I have a workflow that requires me to hand a file around my team and each of my team members needs to do something with this document. They have to do it in a certain order and one after another.
The current solution is that I send an email to the first person with this file and wait until I receive the document back. Then I send the received document to the next person and so on...
I already looked at all the connectors, especially the email with options from the outlook connector and the Approvals Connector look promising.
Getting the file into the workflow and attaching it to an email is easy and I am stuck for quite some hours now on how to get the received file back into the workflow. I should add that in the ideal case the file goes directly back into the workflow without taking the detour through my mailbox.
The is a bunch of commercial solutions out there, e.g. Adobe Sign, but i would really like to solve this without having to upload my files to some other service and rely on an other company (other than microsoft obviously).
I would really appreciate any suggestions on how one could solve this task!
Thanks a lot.
Short Answer
You need to have a shared storage that all members of the process can access, the file should then be opened and updated from there
My recommendation is (if your company teams/365 groups are set up well) to just use a specific folder in your team's SharePoint site (O365 group) that will be accessible via teams, a browser, or any of the applications required.
This can then be done in the approval flow you're playing with, or via one or several approval flows within the context of a BPF.
Those methods:
Approval Flow
Business Process Flow (BPF)
Detail
Shared Storage
This won't be hard to sort out, if the people involved are only a few in a larger team, and the data is sensitive, then create a separate folder and restrict access. Otherwise, you should at least restrict write access, to ensure that only the people involved can modify the file.
As mentioned earlier, the only thing that could hold you back is the company's set up with regard to O365 Groups, Azure (and normal) AD groups, and the literal teams. But it really shouldn't be an issue for this.
If there is bad group infrastructure, then it's all good, you can just lean in to that and make another brand new team in Teams. Once you've done that, find the new O365 Group it creates, and then just manage it all from SharePoint (you can even add a tab in the Team client to manage the process!) to ensure that the permissions are just right.
Approval Flow
Build the logic first. It should be relatively simple:
Person A performs their task, they click to say it's done.
Person B. Etc.
Then you can start worrying about the file, and how it's accessed and from where.
This is by far the easiest way to do things, and allows you to keep things as simple as possible. For the logic just plot it out step by step, then once you have that, take a look at it and see where you can economise it, and either loop elements, or use variables to make it not require the specifics that you begin with.
With any luck, you'll soon have it doing most of the work for you. You can even ensure that copies of the file are made at each stage and are then archived, if you like.
Business Process Flow
This is my preferred option because it will codify the process and you can make things however complicated in the flow(s) themselves, separately.
The BPF will ably show the organisation how your team performs the task, ie. Johnny edits, then Billy edits, then Jenna edits. However at each stage (or for bespoke tasks) you can call on different flows to perform whatever tasks you need performed.
There are positives and negatives to this approach, mainly:
Positive - You can set it up without ANY automation, and you can use it to manage your current manual process.
Positive - Later you can start to instill the automations you need to process what is required.
Negative - This is advanced stuff, and it's not only difficult to learn, but it's difficult to get right. That said, the end result will be amazing.
I want to share my final solution based on Eliot Coles answer and lots of internet research.
Basically I automated my mailbox meaning that I use the outlook connector to send and receive mails and handling the attachments between those.
The flow is triggered manually where the user has to enter the email-adresses of all the recipients and select the file to pass around. Then I store the recipients in an array to be able to loop over them later. Additionally an unique ID is generated to identify the emails belonging to this flow later on.
Next there is a loop over all recipients. The file is send to the first recipient in the array and another loop waits for the recipient to reply to the message before continuing with the next one.
Finally a close look at the "receive-loop". This runs until an email with attachment arrives from the recipient. All emails filtered by the ID generated earlier are reteived and if there is one with attachment, this attachment is stored in the file variable. If no email matched the criteria, it is waited for some time and the mailbox is checked again.
At the very end, I sent an email back to myself with the last received file, as the workflow is finished then.
Related
I have a specific use case for orbit-db but I am a bit fuzzy about a certain security implication.
I'm developing a web app where a user logs in through a Tronweb wallet account.
People can post questions, whereas other people can answer them and get paid for it.
In order to do so, I add the public key of the respondent to the question and save it to Orbit db.
Now it is my understanding that default access to any orbit-db instance is given to the app (identity) that creates it per default, or you can add custom access controllers. Let's say, if I want to create a db to manage tags, I could create an identity based on my own tronlink account and require a login to create those tags. Nobody else would be able to access that db.
Now what I am a bit fuzzy about is what happens when:
An OP creates a question, and a respondent registers an answer.
When the OP accepts the answer, and payment through the Tronlink plugin will be executed.
