The Conduit API in Phabricator does not support setting of authorPHID parameter while calling maniphest.createtask. I can imagine this is because of security or some logical reason.
But I am developping my own frontend for Maniphest where the users (logged through Phabricator, so they are phab users and have phid) will add and edit tasks. What I need is that if a user creates task, he is also the author of the task.
But the problem is, that I can't connect to Conduit as any other user than "apibot" because I don't have others certificates in my front-end to do it. But if I log in as "apibot", then "apibot" is set as an author of the task.
Three possible solutions came to my mind:
1. retrieve certificate directly from phab's database
2. keep a list of certificates in some file in my front-end and update it manually everytime somebody will register
I guess none of them are really smart...
The third solution would be nice, but I didn't find a way, how to do it:
3. log in as "apibot", get certificate of userXY and then log in as the userXY
What would you suggest?
Related
Woocommerce provides an API here which in order to use it, you have to provide a consumer key and consumer secret with a relevant authorization schema. What I fail to grasp is that, shouldn't be there an API for unauthorized / guest users ? I mean, I just want to create a display page (frontend) of available products, but without the need of generating CK/CS. Also looking in a similar question here
it seems that you cannot avoid using the keys. But a second question comes up. The frontend is not supposed to use the keys, because then the e-shop becomes exposed to the client. So, even by generating these keys in order to access woocommerce api, how am I supposed to correctly use them ? Please help me understand the flow.
TLDR;
Do NOT use CK/CS in front end. It's only for use in a secure backend. The keys can be used to read/write anything from products to, orders to all customer related information.
Based on you questions, I suspect APIs might not be the best way to do what you're intending to do. If you do need APIs, chances are, you have two backend servers communicating with each other. APIs are usually meant for use by other applications. For example, a lot of Point of Sale systems utilize this WooCommerce API. You might want to look into extending the WooCommerce plugin itself and creating end points to get the information or perform actions you need.
If you are not familiar with secure Authenticated APIs, I would highly suggest you familiarize yourself with them as failure to secure the website can result in huge financial losses to sensitive personal information leakage of the site users since WooCommerce APIs, at the time of this writing, only allows you to set read or write permissions with full access to everything.
With that in mind I will attempt to answer all of your questions one by one and give an idea of how you should use it.
To Answer your questions
What I fail to grasp is that, shouldn't be there an API for
unauthorized / guest users ? I mean, I just want to create a display
page (frontend) of available products, but without the need of
generating CK/CS
I'm guessing your misconception is that you need to use separate keys for each user. API keys are not meant to give access for front-end users. The API keys generated by the WooCommerece plugin gives full read/write access to any user to view/modify any information including that of other customers. Its meant for admins. If you check the official WooCommerce API reference for retrieving a customer you'll notice that you get to provide an id here. And if you check the response it shows everything from addresses to contact information.
The frontend is not supposed to use the keys, because then the e-shop
becomes exposed to the client. So, even by generating these keys in
order to access woocommerce api, how am I supposed to correctly use
them ?
Its quite simple actually. You just need to get between the communication between the front-end users and the WooCommerce API. If the users needs to be provided information from the WooCommerce end point, you need to get it for them using the CK/CS.
This way, you confirm what information is allowed to view/modify by whom, and the user does not need to be authenticated.
WooCommerce Endpoints <---> Your secure backend service/middleware/controller <---> front-end user
One thing to note though, is that you need to be careful about the parameters a front-end user is able to change in the request to your server end-point that is consuming the WooCommerce API key. A customer should not be able to change the id that is requesting their info for example. Id should be retrieved from the backend from the secure authentication information coming from the front-end.
I'm new to react native. I am trying to develop an application that uses firebase user authentication. But there is something I can think of. For example, 2 users have registered to my application but I want to show extra information to the first user according to a condition.
How can I separate these two?
Where exactly should I manage this condition?
The question is not super clear as to what issue you are trying to tackle so I apologize if I am inferring incorrectly.
I use MongoDB personally with a Node/Express backend for user data and haven't used Firebase myself but I'm sure you can do the same things with it. I'll be speaking in Mongo terminology but again I'm sure you can do the same with Firebase and at the least this will give a good idea of the thought process.
I have a UserSchema that holds all the user information. When logged in the client app would get this information to be used on the frontend after authentication.
Assuming you are only displaying "extra" information that doesn't need additional privilege you can just pull in the users data stored in firebase and handle the display of this extra info with logic on your frontend client.
If its extra privilege you need to setup firebase to look at the user data that is authenticating and only serve back information if they have the proper privileges.
Also important to note, you should ensure that when you are updating user information from client -> firebase backend you should ensure that you can only update specific user fields via read/write authentication on firebase.
Hope this gives a little better idea on how this process might look. I'll let someone who has used firebase specifically add tech specifics.
What's the best way to set permissions on objects in Apigee BAAS entities, collections in such a way that Users can edit what they create, and others can read them? There might be a case for Admins to be able to edit everything as well.
