Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
The full rule is the following:
Apps that display user generated content must include a method for
filtering objectionable material, a mechanism for users to flag
offensive content, and the ability to block abusive users from the service
My app does feature user generated content. I have a feature that enables users to flag a post if they find it objectionable. I receive notifications in the database when this happens, and I personally judge if the content should be deleted or not. However, there is no feature that enables a user to block another user directly. There is no "following" or "friend requests" in my app, it is more like a communal forum where you read others content and can post your own content, but don't directly follow others.
my method of blocking others from the service is deleting user accounts and their associated posts from the database. Is what I have enough? I find the wording kind of ambiguous in the guidelines.
The accepted answer is no longer true. I just had an app rejected because there is no mechanism for users to block other users. We already have a user-driven content flagging system, and demonstrated that there was a process in place for reviewing and removing objectionable content and blocking abusive users from the service altogether, but Apple said:
In addition to the reporting mechanism, it would be appropriate to implement a separate blocking mechanism that allows a user to block abusive users.
…where “it would be appropriate to” apparently means “your app is rejected until you.”
We indicated that our staff block users from the whole service if they post abusive content, but Apple says that this is not sufficient; users must now be able to directly block each other.
This is section 1.2 of the updated review guidelines.
You'll be okay. Our team created an app which allowed users to post video content in a communal context. We were required to implement a flagging system (which it sounds like you have), and show that we had a process in place to deal with the flagged content. Once we did that, we were approved.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I'm new to iOS and have just started leaning it. I want to develop a small app for bus passengers where-in all users in the bus must login using the app.
If user is using the app for 1st time, he must sign up . User must enter all details like Name,Age,Emergency Contact,Address,Source,Destination,Phone number etc.
If user already exist, then login with existing user name and password.
All details must be stored somewhere (not sure) and retrievable format.
Here comes all my question and doubts based on above app requirements :
do i need to follow client-server architecture ?(mobile app being client )
where all user details will be stored ( on mobile or server )
when user tries to login, how check if user already exists or not ?
if any communication protocol to be used for mobile app communication then which will be good considering the performance of app should be fast.
mobiles internet data should be available ?
which database to use to store user details ?
considering all above things i need to design my app.
thanks
I will try to give some points to start from.
1) I think yes (its really depends what you want to achive but if you only want to get/pos resources to/from server, http request should be enough to start from).
2,6) Depends which details.
For simple details which no need in protection NSUserDefaults Sqlite or Core data can fit. (also there are some nice wrappers for them for instance TMcache, you will need to investigate it).
If you need to save private details you will probably need to use keychain.(honestly I would avoid saving important details on the device everything can be hacked so try to limit it).
3) One of the common ways which come to my mind is to check in run time if the user already logged in is by saving login status in NSUserdeFaults and check it in - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions. If you need to check Existence of user in your system than probably some server help will be need.
4) Please refer to apple Docummentation NSURLSession should fit.Also AFNetworking is really good library.
Edit:
5) Usually IOS will use Current Internet Connection which is available and more efficient for the system it will start with WIFI then CellularData (Check Reachability for testing availability of internet connection its also included in AFNetworking library) .
-All those questions/answers can be found on stack.Hope I helped.
List of common IOS frameworks
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I am fairly new to MVC and am interested in keeping my MVC app secure. One of my concern areas, for example, is an Approve page that is available to uses to approve items that are up for review. The issue is that certain users can only approve certain items. When approving the app posts the ID of the item being approved to an ApproveItem ActionResult in the controller. The issue is that in theory (e.g. with FireBug) someone might post random IDs to this ApproveItem controller (including items that they might not be allowed to approve). Instead of trying to catch every issue like this in filtering, why not just use a GUID as the ID? Then I am almost 100% certain that the user is only approving an item that they are allowed to approve.
What do you guys use for security in regard to situations like this? It seems to me that a GUID would be the simplest. What do you think?
Your question (or at least the tile) doesn't really make sense. You can use Guids for Globally Unique Identifers within a security system, but you shouldn't use them AS the security system.
#ePezhman alludes to a potential Insecure Direct Object Reference vulnerability but this isn't an issue if you are correctly validating your users` actions.
What you're suggesting is Security through obscurity. Your app isn't actually secure, it's just really hard to guess some naughty input. What you should be doing is what you're trying to avoid and validate that the current user has the required permissions to perform the action on the entity. That is, is the user allowed to approve the item? and if they aren't you should display an error message or take other appropriate action (logging the attempt, notifying an administrator etc?).