But since OrbitDB can run without a server (i.e. p2p based on a local IPFS node), what prevents anybody to set a breakpoint in the client-side Javascript code, get a handle to the db instance, and execute an update call to update the respondent's address locally in that question document, after which it will be synced to other nodes?
I store the public key of the respondent in orbitdb, but the transaction is still confirmed by the OP through Tronlink wallet plugin of course. But still, you cannot assume all users to check it every time.
Since there is no server involved, I don't see how you can prevent corruption of the db client-side by unwanted parties.
Could you enlighten? Let me know if my question is not clear.
what prevents anybody to set a breakpoint in the client-side Javascript code, get a handle to the db instance, and execute an update call to update the respondent's address locally in that question document
Nothing.
after which it will be synced to other nodes?
This is what makes OrbitDB secure. Each document that is synced to a new node, needs to pass through the validator function of this node. So, honest (the ones that have a correct AccessController) nodes will filter out malicious changes.
What that means? A node can be "corrupted" but it can't "corrupt" other nodes in the network.
So I've built an iOS app (my first) and I want to distribute it for free. It's a content creation app, and my plan is to allow the user full access to record up to 5 records of content for the purpose of evaluation. If the user likes the app and wants to continue generating new content, he'll have to purchase an unlock via in-app-purchase.
I've looked at the documentation, and I'm going to use MKStoreKit to do this. I understand that I'm going to be creating a non-consumable, non-subscription product to sell.
So my problem is that while I can find lots of information on HOW to do the actual IAP, I can't find anything on where or how to track that it was purchased. That is, how do I go about ensuring the app is unlocked? Does it require a round trip to the AppStore servers on every app startup? If this is the case, I'm a bit concerned about it because network connectivity is not a guarantee.
Another possibility I've been thinking about is writing some kind of semaphore somewhere when unlock is purchased, whether it's a file or just modifying a setting in a .plist. This is certainly optimal from a user-experience point of view, but can it be easily hacked? If I write a file, can a user just take that file and distribute it to whomever?
Is there some standard mechanism or methodology that's typically employed here?
Thanks for any assistance.
What I usually do is check with the Apple servers if the content is unlocked. If so, I change some attribute in a .plist and check it to unlock the content.
There are two common approaches to achieve that: The first is to check only if the attribute is not set (or with a specific value) and the other, more secure but, im my opinion, not the best, is to have a point in your app that everytime it is executed the Apple servers are verified again.
What you need to have in mind is that if your application is hacked, you can't do anything, but there is a great number of users (most of them) that don't care about hacks and not even Jailbreaks... so forget it and apply the check when the app opens and only if it is not unlocked yet.
Is it possible to create a script that is executed outside of the server,
or with a browser add-on for example it automatically fills in form values, then submits the form all ready to be parsed by the server ? this way in three minutes a billion fake accounts could get registered very easily, imagine facebook which does not use any visible to the human captcha, a browser add on that performs the form submission and inserts the vals retrieved from a local database for new emails to be associated as that is a check - no duplicate emails, can thousands and thousands of fake accounts be created each day accross the globe?
What is the best method to prevent fake accounts? Even imagining the scenario of a rotating ips center with human beings registering just to choke the databases, achieving 30-50 million accounts in a year. Thanks
This is probably better on the Security.Stackexchange.com website, but...
According to the OWASP Guide to Authentication, CAPTCHAs are actually a bad thing. Not only do they not work, induce additional headaches, but in come cases (per OWASP) they are illegal.
CAPTCHA
CAPTCHA (Completely automated Turing Tests To Tell Humans and Computers Apart) are illegal in any jurisdiction that prohibits
discrimination against disabled citizens. This is essentially the
entire world. Although CAPTCHAs seem useful, they are in fact, trivial
to break using any of the following methods:
• Optical Character Recognition. Most common CAPTCHAs are solvable using specialist
CAPTCHA breaking OCR software.
• Break a test, get free access to foo,> where foo is a desirable resource
• Pay someone to solve the CAPTCHAs.
The current rate at the time of writing is $12 per 500 tests.
Therefore implementing CAPTCHAs in your software is most likely to be
illegal in at least a few countries, and worse - completely
ineffective.
Other methods are commonly used.
The most common, probably, is the e-mail verification process. You sign up, they send you an email, and only when you confirm it is the account activated and accessible.
There are also several interesting alternatives to CAPTCHA that perform the same function, but in a manner that's (arguably, in some cases) less difficult.
More difficult may be to track form submissions from a single IP address, and block obvious attacks. But that can be spoofed and bypassed.
Another technique to use JavaScript to time the amount of time the user spent on the web page before submitting. Most bots will submit things almost instantly (if they even run the JavaScript at all), so checking that a second or 2 has elapsed since the page rendered can detect bots. but bots can be crafted to fool this as well
The Honeypot technique can also help to detect such form submissions. There's a nice example of implementation here.
