I want to store a user in DynamoDB. It has an ID, email & password hash.
Both the ID and email will be unique. I want to be able to look up the user object using either the ID or the Email.
How do I both create this table and query/get a user object with just the ID and then again with just the email?
You describe two access patterns
Fetch user by email
Fetch user by ID
You could support these access patterns by creating a primary key of email in your base table and a global secondary index (GSI) on the user ID (or vice versa). The important point is that the attributes you want to search by are built into your primary key. This will allow you to execute a fast query operation for both of your access patterns.
Related
Here is a description of my tables
event {
id
organization__id
}
user {
id
}
organization {
id
}
organization_user {
user__id
organization__id
}
How can I restrict a user in order to allow him to insert/update event with only organization__id he belongs (through table organization_user)?
You definitely do not need to add any token session variable values other than an X-Hasura-User-Id which I assume you have already implemented.
Using Hasura correctly is all about making the proper relationships between your different tables.
It is important to remember, Hasura can use both object and array relationships for row level permissions lookups.
I am going to assume that the following relationships exist (if they do not, you can create them easily).
event => organization
organization => orgUsers (organization_user array relation)
organization_user => user
Event then has a direct lookup path to user.id and you can check that it equals the X-Hasura-User-Id. Although this is an _eq check, remember: the orgUsers array lookup in that path makes sure that if any orgUser.user.id matches, they will have row level access.
Comment if you need clarification of any of these points.
It's hard to say without knowing you permissions and authentication scheme, but you can accomplish this by using session variables in your row-permissions settings (docs).
First, you'll need your users to have a value in their session token that maps to the organization__id column in your database. For example, suppose your session tokens have a property called X-Hasura-Organization-Id.
Next, disable insert and update permissions on the organization__id column in the event table.
For insert permissions, configure a column preset which sets the organization__id value based on the user's session token value for X-Hasura-Organization-Id.
And, finally, to prevent users from updating records outside of their organization, you can configure a row-level permission rule which checks that the X-Hasura-Organization-Id in the user's session token matches the organization__id of the row they wish to update.
Am looking at the data structure in this post and want to know how you would go about getting the emails of users who belong to a certain group when they could belong to several groups and the GroupID stored against that user is the current group they are participating in?
Do you store the email addresses with the userid under the "members" or, instead, for each member of the group, get that user's email address from the "users" document userid (this would mean iterating through the group/members collection and doing a query for each user. Not very efficient).
Am used to SQL so this is all new to me.
You should have a single node for each user
/users/UID/emails/
/users/UID/emailunread/
/users/UID/settings/
/users/UID/details/
/users/UID/payments/
So you can simply do a subscription for a singular node path this.myDatasubscription = this.DB.list('users/' + this.uid).snapshotChanges() ensuring changes like new emails or account settings will detected and rolled out in real time back to the app, so your are using angular/ng or something similar client side then your variables {{this.email_list}} should update real time with no page changes.
Take a look at this one.
error: Property 'getChildren' does not exist on type 'DataSnapshot'
I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.
I am thinking of following what buttons the user has pressed. I intend to choose the CreateUserWizard control that will create a database for me. The Membership class has got a few functions to identify who the user is..e.g. GetUserNameByEmail..
What i am trying to do, is to track what each user has pressed and use his input for sqlCommand.
For example, when the user presses the "post response" button, i want to record his identity and use it in sql to insert his message and identity..
The problem is that in the Users table that i made it has UserID as a primary key that identifies the user..and in the CreateUserWizard database or Membership cookie, it has its own functions fields.
So the question is how do i SELECT the users identity from the database/cookie created to me, and incorporate it into a statement in the SQL for my sqlStatement..
I need to obtain the identity of the user and use it in an SQL statement.. How can i achieve that?
You can grab the user_id from the Membership provider...
for example:
System.Web.Security.Membership.GetUser().ProviderUserKey
the will give you the user id of the current user - and you can use that value in your sql statement. If you're using the default Membership provider - this value will be a unique identifier (Guid) so:
Guid currentUserId = new Guid(System.Web.Security.Membership.GetUser().ProviderUserKey.ToString());
In an asp.net webform app, I need to restrict the logged in user to show data only for their company. This is a primary key of my topmost table. How to I set that based off the user. I imagine I would have another table with some user ID mapped to company ID?
If a user can be part of exactly one company, then generally there would be a table of companies and a table of users, with the latter having a company ID foreign key column to the primary key of the former. The user object would then have the company ID throughout the application (such as in the cookie data or session data) and the application would apply filtering rules accordingly.