I let an authenticated user to add more users to a group. This happens by sending the user's ID to my controller (it can be an array). I add every single user to the group by ID.
I'm worried about security terms. I would'nt like someone to guess an ID and send that info to me.
Is there a proper way to do this?
I'm only showing those users that have privacy as public (if that helps)
Related
I am currently using the PayPal API to process payments inside my application. My problem is the following: My application is now capable of creating an order and letting the user approve the order. What I want to accomplish is authorizing the amount the user approved to directly after the user approved the order. I know it is possible to authorize an order but from what I understand this is only possible after the user approved the Order. So what I want to know is the following: is it possible to let the user approve with the order and then authorize in one step, without the interfering of my backend(Spring Boot). Or should I let the frontend make a call after the user approved, so that another endpoint in my application can try the authorization of the funds. It al comes down to the fact that I don't know when to make the authorization call. What is the best practice?
So basically you want to create an order with "intent": "authorize" and then authorize it from your backend after approval (rather than capturing it, as would be the case for intent:capture).
For this you need to make two routes, one for 'create an order for authorization' and one for 'authorize an order', documented here. These routes should return only JSON data (no HTML or text). The second one should (on success) store the resulting authorization ID, purchase_units[0].payments.authorizations[0].id ...for later capture
Pair these two routes with the following approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
i am working on a multi user application where i have two tables for authentication, admins table and users table.
currently when a user registers, their information gets saved in the admins
table(which automatically makes them admins for the registered account) and are authenticated using the same table.
These admins can create other users and assign roles and permisions to restrict them from accessing certain information associated with that account.
These users are saved in the users table with admin_id to track which account they belong to,they are authenticated using the same users table.
Now my issue is how to track all records created by all these different users of the account.
For instance when and admin creates a post, the admin_id will be used to track the post and when a user creates a post the user_id will be used to track the post and with the help of a hasManyThrough relationship between the Admin,User and Post models all posts associated with the account can be obtained and displayed to the admin.
But for a case where a user is given the permision to view all posts associated with the account i do not know how this is going to work.
Initially, what i wanted to do to avoid all these confusion was, during authentication,i would just get the id (if admins table is being used for auth) or admin_id (if users table is being used) and store as account_id in localstorage or session.
This way, account_id will be the same for all the different users of the account and posts created by an admin of an account will be tracked with the same id as posts created by different users of the same account.
So is this approach good enough?
Is there a better approach to this problem?
and finally is this a dumb question?
Help me out guys!
Thanks in advance.
i am confuse about database relationship...I am creating website like classified ads..without registartion how user can post??
Registration users and without registration users form are same...but how to store data without registartion user
This is form
This is database
user.id is required on your Advertise table only. So, what you can do is first set the user_id on Advertise table that way you can have advertises from registered users and non users.
So if a particular user can check his ads then he can check his ads.
About the unauthenticated users they wont have the deligacy of viewing their ads.
Or you can do something like :
Check auth()->check() if auth exists then give that form if doesn't then get the unregistered user email and give the services of checking ads with email
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
I have set up on my test server codeigniter with tank_auth but I would like to know how I would be best to make sure when new user is registered make sure some selected data goes in to the database table user_profiles i.e. Country, Website,
I am going to be creating a users profile page dashboard/account/
If there are any links on this subject please give them to me.
It's best to just let people make a basic account: email, password (, username) and after they are registered and logged in let them add this extra info (e.g.: gender, website, county, etc.) on their profile page.
That's the way way i do it and i think it works fine.