GUID will be very simplest way to achieve this.
Otherwise you can go for "person -roles " level security to approve your items.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
Improve this question
Background:
I'm creating an e-commerce controller that has subscription plans to sign-up for.
Step 1: A user picks a plan.
Step 2: Then enters in their credit card info.
Those actions reside in one controller, and that controller will also have actions such as
edit credit card info
changing their subscription plan
canceling a plan, etc.
Problem Statement:
I want to redirect all of the actions in the controller except picking a plan if the user hasn't picked a plan yet.
Example:
In the UI the user will see links for their billing information and subscription settings, but if they click on those links and they don't have a plan picked yet they get redirected to the action/page to pick a plan.
Question
Is a filter the best place to handle that scenario, and if so how would it be coded?
Is there a better way other than using filters?
What I don't want is to put at the beginning of each action an if statement that checks if the user has a plan, and if they don't redirect them to the pick-a-plan page. Seems like there would be a better way.
I think that in this case a Filter can do the work pretty easilly.
A filter similar to the following one should do the trick:
class MyFilter{
exceptPlan(controller:'myController',action:'pickPlan', invert:true){
before = {
if (!session.plan){
redirect action:'pickPlan'
return false
}
}
}
}
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
So I have this web app that in theory may one day become a for-pay application - if anyone actually finds it useful and worth it.
I have all the logic to handle payment, check to see if the account is overdue etc. in place. It is all stored in RavenDB (RavenHQ actually) - not that this should matter to the question at hand.
Now, I am trying to follow best practices, and I want my application to be performant, i.e. not micro-optimizing, but I want to do things in a way that will scale relatively well with load (if it takes off it will be hosted - I would love to not have to pay for more servers than is strictly necessary).
My app uses something close to the default login/account model. Users log in securely using forms authentication over https.
At what point should I check that a user is actually allowed (with regards to payment status etc - a domain model concern really) to be using the web application? Consider that this will mean requesting a single document from the RavenDB backend and checking if the current payment period has expired.
Should I:
Check every time the user logs in, and make them unable to "Remember me" for more than x hours, where x is a relatively small number?
Check in a few central controller actions that the user would visit relatively often - the application would essentially be severely restricted if these actions were not available.
Do a global action filter that checks for every request, then redirects to the "Pay nooooow!" page as soon as stuff expires?
Another option?
RavenDB does clever caching, so I don't think a request for this document would kill performance, but should the application really take off (unlikely, but one can dream), an extra database request per http request will probably lead to Ayende hunting me down and mercilessly beating me. I don't want that.
It seems to me like this is something that others would have thought about and solved, so I am asking - what would be the right way to handle this?
Thanks for any insights!
I don't think this is a framework issue strictly, it's more like how you want your site to behave and then use framework to support it. Generally speaking you want to make the site usable and not too restrictive unless when that's necessary, e.g. surfing the site with no restriction whatsoever, but checking out should be done very securely.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I'm working on an ruby on rails app that has a special billing method.
I'm creating a store where users can reserve products but will not get charged for these products until a certain amount has been reached. This amount cannot be quantified by time so I'm wondering if this is a recurring payment. However, accounts will have to provide a payment method in order to reserve these products and it is cumbersome to have them give their information every time. What's more is that I need their information so I know they want the product but I won't charge it right away.
What to do?
First you want to capture card details up front, but not make any charge.
That can be done with most payment service providers (PSPs). Usually you will redirect from your site to a site hosted by the PSP which captures the card details. Once the user leaves that page they will redirect back to your site, and you will receive a payment Token, which is essentially a GUID which can be used in future transactions instead of a card number.
Each time you want to take payment from that card you can submit your Token Id and payment value to the PSP for authorisation and settlement. Bear in mind that its entirely possible that the authorization could fail or be declined.
This is technically known as a recurring payment in that there are potential complications which your PSP should handle for you, such as credit cards expiring, or being replaced. Decent PSPs will make use of the Visa Account Updater service, or the equivalent Mastercard Automated Billing Updater to ensure that behind the scenes the card number is automatically updated. Worth checking that your chosen PSP provides this capability.
I recommend outsourcing this to a company that handles payments, I advise against PayPal because of charges. You will end up getting into a lot of trouble if you are writing everything from the ground up.
Beyond that I am assuming this is a real world scenario. In that case I wouldn't consider it a recurring payment, on account of it is a once and done payment. Forgot to add, store their information with a 3rd party vendor or get really good at knowing the rules of what you can and cannot store online.