I have a table called Goals with default CLP (Public read and write).
My mobile app has default ACL set so that only the owner for the data can read and write from it.
Let’s now assume that someone is able to obtain the client keys maliciously from the app, and add an entry in the table Goals without ACL using a command like that:
curl -X POST \
-H "Content-Type: application/json" \
-H "X-Parse-Application-Id: xyx” \
-H "X-Parse-REST-API-Key: 12345” \
-d "{\"name\":\"whatever\"}" \
https://api.parse.com/1/classes/goals
Now every user will load this new data, I would like to prevent that.
I assume there are two options:
Prevent Rest API users from writing data without ACL or with a Public ACL, perhaps with some CloudCode
In the app filter out the data that doesn't belong directly to that user
My question is, are the two above the only available options? Is the first option only doable with Cloud Code?
Ok, let's try this again. I think the best solution in this case is to create a beforeSave trigger in cloud-code that sets the ACL the way you want it. With the Parse Javascript SDK, you can construct an ACL that only gives access to the user passed to it in the constructor. Something like this (untested code):
Parse.Cloud.beforeSave("Goal", function(request, response) {
request.object.setACL(new Parse.ACL(Parse.User.current()));
response.success();
});
Note: I used this post as a reference. And this too
Related
When I start a GET request to https://youtube.googleapis.com/youtube/v3/search?part=snippet&channelId=*channelId*&order=viewCount&key=*apiKey* I am supposed to get the most viewed videos of the channel.
In the response's items array's first element is a 6 months old video with around 4k views.
On the channel's Youtube page if I sort by most viewed, the first one is 10 years old with 200k views.
Any idea why I do not get the correct results?
I double-checked, the channel id is correct.
Easy workaround:
Use my YouTube operationnal API, make a GET request to https://yt.lemnoslife.com/search?part=snippet&channelId=*channelId*&order=viewCount
A bit more complicated workaround:
curl -s 'https://www.youtube.com/youtubei/v1/browse?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8' -H 'Content-Type: application/json' --data-raw '{"context":{"client":{"clientName":"WEB","clientVersion":"2.9999099"}},"browseId":"CHANNEL_ID","params":"EgZ2aWRlb3MYASAAMAE="}'
Don't forget to replace CHANNEL_ID with the channelId you want the most viewed videos from.
If you need more than the first 30 results, grab the continuation token from the response of the request above and use the following command (and if you're still interested for more results use the last continuation token you got):
curl -s 'https://www.youtube.com/youtubei/v1/browse?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8' -H 'Content-Type: application/json' --data-raw '{"context":{"client":{"clientName":"WEB","clientVersion":"2.9999099"}},"continuation":"CONTINUATION_TOKEN"}'
Don't forget to replace CONTINUATION_TOKEN with the continuation token you got from the latest request reponse.
Note: don't pay attention to the key, it's not a Youtube Data API v3 key.
Any way to figure out tricks to login to an API by Dexcom? This article discusses an approach for accessing blood sugar values but the first step is to log into the API and it is unclear how that step was taken as this is an undocumented API.
We are trying to help a diabetic get access to her blood sugar values so she can code new insulin dosing algorithms. (She wants to prevent the crashes and spikes in her blood sugars that ruin her days and put her at risk for blindness and being on dialysis. She believes and hopes human + machine can do better than her alone.)
If we are able to login the next steps for retrieving the values seem clear:
curl -k -X POST "https://share1.dexcom.com/ShareWebServices/Services/Publisher/ReadPublisherLatestGlucoseValues?sessionID=GUID&minutes=1440&maxCount=1" -H "Accept: application/json" -H "Content-Length: 0"
Is there anything to try that could give us a clue as to how take the first step and login to this API?
Open the Dexcom clarity website
In your browser (let's assume Chrome for now) open the developer tools and go to the "Network" tab
Select the "data" XHR call. This is the "hidden API call" that populates the graphs in the Dexcom Clarity.
Right click and select "Copy > Copy as CURL (bash)". That will give you the CURL code that authenticates and logs into the website.
