We have a build system on which we need to fetch documents for other user's builds. We don't have their password but only their login and we will use a service account. Is there a way to get the access rights for another principal with the FileNet API so we won't allow them to fetch something they don't have access to?
For performance sake, I would rather ask the CE to do the check instead of getting all permissions and checking them all one by one. Plus nested groups and security priority (direct/template/proxy) might slow things done a lot and make the code complex. Something like getAccessAllowed but given a principal or a User? If there is not, what would be the best way to do that?
I saw that get_MemberOfGroups deals with nested group but we still have to check against all the permissions, taking care of the source priority and deny/allow priority, which means re-implement the CE security strategy.
You can create custom LoginModule to authenticate user without password, then you can work with CE as original user without service account.
But you need to add this users in FN objects ACL's with correct permissions.
If I got what you are saying right, I think the best way to do this is other way around. You don’t look what access right own by user and match with the document, you need to see what that user asking and he have right access levels. Best way is to use an Active directory with user groups and set permission for them document type vie. But let’s say same how you have set access permission on document’s side. When user call the document, get an Instance of it
Document doc = Factory.Document.fetchInstance(os,ID,null);
And get the permission list
AccessPermissionList parmissin = doc.Permissions;
And with loop get what permission is set for that document
foreach (IAccessPermission owner in parmissin)
{
if (owner.GranteeName == "your loginuserpermission" )
{
// you can cont your work
}
}
and keep a local
Set of permission where you validate your user (db/txt) and if they match, use your service account user and show image and information.
Related
Is there any way to login other users account for admin user ?
Currently authentication based on Meteor Accounts
I saw this post but didn't working at all now.
The feature is important for us because when user have problem in system then admin need to see it this by simulating user account.
Thanks in advance.
It seems you want to impersonate a user. This means that you want to have Meteor.userId (or this.userId depending on context) reflect the _id of a specific user both on the client and the server.
afaict the only way to do this is to login as the user. Presumably you don't want to ask the user for their password so you have a couple of choices:
Save their existing password, replace it (temporarily) with a password of your choosing, then after you're done impersonating their account, restore their existing password.
You probably don't want to ask the user for their password and you don't need to. All you need to do is set aside Meteor.user.findOne(userId).services.password.bcrypt, then reset the password to your temporary value, then restore the original bcrypt value later.
The downside is that the original user would not be able to login while you are logged-in. Plus it's really hacky.
Extend Meteor's Accounts package to provide impersonation capability in a more elegant manner.
You might also look at validateLoginAttempt. The docs are unclear as to whether a failed login attempt could be overridden with a successful one but if it could then that would provide another pathway to solve your problem.
Instead of logging in as the users, which requires their password and which is a total no-no, you may use rather alanning:roles and allow the admin to assign the role of any user in order to draw views based the user's role.
This requires a well designed role system.
As a plus you could then at least load the documents associated with the user who you want to support.
This requires a well designed document and data model.
But generally spoken you should rather focus on writing good tests (test driven development) for components as unit tests, integration tests and UI tests.
This will reduce the need to manually view the app as an end user a lot.
The most common end user problems can be reduced by creating a good knowledge base like a wiki or video tutorials.
Even if then an error occurs in the end user side, I would rather try to implement a well designed error log that allows users automatically create tickets on error which also include the error stack.
All the above methods are to be favored before logging in AS THE USER.
As #Jankpunkt has already mentioned alanning-roles I can add something you can use without installing any external package.
Just keep a type key in the profile object of the users collection. Then define some types like 1 for super-admin, 2 for admin, 3 for general etc. Then check the authorisation of particular action by checking the value of user.profile.type key.
Caveats: Make sure you are checking the type in server side. By default profile field is writable from the client end, so if you are putting type field in the profile object make sure that you are not allowing users to modify users collection in the client end.
Here is how to restrict client end update in users collection:
Meteor.users.deny({
update() { return true; }
});
Read more on roles and permissions here:
https://guide.meteor.com/accounts.html#roles-and-permissions
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your api key can read the user collection from your parse server. Api key is not the best approach to protect your app because anybody can know it by putting "sniffing" your network requests.
In order to protect and provide access you can protect your objects with ACL's which allows you to create access for specific user (who is logged in) or to specific role. So you have couple of options:
Create a master user - each user must have username and password and when you create your parse objects make sure that only this specific user create/read/delete and update them. You must only to make sure that when you create an object you create ACL for this user so only this user will be able to modify and read the object. You can read more about parse-server security and ACL's in here: http://docs.parseplatform.org/rest/guide/#security
Using parse cloud code - In cloud code there is a nice feature of useMasterKey which provide full access to any object of parse-server so for each operation that you run (via JS SDK) you can also set the useMasterKey to true and then parse-server will ignore all the ACL's and will execute the query for you. The useMasterKey feature work only in cloud code context so it's safe. If you want to provide additional level of security you can run the cloud code function with your master user (from section 1) and check inside the cloud code for the user session so if the session is empty then you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validate the user session:
if (!request.user || !request.user.get("sessionToken")) {
response.error("only logged in users are allowed to use this service");
return;
}
I'm connecting to the v1 connect API to grab inventory for a couple items in my store. I'm using the PERSONAL_ACCESS_TOKEN
The end point is connecting fine, but it's returning a blank dataset, presumably because when i connected to v1/me
I only have the following permissions :
"account_capabilities":["EMPLOYEE_MANAGEMENT","TIMECARD_MANAGEMENT"]
Inventory needs "ITEMS_READ", is there a way to change this without having to use OAuth, or am i stuck making an oAuth request everytime i need to pull inventory?
I believe this is occurring because your Square account is a Multilocation account. Because of this, you need to access Connect API endpoints slightly differently:
Use the List Locations endpoint (/v1/me/locations) to get the id for each of your business's individual locations.
To access item, inventory, or payment information for one of your individual locations, provide that location's id as the value of the merchant_id path parameter (instead of providing me) in your request.
Note that the account_capabilities listed by /v1/me are different from capabilities described by OAuth permissions. Regardless, your personal access token grants you complete access to all endpoints for your own Square account.
Is it possible to manage multiple calendars from a single program? The task is to add events for different users in a domain, but do it from single program without knowing all users domain passwords. What type of authentication should be used to connect EWS? Is there any admin account exists? How to specify which calendar to update on each operation?
sure is this possible. You will have to create an ExchangeService-instance for each user and set the ImpersonatedUserId property to the mailbox of the user you want to the appointment or whatever you want to add.
have a look at http://msdn.microsoft.com/en-us/library/exchange/dd633680(v=exchg.80).aspx there you can find how to work with impersonation and also have a look at http://msdn.microsoft.com/en-us/library/bb204095.aspx where you can see how to set the rights your user needs to impersonate.
hope that answers your questions...