Umbraco 7 : intercept user access check? - umbraco7

I was wondering : is it possible to intercept the event that checks authorization when attempting to edit a document (eg that returns error Authorization error: Unauthorized access to URL: )
and add my own checks (eg based on specific document ids, external user groupings etc)?

In ContentService.Save() there's an option to include a user ID. I assume the saving is then done in the context of that user and that users permissions.
Also, you can hook into ContentService.Saving event and do whatever checks you want (and cancel the save if your checks "fail").
https://our.umbraco.org/documentation/reference/events/contentservice-events

Related

Can I get current user's access/id token from SuiteScript?

I'm doing some discovery with NetSuite but am struggling to find a way to get the currently logged in user's NetSuite access or id token.
Use case is I want to call an external API (that I'm creating) from SuiteScript. I have decided to use the https module in a User Event Script when a record is created. I want to include the NetSuite access or id token in the Authorization header with this request.
I understand that I can use NetSuite as an OIDC provider which means I can access the public keys for my account via JWKS URL and validate the NetSuite token, verify user role etc. and permit the operation. Therefore securing my external API.
Is this possible?
You can get data on the current User by Using the N/runtime module.
Typescript import and examples of use

Onedrive OAuth 2.0 code flow for getting access token 'redirect uri' is not specified in the list of urls specified

Before adding, yes it works when I give the entire url like http://localhost:8080/onedrive/oauth2/success/1 in the list of uri in azure uris. I am using code flow to authroize these tokens.
But as per the docs, it should work with me just mentioning the domain name there, like http://localhost:8080. Which it doesn't.
I want to do something like send the user id along with every request for me to keep track of which user I should link this accees token to, and have no idea to do so, if this issue is there. My current application logic is, when my application sends the user details and calls my spring API, I want to handle all these transfer of tokens in the server side, so I want to transfer this userId as my path variable. How do I go about doing this? Has anyone done this, can they explain to me any other different solution?
You can't add custom details to OAuth redirects and it is best practice to always register the full redirect uri.
In terms of tracking the user, after login the token has a user id and you can also get fields such as user name and email - so both the UI and API will know which user each token is for. I can provide further details on mechanics if needed.
The user id in a token is often a generated value, whereas the user id you want to use in API path segments is maybe a user id from your app's back end database - if so you will need to map between token details and database details.
If you provide redirect uri as http://localhost:8080/ then it means you are handling the api response in
/
endpoint and not
/onedrive/oauth2/success/1
To get to know the user to whom you are linking, few ideas which you can use are
1) Use security to obtain the logged in user credentials (Ex: Principal if you're using Spring security in java)
2) After successful authentication, use the user id you have and send one more request to backend and store it database with userid as a key

Cloud function authorization vs validationHandler

Found myself opening a couple of functions for access to users with invalid session tokens. The only way I could find to do that is to intercept the request using a bodyParser before Parse gets the request and removing sessionToken from the request.
Now trying to do a better job managing authorization to all functions - My question are:
can I relax the requirement that if a sessionToken is included it must be valid in any other way? Is session token validation done using a default validationHandler that can be replaced or is that done elsewhere?
to control access to cloud functions, is there anything like ACL roles? does cloud function's "validationHandler" accept only param? or can I inspect the user object as well?
Yes. In parse-server you can make sure that the sessions are valid because if you will try to run any CRUD operation with invalid session you will get http 403 error that your session is not valid or expired. You can control on the "Length" of your session by changing the sessionLength property in your parse-server app. The default is 1 year
There is no control access to cloud functions but you can check if a logged in user trigger this function by checking if the request.user is not undefined. Cloud functions can get only params in key-value pairs and those params cannot be Parse Objects. if you want to send ParseObject you can send the objectId of the parse object and then query for it in cloud code to get the full object. You can always access the user context in request.user (only if cloud code was triggered by the user). If you still want to "protect" your cloud code you can check if the calling user have a Role by query the Role DB and check if the user is contained there.

Spring Security: Securing URL and Parameters

I have a requirement where application needs to secure URL for users based on the role user is having and parameter passsed..
Eg:
There are four roles
PREVIEW_VIEW, PREVIEW_MODIFY, PUBLIC_VIEW, PUBLIC_MODIFY
And URL hit is
http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW
Lets say User is having only 'PUBLIC_VIEW' and 'PUBLIC_MODIFY' permission.
If user is passing parameter 'recipientType=PREVIEW' then page should be accessible only if user is having 'PREVIEW_MODIFY' permission.
So how to secure URL and parameter together?
i.e Allow this URL(http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW) only if user is having PREVIEW_MODIFY permission
and
allow this URL(http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PUBLIC) only if user is having PUBLIC_MODIFY permission
Thanks
Chetan
to me, this is the wrong way of proceeding. URLs are changable by definition by the client because it's the client itself who decides who or what to call. Therefore, URLs are the worse place to put security information. Besides, if you need to walk this way, I think you can't but leverage encyption.
The server is the one to decide which role(s) the client is associated to, therefore it forces the client to include a parameter with its roles combination. Of course, this MUST be encypted (symmetric encryption will be enough) since the client MUST NOT be able to alter it in anyway.
When the client performs the request, the server retrieves the encrypted attribute and decrypt it to obtain the client's roles.
If you need to make this attribute understandable, you could show it in clear and use an additional cryptographic HASH parameter.

Pausing and resuming a Mediawiki edit session

Is it possible to pause and resume a Mediawiki edit?
To explain, I've written a MW extension that accesses an external database; this database requires OAuth authentication, which is a three-step process requiring the user to be redirected to an external site to allow the extension access to the external db. If the MW extension already has an access token for the extDb, all is well. However, if there isn't a token, there is a problem. This is a tag extension, and is triggered by finding a certain XML tag in the wiki page, which typically occurs in the 'preview' or 'submit' of an edit, e.g. http://server.com/wiki/index.php?title=Bibliography&action=submit (the parser hook is ParserFirstCallInit). The callback URL constructed by the OAuth code returns you to the page you were editing, but in its pre-edit state: i.e. you lose all your edits.
How can I resume the edit and not lose my edit data?
You could just use store the data in $_SESSION. MediaWiki itself uses it to store user authentication data, so it should be well integrated with MediaWiki's own session handling.
Note that, by default, MediaWiki doesn't create a session for anonymous users unless they try to log in or do something else that requires a session. If your external authentication code is only meant to be used by logged-in users, this should not be an issue, but just to be safe you may want to make sure that a session is set up before trying to use it:
if ( session_id() == '' ) {
wfSetupSession();
}

Resources