'
Supply a User ID (whatever you like) and participant (will be one you created earlier) and then press 'Create New'
Select Option 2: '+ Add to my Wallet' (This will allow you to then use the identity and you will 'be' that participant
From looking at your code, the resource you deny is "net.name.myBizNetwork".
Following the documentation here https://hyperledger.github.io/composer/reference/acl_language.html I think that to deny access to the resources within your network you will need to add a '*' wildcard (see the Examples section in the link). If that doesn't work it may have something to do with identities.
Another note, from my understanding, you need to secure the API if you want to use identities. However, you also need to create/bind identities to existing participants, and then use those identities to 'be' that participant. See the article here https://hyperledger.github.io/composer/managing/identity-issue.html
By default, you are a Null participant (you can see what participant you currently 'are' by pinging the network)
I'm getting Insufficient permissions when trying to call the acl.list method of the google calendar api via python.
service.acl().list(calendarId='primary').execute();
*** HttpError: <HttpError 403 when requesting https://www.googleapis.com/calendar/v3/calendars/primary/acl?alt=json returned "Insufficient Permission">
I'm using the scope 'https://www.googleapis.com/auth/calendar' as recommended in the documentation. Additionally, other API methods do work, for example service.calendarList
service.calendarList().list(pageToken=page_token).execute()
What am I missing?
Here is the code I'm using based almost entirely on the sample they provide:
import sys
from oauth2client import client
from googleapiclient import sample_tools
def main(argv):
# Authenticate and construct service.
# import pdb;pdb.set_trace()
service, flags = sample_tools.init(
argv, 'calendar', 'v3', __doc__, __file__,
# scope='https://www.googleapis.com/auth/calendar.readonly')
scope='https://www.googleapis.com/auth/calendar')
try:
page_token = None
while True:
calendar_list = service.calendarList().list(pageToken=page_token).execute()
for calendar_list_entry in calendar_list['items']:
print calendar_list_entry['summary']
page_token = calendar_list.get('nextPageToken')
service.acl().list(calendarId='primary').execute();
if not page_token:
break
except client.AccessTokenRefreshError:
print ('The credentials have been revoked or expired, please re-run'
'the application to re-authorize.')
if __name__ == '__main__':
main(sys.argv)
You might have to delete existing credentials, in the form of .json files. I had a similar "Insufficient permissions" problem, and I had to delete stored credentials. I had the additional problem that because of trying out some of Google's scripts in their tutorials, unknowingly I had credentials stored in a hidden .credentials folder in my home directory (users/home). Since they were hidden, I had to look for them through Terminal (on Mac), and delete them there. Once deleted, the problem was solved, since I could create new and proper credentials, suitable for the scope of my new script.
Something is wrong with your authentication. Insufficent permissions means that you don't have access.
I can verify that the scope https://www.googleapis.com/auth/calendar is enough to display ACL.list on the primary calendar.
You have to find the location of "calendar-dotnet-quickstart.json" file and delete it. I used .NET example and I have to debug the following code the find exact location.
string credPath = System.Environment.GetFolderPath(
System.Environment.SpecialFolder.Personal);
credPath = Path.Combine(credPath, ".credentials/calendar-dotnet-quickstart.json");
Then change scope as bellow and rebuild the solution.
string[] scopes = { CalendarService.Scope.Calendar};
You will notice that google will ask to confirm the access again.
I connected Alfresco with my active directory I am able to login using windows credential but how to add userspace to these windows login. I am not able to able to create new content using windows login. Also I have to login twice inorder to view the alfresco explorer page. First in browser then in alfresco login page. How to make it as single page.
Here is my global property
### ACtive Directory Configuration ###
authentication.chain=passthru1:passthru,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=192.168.100.100
passthru.authentication.domain=<Netbios Domain>
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=sameer
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.100.100:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.java.naming.security.credentials=<administrator.privilege.account.password>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=true
cifs.enabled=false
First error kind of in your properties:
Use the ldap.authentication.active=true or the passthru as active subsystem
This is the reason you need to login double.
So in this case just put the
ldap.authentication.active=false
I'm not sure why you're not an admin, can you try the following:
ldap.authentication.defaultAdministratorUserNames=sameer
or
ldap.authentication.defaultAdministratorUserNames=uid\=sameer,cn\=users,dc=<company.domain>,dc=com
Are you sure it's uid=sameer and not cn=sameer.
I've set a ondrop event on my drop area and it receives an event when I drag an image from my desktop to the drop area.
However, according to the Recommended_Drag_Types document:
https://developer.mozilla.org/en/DragDrop/Recommended_Drag_Types
A local file is dragged using the application/x-moz-file type with a data value that is an nsIFile object. Non-privileged web pages are not able to retrieve or modify data of this type.
That makes sense, but how do I prompt the user to escalate privileges to get access to the file data and send it via an XMLHttpRequest?
If I try it without escalating privileges when I do this code:
event.dataTransfer.mozSetDataAt("application/x-moz-file", file, 0);
Javascript returns this error:
Permission denied for domain.com to create wrapper for object of class UnnamedClass
The only article I can find on this is one from 2005 but I can't tell if the directions still apply to Firefox 3, it suggest doing this:
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
which doesn't seem to work.
If you haven't upgraded to 3.5 yet, you can use the dragdropupload extension.
I found out that if instead of escalating privileges globally:
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
...
function doDrop(event) {
...
var file = event.dataTransfer.mozGetDataAt("application/x-moz-file", 0);
...
}
I escalate privileges in the function's body:
...
function doDrop(event) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
...
var file = event.dataTransfer.mozGetDataAt("application/x-moz-file", 0);
...
}
I get rid of the error you described and gain access to the nsIFile instance I was looking for.