I'm trying to allow Anonymous users to search for Plone members. I got it to work by setting the Anonymous role to have the "Manage Users" permission, which is not appropriate, of course. Is there a more specific permission for this? "List portal members" didn't work. I need to allow anonymous search because our intranet users generally don't authenticate. Our Plone members come from LDAP with custom fields (telephone, location, register). This was done with plone.app.ldap. I'm using Plone-4.0 and PlonePAS-4.0.1-py2.6.
This is what triggers some exception and opens the login_form for the anonymous users:
member_search_results.pt
<metal:main fill-slot="main"
    tal:define="search_view here/@@pas_search;
                listing_allowed python: checkPermission('List portal members', here);
                results python: listing_allowed and search_view.searchUsersByRequest(request, sort_by='fullname') or [];
If I set listing_allowed to False, the template is rendered normally, informing the user that it couldn't do the search because it has no permission. But if listing_allowed is True, it goes to searchUsersByRequest, which returns the login_form.
I already looked at the PlonePAS configure.zcml to see the permissions, but there's nothing wrong there either. I tried changing the permission to zope2.Public and zope.Public, but with no success:
<browser:page
    for="*"
    name="pas_search"
    class=".search.PASSearchView"
    permission="zope2.View"
    allowed_interface="Products.PlonePAS.interfaces.browser.IPASSearchView"
    />
Any help is appreciated.
Thanks!
You will probably be better off using https://pypi.python.org/pypi/Products.remember/1.9.2 as it makes all members content objects, which should be searchable.
Otherwise, you might have to implement your own view that does the search and bypasses security considerations on poking around about users.
I am new to this LinkedIn API. I have made a small example which is working when I use the keyword search with the following URL:
https://api.linkedin.com/v1/company-search:(companies:(id,name,universal-name,website-url,industries,status,logo-url,blog-rss-url,twitter-id,employee-count-range,specialties,locations,description,stock-exchange,founded-year,end-year,num-followers))?keywords={IBM}&oauth2_access_token=<access Token>
But when I search for company info using the email-domain search, it gives me a 403 error:
<error>
  <status>403</status>
  <timestamp>1432820120642</timestamp>
  <request-id>XLWN5Y7T7R</request-id>
  <error-code>0</error-code>
  <message>Member 385883298 does not have permission to get company 66028</message>
</error>
I am using the following URL for this:
https://api.linkedin.com/v1/company-search:(companies:(id,name,universal-name,website-url,industries,status,logo-url,blog-rss-url,twitter-id,employee-count-range,specialties,locations,description,stock-exchange,founded-year,end-year,num-followers))?email-domain=ibm.com&oauth2_access_token=<access Token>
So, since you have posted an answer related to this problem, I guess you are saying that I have to be the administrator of the company page I am searching for, e.g. email-domain=ibm.com in my URL above. If I am wrong or not getting things, please guide me.
Thanks
As part of the recent changes to the LinkedIn API - you are required to be the administrator of the company you are making API calls on behalf of. As a result, the company search calls are no longer openly available.
You can make a call to check whether the authenticated user is an Administrator of a given company like this:
https://api.linkedin.com/v1/companies/{Insert CompanyID here}/relation-to-viewer/is-company-share-enabled?format=json
This will return a boolean value. If true, you're good to go. If false, you'll need to get an existing company admin to grant the user company administrator status using the tools available on www.linkedin.com
Could you please advise me how to check user status upon login?
I have added a new field named user_flag in the wp_users table to control user status. user_flag has a value of active or deactivate.
I want to check this field's value when the user logs in.
If the value is active, then the user can proceed to log in,
but if the value is deactivate, then the user cannot log in, and a message is displayed to notify the user that his account is deactivated and he needs to contact the admin to re-activate the account before he can log in.
I looked at the wp-login.php file but had no idea where to write the code to check the above logic. Could you please advise me where to check user_flag at login time?
Thank you so much.
Stop trying to modify core code and learn to use the pluggable architecture. Also stop modifying the core database tables. You can store additional fields for users in the usermeta table with add_user_meta and retrieve them with get_user_meta. If you start modifying core code and database tables, you will never be able to upgrade WordPress.
To answer your question, use something like the following in functions.php:
add_filter('wp_authenticate_user', function ($user, $password) {
    // An earlier filter may already have turned $user into a WP_Error; pass it through.
    if (is_wp_error($user)) {
        return $user;
    }
    if (get_user_meta($user->ID, 'user_flag', true) === 'active') {
        return $user;
    }
    // First argument is the error code, second is the message shown on the login form.
    return new WP_Error('account_not_active', 'Your account is not active. Please contact the administrator to re-activate it.');
}, 10, 2);
See https://codex.wordpress.org/Plugin_API/Filter_Reference/wp_authenticate_user
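The filter above only runs at the moment of a fresh login, so a user who is already signed in keeps a working session after the flag is flipped. The following added example (not code from the original thread or from WordPress) shows the deactivation side as well: it stores the flag in usermeta, destroys the user's existing sessions when the account is deactivated, and additionally refuses an authenticated session whose flag was changed behind WordPress's back. The function names prefixed `example_`, the meta key `user_flag`, and the convention that a missing key means "active" are assumptions.

```php
<?php
/**
 * Added example: account deactivation as a small plugin, built on usermeta
 * rather than an extra column in wp_users.
 * Assumptions (not from the original post): meta key 'user_flag' holds
 * 'active' or 'deactivate'; a missing key is treated as active.
 */

// Returns true unless the user has been explicitly deactivated.
function example_user_is_active( $user_id ) {
    return get_user_meta( $user_id, 'user_flag', true ) !== 'deactivate';
}

// Mark the user deactivated and log out every browser currently signed in as
// them. wp_authenticate_user only runs on a fresh login, so without this an
// already-open session would keep working until its cookie expired.
function example_deactivate_user( $user_id ) {
    update_user_meta( $user_id, 'user_flag', 'deactivate' );
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
}

function example_reactivate_user( $user_id ) {
    update_user_meta( $user_id, 'user_flag', 'active' );
}

// Refuse the login after the password has been verified but before any auth
// cookie is issued. Returning WP_Error makes wp-login.php show the message.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // keep errors raised by earlier filters
    }
    if ( example_user_is_active( $user->ID ) ) {
        return $user;
    }
    return new WP_Error(
        'account_deactivated',
        'Your account has been deactivated. Please contact the site administrator to re-activate it.'
    );
}, 10, 2 );

// Belt and braces: if a session somehow survives (for example the flag was
// set directly in the database instead of via example_deactivate_user),
// treat the request as anonymous. Runs late so normal cookie validation
// has already produced the user ID.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( $user_id && ! example_user_is_active( $user_id ) ) {
        return 0;
    }
    return $user_id;
}, 99 );
```

Call `example_deactivate_user( $id )` from whatever admin action you wire up (a user-list row action, a profile checkbox, a WP-CLI command); the point is that deactivation and session revocation happen together, so the flag cannot be bypassed by a session that predates it.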
I have only recently been looking into ACS, AAL and WAAD, and I would like to avoid redirecting users to the login page of their IdP. I want to keep my users within my site and present them with a dropdown to choose who they wish to authenticate with, and an area to request a username and password, then acquire the token via code. Is this possible?
I have been reviewing some sample applications and produced a quick mock-up, but can't seem to get things working, e.g.:
_authContext = new AuthenticationContext("https://littledeadbunny.accesscontrol.windows.net");
// Domain part of the entered e-mail address (everything after the '@').
string enteredEmailDomain = UserNameTextbox.Text.Substring(UserNameTextbox.Text.IndexOf('@') + 1);
IList<IdentityProviderDescriptor> idpdList = _authContext.GetProviders("http://littledeadbunny.com/NonInteractive");
foreach (IdentityProviderDescriptor idpd in idpdList)
{
    if (String.Compare(ServiceRealmDropDownList.SelectedValue, idpd.Name, StringComparison.OrdinalIgnoreCase) == 0)
    {
        Credential credential;
        credential = new UsernamePasswordCredential(enteredEmailDomain, UserNameTextbox.Text, PasswordTextbox.Text);
        _assertionCredential = _authContext.AcquireToken("http://littledeadbunny.com/NonInteractive", idpd, credential);
        return;
    }
}
Using the code above, when I try to use the Windows Azure Active Directory user (admin), I get the error "Data at the root level is invalid. Line 1, position 1." where I attempt to AcquireToken.
When I use Google, I get an error "0x8010000C: No identity provider matches the requested protocol".
Is there a working sample? If I am doing something obviously wrong, I would appreciate the correction.
This is not supported for passive identity providers. IdPs like Google, Facebook, etc. don't want other people collecting credentials for them, as this leads to security issues and possible phishing attacks. They also don't support it because they need to be able to show a permission dialog (that screen that asks the user if they want to release data to you) which they can't do without the browser redirecting to them. Furthermore, Google in particular supports two-factor auth, which you couldn't replicate, and generally collecting credentials opens up whole cans of worms around other UI problems such as incorrect or forgotten passwords.
This is also generally a bad user experience, because your users are fairly likely to already be logged in to Google and have cookies there. If so, and if they've already consented to your app, they would just be silently redirected back to you. In your scenario, even if the user is already logged in they'd still have to provide a username/password.
The correct way to do these sorts of logins is to render a browser control in your app that allows the user to log in at their IdP, which is what AAL helps with.
I had the same error; executing a PowerShell script solved it:
PS C:\windows\system32> $replyUrl = New-MsolServicePrincipalAddresses -Address https://mydomain.accesscontrol.windows.net/
PS C:\windows\system32> New-MsolServicePrincipal -ServicePrincipalNames @("https://mydomain.accesscontrol.windows.net/") -DisplayName "MyDomain Namespace" -Addresses $replyUrl
But I'm still stuck with a 403 permission error.
If you get any further I would like to know how :)
I'd like to limit a view in the Plone site root for logged in members only.
Which permission I should check?
For clarification, I'd like to use this permission in a Zope 3 view config and have something which works by default. I don't want to create and assign a permission to Authenticated myself if I can avoid it.
There is no "authenticated" permission; all permissions are for specific actions only, and if an authenticated user needs to be able to execute that action then you should assign the corresponding permission to the 'Authenticated' role.
To get a quick list of (Zope2 string-based) permissions for the 'Authenticated' role, use the following ZMI view:
http://localhost:8080/Plone/manage_roleForm?role_to_manage=Authenticated
where I assume you run your site on port 8080 and you named the Plone object Plone. It shows all permissions in a multi-select list with those currently assigned activated.
On a default site, this list is pretty meagre: only Set own password, Set own properties and Use external editor are assigned. For the first two, Zope3 equivalents are defined in Products.CMFCore; they are cmf.SetOwnPassword and cmf.SetOwnProperties. The third one doesn't have a Zope3 equivalent at the moment, but it would be easy to define; just add this to a ZCML file somewhere:
<permission
    id="plone.UseExternalEditor"
    title="Use external editor"
    />
Zope3 permissions are simply aliases for their Zope2 counterparts using valid python ids.
I really do not know what you want to do with your view, but your best bet is to either find an appropriate permission and assign it to the 'Authenticated' role, or create a new permission.
The latter is really easy, actually.
Say I want to create an 'Access foo bar' permission; I'd simply register it directly with a Zope3 identifier in a ZCML file:
<permission
    id="foobar.AccessFooBar"
    title="Access foo bar"
    />
That's all there is to it; the "Access foo bar" permission will now be visible in the ZMI.
If you want to give this permission to specific roles by default, list them as contained elements:
<permission
    id="foobar.AccessFooBar"
    title="Access foo bar">
  <role name="Authenticated" />
</permission>
This only works for 'global' roles (defined at the Zope root), such as 'Manager', 'Anonymous' and 'Authenticated'.
Optionally, list it in a GenericSetup profile using the rolemap.xml file to assign this new permission to the Authenticated role:
<?xml version="1.0"?>
<rolemap>
  <permissions>
    <permission name="Access foo bar" acquire="False">
      <role name="Authenticated"/>
    </permission>
  </permissions>
</rolemap>
You'll need to use the latter only if you want to assign the permission to roles defined at the Plone level, such as 'Site Administrator' or 'Editor'.
In a stock Plone site, authenticated (but not anonymous) users may change their own password. You can use that permission. It is called:
cmf.SetOwnPassword
Currently, if a user is not logged in, they are redirected to the "login page" when checking out in Ubercart. I need them to be redirected to the "registration" page instead.
In other words:
Go here: user/register
NOT here: user
The key here is to get it to work with Ubercart. I know you can use LoginToboggan and other tricks to do it normally, but I can't get it to work with Ubercart.
UPDATE
I still don't have a decent solution, so I added a bounty for this. Currently, if you have "anonymous checkout" disabled, Ubercart automatically adds these messages:
You must login before you can proceed to checkout.
If you do not have an account yet, you should register now.
This is also a problem in that it doesn't make sense to show them if you go to the user page. So even my hard hack of forwarding the user to "user/register?destination=cart/checkout" whenever it encounters "user?destination=cart/checkout" and the user is not logged in does not work that well.
Any ideas?
UPDATE 2
This is where the magic happens, line 94 of uc_cart.pages.inc:
// Send anonymous users to login page when anonymous checkout is disabled.
if (!$user->uid && !variable_get('uc_checkout_anonymous', TRUE)) {
  drupal_set_message(t('You must login before you can proceed to checkout.'));
  if (variable_get('user_register', 1) != 0) {
    drupal_set_message(t('If you do not have an account yet, you should <a href="!url">register now</a>.', array('!url' => url('user/register', array('query' => drupal_get_destination())))));
  }
  drupal_goto('user', array('query' => drupal_get_destination()));
}
So basically I need a way to override that behaviour (i.e. without hacking core)?
You should look into the Rules and Token modules. You will create a rule, when a user logs in, to redirect to the TOKEN. Make sure you enable the Token actions module as well.
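A way to override the redirect shown in UPDATE 2 from a custom module, without touching Ubercart or core, as an added example that is not part of the original thread or of Ubercart. It assumes Drupal 7 (the drupal_goto() call with an options array in the quoted code is the D7 signature) and a module named uc_register_redirect; the module name and the message text are assumptions. Ubercart's redirect lands the browser on "user?destination=cart/checkout", so the module watches for exactly that request in hook_init() and sends the visitor on to the registration form with the same destination.

```php
<?php
/**
 * Added example (not from the original thread or from Ubercart): a tiny
 * Drupal 7 module, "uc_register_redirect", that intercepts the request
 * Ubercart's uc_cart_checkout() redirects to and sends anonymous shoppers to
 * the registration form instead of the login form.
 */

/**
 * Implements hook_init().
 */
function uc_register_redirect_init() {
  global $user;

  // Only act on the request Ubercart produces: an anonymous visitor landing
  // on 'user' with ?destination=cart/checkout.
  if ($user->uid || $_GET['q'] !== 'user') {
    return;
  }
  $destination = isset($_GET['destination']) ? $_GET['destination'] : '';
  if ($destination !== 'cart/checkout') {
    return;
  }

  // Same test Ubercart makes before suggesting registration: if visitors
  // cannot self-register, the login form is the right place after all.
  if (variable_get('user_register', 1) == 0) {
    return;
  }

  // Drop Ubercart's "You must login..." / "register now" status messages,
  // which make no sense on the registration form, and replace them with one
  // of our own. drupal_get_messages() returns and clears the queue.
  drupal_get_messages('status');
  drupal_set_message(t('Please create an account to proceed to checkout.'));

  // drupal_goto() silently redirects to $_GET['destination'] whenever it is
  // set, which would send the visitor straight back to cart/checkout (and
  // from there back here, in a loop). Remove it and pass the destination
  // explicitly instead.
  unset($_GET['destination']);
  drupal_goto('user/register', array('query' => array('destination' => $destination)));
}
```

Two caveats worth knowing before relying on this: hook_init() runs after a full bootstrap, so the check sees the Ubercart session, but it does not run for pages served from the anonymous page cache (a visitor with a cart normally has a session cookie, which bypasses that cache). And the destination only produces a smooth flow when registration logs the new user in straight away; with "Require e-mail verification" or administrator approval enabled, the new account is not logged in after submitting the form, so the redirect to cart/checkout bounces the visitor back to the login form.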