(Optional) Take the CURL command and paste it to https://curl.trillworks.com/ to translate the CURL code into some
other language
curl 'https://clarity.dexcom.com/api/subject/1522320180078ZZZZZZ/analysis_session/1560634749054XXXXXXX/data' -H 'Origin: https://clarity.dexcom.com'
-H 'Accept-Encoding: gzip, deflate, br'
-H ..... -H 'Referer: https://clarity.dexcom.com/' -H --data-binary '{"localDateTimeInterval":["2016-05-01/2016-07-29"]}' --compressed
Notice that you can change the data range by changing the values passed at localDateTimeInterval and get access to the full data in the account at a resolution of 5-min measurements. The returned JSON also includes all other events, such as calibrations, etc.
I'm not sure if this is a possibility but I am trying to update the status of a text widget in Dashing using curl.
The status I would like to update is 'warning' or 'danger' to reflect if a server has gone down or become unresponsive. My idea is that the dashboard will be populated with several green text widgets all saying online when the dashboard initialises. Periodically services running on other machines will post requests to the dashboard changing the status of widgets.
I have tried using curl to simulate the post messages from other machines and I'm able to update the text and title of the text widgets but have had no luck updating the status.
I have been using:
curl -d "{ \"auth_token\": \"YOUR_AUTH_TOKEN\", \"status\": \"danger\" }" -H "Content-Type: application/json" http://localhost:3030/widgets/frontend11
But the widget does not change colour. I have seen examples where the coffee script code was amended to include this possibility, but I thought that this functionality was included in all widgets?
We do this - changing status via curl - and it works great. Here's a snip of our code:
json='{ "auth_token": "'$dashing_auth_token'", "current": '$widget_value', "value": '$widget_value', "status": "'$widget_status'" }'
curl -H Content-Type:application/json -d "${json}" "${dashing_url}widgets/${widget_id}"
The above is in a function that gets passed all of the variables, but the variable names hopefully are easy enough to read there that you can make sense of it. I can write up more (or send the whole function) if it'd help you, but I think just the two lines should be enough to get you there without all the rest of the clutter. Let me know if more would be helpful.
I want to send a REST command (using PHP curl) that will target (for example) the following scenario:
where (
(user subscribed channel "channel1" AND user subscribed channel "pref1")
OR
(user subscribed channel "channel2" AND user subscribed channel "pref2")
OR
(user subscribed either ("channel3","channel4") AND user subscribed channel "pref3")
)
is it possible to create a payload that will contain complex conditions like the one above in parse REST?
Thanks :)
Yes, you can use compound queries with the $or operator. From https://www.parse.com/docs/rest#queries-compound:
If you want to find objects that match one of several queries, you can
use $or operator, with a JSONArray as its value. For instance, if you
want to find players with either have a lot of wins or a few wins, you
can do:
curl -X GET \
-H "X-Parse-Application-Id: <appID>" \
-H "X-Parse-REST-API-Key: <restKey>" \
-G \
--data-urlencode 'where={"$or":[{"wins":{"$gt":150}},{"wins":{"$lt":5}}]}' \
https://api.parse.com/1/classes/Player
I am playing with the open data project at spogo.co.uk (sport england).
See here for a search example: https://spogo.co.uk/search#all/Football Pitch/near-london/range-5.
I have been using cygwin and curl to POST JSON data to the MVC controller. An example is below:
curl -i -X POST -k -H "Accept: application/json" -H "Content-Type: application/json; charset=utf-8" https://spogo.co.uk/search/all.json --data '{"searchString":"","address": {"latitude":55,"longitude":-3},"page":0}'
Question:
How can I find out what other variables can be included in the post data?
How can I return all results, rather than just 20 at a time? Cycling through page numbers doesn't deliver all at once.
AJAX is simply a technique of posting data over a connection asynchronously, JSON is just a string format that can contain data. Neither of which have built in mechanisms for querying information such as what fields are accepted or the amount of data returned.
You will want to check the web service documentation for on spogo.co.uk for these answers, IF their web service exposes such functionality they will be the final authority on what the commands and formats are.