I asked a similar question here Securing apigee baas that was more around securing the app id/secret which would be needed to make the call to update permissions, but I was wondering if there is any best practice around doing this sort of thing from a mobile application.
My initial thought would still be the service callout (not sure how Apigee-127 which was mentioned in the previous question would be any different to a service callout directly to the BAAS as to me 127 looks like I'm just writing my apis in Node.js rather than using the edge console), but I don't know if there is an easier way in terms of securing all entities, in specific collections ,created by specific users? I guess I could add a created by column which I could check from an app perspective, but this wouldn't stop someone from potentially hitting the BAAS directly and retrieving this info unless permissions are also set at an entity level requiring a user access token.
Is it possible to secure the BAAS in such a way that only calls from Edge can hit the BAAS url?
(Disclaimer: I have not tried this myself but here is a suggestion.)
API BaaS Automatically sets the path segment to the UUID of the currently authenticated user when $user is used. For example, if you sent a request with a valid access token for a user with UUID bd397ea1-a71c-3249-8a4c-62fd53c78ce7, the path /users/${user} would be interpreted as /users/bd397ea1-a71c-3249-8a4c-62fd53c78ce7, assigning the permission only to that user entity.
In this way, through your application, you can set permission for each user, and each object as soon as the objects are created from your application. Assuming you have the user authenticated, of course.
Ref: http://apigee.com/docs/api-baas/content/using-permissions
I'm working on a chat app with Meteor and I want to be able to ban people. I have Meteor accounts-ui installed but I don't really know where to go from there. Does anybody know how to set up a blacklist of some sort to ban people from my website?
I've found this two packages on atmosphere, maybe they can help you to do what you want.
Roles: Role-based authorization, compatible with Meteor's built-in accounts packages. Includes example app, unit tests and online API docs.
Groups: Simple system for authorization groups.
You can attach arbitrary data to a user object, so you could just set user.banned = false in Accounts.onCreateUser and check Meteor.user().banned server-side when someone sends a message. The hard part would be building an admin UI to ban a specific user; there isn't baked-in support yet for administrative backends, so you'd probably have to hardcode your own email address as an administrator and only show the admin UI if the current user has that email.
I Love BitBucket.org
But is there a way to configure BitBucket to accept email and automatically put them into my 'New' Issue list in the issue tracker?
BitBucket sends out email notifications, but I want something the other way around. I don't want to have to go in and create an issue manually each time someone emails me about a problem. I want to forward those emails to Bitbucket so problems to go directly into the issue tracker via E-Mail.
And: Similarly, can you configure Bitbucket so that it listens for code check-ins and it auto-magically set issues to complete/fixed etc.?
Is there a way?
I don't think there is a way to submit issues via email and now that Atlassian has bought Bitbucket I doubt that they will spend much time improving or enhancing the issue tracking inside Bitbucket as their main product (JIRA) is an very comprehensive issue tracker.
I would sooner expect some sort of integration of the two and a phase out of the current issue tracker. But then we will probably have to pay :-(
Re adding emails:
I want to forward those emails to Bitbucket so problems to go directly into the issue tracker via E-Mail.
Yes you can do this - you need to have an endpoint that receives emails, so for example sendgrid allows this (see Sendgrid webhooks docs), and will call a webhook on your server whenever an email comes in. You then need a bit of glue code on the server to post that issue to bitbucket via the bitbucket API (see the bitbucket api docs). So there are two parts to doing this, and you will need to write some code I think.
I'm currently working on a tool to do just this at Project Page. If anyone would like to try it out let me know. I'm also planning to let it interrogate the user to get a bit more detail about things like priority and urls associated with the problem.
Re the second part of your question:
Similarly, can you configure Bitbucket so that it listens for code check-ins and it auto-magically set issues to complete/fixed etc.?
Yes you can close issues automatically - just use the text fixes #n, so for example:
fixes #123
in the commit message, where 123 is the number of the issue you want to close.
There is a API to create issue http://confluence.atlassian.com/display/BBDEV/Issues.
And a custom script which may or could be able to fetch email and post to issue tracker.
Yes, it's possible. Bitbucket has a robust REST API that lets you do it at least two ways:
Option 1: 3rd Party Service
Use an online API automation service like
Zapier or
Integromat
(Click those links for specific email/Bitbucket integration examples.)
You have a couple of options with this approach. With Zapier, for example, you can have a dedicated Issue-only Gmail address, and any email sent to it creates a new Issues ticket. OR you can automatically create Issues just by assigning a specific label to an email in an existing Gmail account.
Oddly, IFTTT doesn't currently offer Bitbucket integration.
Option 2: Write Your Own Server Script
If you have server access, you can configure your Message Transfer Agent to send certain emails to a PHP script that will create a Bitbucket Issue.
The script will need to use the Bitbucket API repositories > {username} > {repo_slug} > issues > POST method.
A great how-to article for this approach is Process Incoming Mail with PHP Script with Exim.