I'm looking for APIs to fetch user info given a username.
I'm interested in Java API, serverside template/script root object, webscripts services, or even Share API.
Java API: PersonService
JavaScript & Temmplate (Repo-layer): person-Root Object (current user) or people.getPerson(username)
REST API (org\alfresco\repository\person\person.get.desc.xml) : GET /api/people/{userName}
For JavaScript APIs you can refer this
Person APIs
For All webscripts related to users you can check this link
Get User Webscripts
You can use any of this as per your requirements.
Related
I am trying to figure out how OAuth2.0 (or something else entirely) can be used to handle a situation where a user who is calling a backend api, can only retrieve data relevant to that user.
For example:
Lets say I have a bank application, and the customer account information is located at "bank.com/account/{customerId}". How do I restrict access to this, so that other customers cannot see each-others bank account information? As anyone with an access token could get anyone's account info and Roles can't solve this.
I have come up with a potential solution to this problem using Firebase JWTs which is to access the header of the incoming request and compare the User ID in the body of the token to that of the data being accessed.
My gut tells me I am missing the bigger picture, as this problem must be a common phenomena, and I could not find the answer elsewhere.
My Environment is a Spring Boot backend utilizing the Oauth2.0 resource server pointing to the firebase project. Backend is connected to a Postgres database. Frontend is an Angular Application.
To ensure users can access only their own resources, you must write it in your Spring Boot application. OAuth2 only provides you an access token which you can use to find out who is calling you and what scopes he has granted.
But the security logic is up to you to implement. If you have a userId in URLs, you should check that it matches the userId from access token. If user data is stored in a database, you will probably need to add conditions to your SQL queries such as WHERE user_id = :userId.
You can also use scopes from an access token to grant only partial access to user's resources. It's useful if another application can access user's resources on his behalf. Such as reading person's name and email when logging in somewhere using Google/Facebook/Github.
I created a user with username:aggr1. When I log in to the dev portal with aggr1 credentials, I can access all of the published APIs. How can I force this particular user to only see two or three APIS in Dev Portal?
Thanks
You can maange access to APIs through roles.
When creating an API, on the first page you have a dropbox "Access" (or "Visibility" orsomething like that) with default value All.
You can list roles, which are required to see the Api in the dev portal. And then assign (or not) the roles to the user.
By default APIs are set to public and any user who logs into the devportal can see the APIs. You can set role-based visibility or based on domain. Please refer the documentation - https://apim.docs.wso2.com/en/latest/learn/design-api/advanced-topics/control-api-visibility-and-subscription-availability-in-developer-portal/#control-api-visibility-in-the-developer-portal
I'm writing a chrome extension for quick search notes in fuzzy match model. So I need to cache all notes' metadata(title, url, createdTime,etc) in local storage.
According to evernote offical doc, there are two ways to authenticate to the Evernote API, developer tokens and OAuth.
But right now,
1. developer token has been deprecated.(if you go to the application URL you will get Update: the creation of developer tokens is temporarily disabled.
2. OAuth can only access one specific notebook(depend on user authentication)
So my question is : is there any way can work around to get all notes' metadata?
OAuth can only access one specific notebook(depend on user authentication)
This is not the case. By default, Evernote API keys are scoped to the account level; so you'll have access to all notebooks in the account of the user who authenticates using your OAuth process.
Evernote does also have an optional type of API key available, called an App Notebook key, that can be requested. But you have to specifically request that type of key when you request your API key; otherwise it'll be a full account access key.
I would like to download the call logs of all my account's users. As I only have one user in my sandbox account, I cannot test it yet.
In production mode, if I call /account/~/extension/~/call-log while logged in as the admin of my account, would I get the full list directly?
Alternatively, I have read in a post that I could achieve what I want by calling /account/~/extension and then the url above for each extensions, but I wanted to know if there was a more straightforward way of doing it.
Have a great day!
There are two APIs to retrieve call logs for all users:
account-level call log to retrieve all users at once
extension-level call log for each user of interest
Account Call Log API
/account/~/call-log
The account call-log API can be used to retrieve call logs for all users in one API call. Access to this account-level API requires Super Admin privileges. This API is currently in beta and available by creating a support case from the developer portal or emailing RingCentral dev support at devsupport#ringcentral.com .
Extension Call Log API
/account/~/extension/~/call-log
If you were to extension call-log endpoint in an account with multiple users, you would only receive the CDRs for your authorized extension. To retrieve call logs for all users using the extension call-log API, you would need to retrieve all the extensionIds from the /account/~/extension endpoint and then call each user's extension endpoint using /account/~/extension/{extensionId}/call-log. This approach also lets you limit who you want to retrieve records for.
I have built a web application that uses a service account linked to my own Google Account. We use Google Apps, so my Google Account is part of a domain. We have a server with shared contacts, so all of our clients are available as contacts for everyone. In my contacts, this group is called 'directory'.
The application retrieves events from the Google Calendar using the Google Api PHP client. It also retrieves attendees inlcuding all details for those attendees. But if the attendee is not within our domain, it will only retrieve the e-mail address. I also want to get the name for that attendee.
These names are in my contacts in the directory group. When I create an event and invite guests, I can retrieve these contacts and it will show the name and mail adress. But when retrieving the attendees via the API it does not show these names.
Is this a restriction of the API? Is there a solution for this?
I do not want to use the Contacts api with a non-service account, because I don't want to give permission everytime. It is not possible to use the Contacts api with a service account as far as I know.
You are correct that a service account won't work with the Contacts API, however you don't have to authorize it every time you use it. You can provide domain-wide delegation with two-legged OAuth 1.0a instead of 2.0. See https://developers.google.com/google-apps/contacts/v3/index#authorizing_requests_to_the_+wzxhzdk8+_service and https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth.
Depending on your setup, you can also use the three-legged OAuth 2.0 flow for a single administrator account and save the refresh token. This would let you re-use that authorization without requiring explicit permission again.