This page also talks about a Form Token method. The Form Token is one I'd never heard of until just now in this context. It looks similar to an anti-csrf token in concept.
All told, your best defense, as with anything security related, is a layered approach, using more than one defense. The idea is to make it more difficult than average, so that your attacker gives up ad tries a different site. This won't block persistent attackers, but it will scale down on the drive-by attacks.
To answer your original question, it all depends on what preventative measures the website developer took to prevent people from automatic account creation.
Any competent developer would address this in the requirements gathering phase, and plan for it. But there are plenty of websites out there coded by incompetent developers/teams, even among big-name companies that should know better.
This is possible using simple scripts, which may or may not use browser extension (for example scripts written in Perl or shell scripts using wget/curl).
Most websites rely on tracking the number of requests received from a particular browser/IP before they enable CAPTCHA.
This information can be tracked on the server side with a finite expiry time, or in case of clients using multiple IPs (for example users on DHCP connection), this information can be tracked using cookies.
Yes. It is very easy to automate form submissions, for instance using wget or curl. This is exactly why CAPTCHAs exist, to make it difficult to automate form submissions.
Verification e-mails are also helpful, although it'd be fairly straightforward to automate opening them and clicking on the verification links. They do provide protection if you're vigilant about blocking spammy e-mail domains (e.g. hotmail.com).
A users workspace contains several chiklets that can often refer to retired servers and throws the error "You are not authorized" if sent a link to a new replica of that application. To fix this issue the user can right click on any open space of the workspace and choose the 'Refresh Unread Count' option which removes any chiklets referring to retired servers. I was able to get a handle on the workspace, desktop8.ndk, but the call to 'GetAllUnreadDocuments" does nothing. I also looked in the Lotus C API 8.5 Reference and found a few entries of which I wasn't sure would solve my problem and checked the 6/7/8/8.5 forums.
So, the question is: can a routine be created that will automate the "Refresh Unread Count" process so that a call can be made to it from a button or during post open of the inbox?
I think the company Panagenda has a process that will remove old servers from the workspace, but not sure how they are going about that. I did see that the 'cache.ndk' has a field, $SourceDbPath, that stores the server/path of databases. Maybe parsing that and making a call to the server to open the 'names.nsf' is the way to go. However, the 'cache.ndk' doesn't contain all applications on the user's workspace.
Thanks,
Dwain
As far as I know, the workspace does not use ordinary Notes document structures and there are no published APIs specifically for accessing it. Panagenda has done extensive research to reverse-engineer the data structures and has written their own low-level code to manipulate them.
I am writing a WP7 app and would like to include features to share highscore data using Amazon's AWS as storage service.
As far as I understand WP7 XAP files are (currently) safely encrypted and no known jailbreak for the phone exists. However, given that such a 'safe' encryption can be temporary, I would like to understand if/how this violates best practice.
AWS' dynamoDB uses temporary access tokens that can be generated using given account data and are valid for 36 hours the tokens must be verified using a signature with any request.
I am considering that all access data will be stored in the XAP file, which will also generate the temporary access token and signature. The information will be passed via https requests between the phone and AWS.
I was trying to work out alternative processes including passing the generation of the temporary token calculation to an external webservice, however I cannot think of a way to protect this data which would not be similarly compromised if the XAP file was accessible.
Am I missing the best practice approach completely or am I just overly cautious?
Thanks.
You won't ever be able to prevent users from sending false scores, pretty much for the same reason as unofficial cheating apps exist for every popular game. The best you can do is making it harder.
With a simple approach, the client sends the score directly to the server, without any kind of encryption. Someone can cheat just by running the app on the emulator and capturing the outgoing packets, then opening the same URL on his desktop browser. Estimated time: less than 10 minutes, and it can be done by anyone who knows that he can download XAPs directly from the marketplace, remove the manifest, and deploy it on the emulator.
Then you can add an encryption key on the client. Now someone has to know C# and Reflector to extract it, but it's still easy for someone having those skills.
Next level, you can add an encryption key AND obfuscate the assembly. Knowledge of CIL and Relector are required to extract the key. It'll take 30 minutes to an hour to a highly skilled developper to extract the key, and many hours for most developpers.
Finally, you can add multiple steps to confuse even more the intruder (for instance, downloading a temporary token from a server and using it somehow in the score sending process). Also, you can design the scoring system in a way that some scores are illegal (dumb example: if the minimal scoring action earns 2 points, then if someone sends an odd number as a score you know he's cheating. This one is easy to figure out, but you can make much more complex rules).
In any way, keep in mind that your system will always be vulnerable, it's only a matter of how much time it will take to the attacker to break through it. If it takes many hours or days to a highly skilled developer, then unless you're offering some worthy prize to the best player, you can safely assume that nobody will bother doing that.