For administrative purpose, especially the deprovisioning process, it'll be useful to know if a user has shared any of his resources (Docs, files etc.) with other users.
Any tips or code that could solve this task?.
You can check what permissions are given to users toward a file by using this drive.permissions.list request:
GET https://www.googleapis.com/drive/v2/files/{fileId}/permissions
The response gives you information about what users are authorized to interact with the file, including user's id, name, role, type ... that you can choose to store in your database.
You can test this by using Google API Explorer
Related
I am using the Survey Monkey api to get the url's of surveys I have created which allows me to display surveys from within my application. To do this I have to send my key and authorization with the request.
What concerns me is that Survey Monkey has an api 'create_flow' that allows surveys to be created. Using fiddler I can see my requests including the key and authorization token. As far as I can see, this means that anyone could use this information to access the api and create a new survey on my account, which I do not want.
Is there any way to stop someone from creating new surveys using the API and the auth token? I'm not really bothered about people getting access to the survey details or Uri's as all they can do is post junk survey results that only I will see, but I absolutely don't want anyone else to be able to create a survey that will be presented to all my users with potential malicious text.
It is not possible to make an account read-only.
So if I'm understanding correctly, you're shipping an application which contains your api_key and access token?
This is very much not recommended - the access token is equivalent to your account password, it gives full access to your account.
If you want a way to dynamically list your surveys, the best way to do it is create a proxy web app / API you host yourself. When someone hits that address, it uses the access token / api key you've stored on your box and grabs the list of surveys and then returns it to your app. This is the only safe way to do this.
I am trying to use the Desire2Learn REST API to return semesters, but I'm getting a 403 Not Authorized error.
The request I am making is:
GET /d2l/api/lp/1.1/outypes/semester
I am making this call while authenticated to the system as a student user.
This is a test environment, so I have full control of the student user's permission, but I haven't found which permission setting controls access to the semester org unit. Is it possible for someone with lower level permissions to make this call?
What permission would this user need to be able to make this call?
Thanks!
Student-type user roles are not typically given permission to make calls like this one.
The particular permission at play here is likely Org Unit Type Editor > Can Create and Edit Org Unit Types at the root organization level (you'll notice that the same behaviour is at play around the API call to retrieve the entire catalog of known org-unit types); however, you almost certainly do not want to grant this role permission to a student role: the role permissions for this tool bind together the ability to create and edit org unit types with the ability to see their definitions.
There's a subset of users which will not have access to the system I'm implementing in the beginning but I need a mechanism for them to capture data for one specific part of the process.
An authorized user creates the original record for a Person with some basic details i.e. First name, last name etc.
I then create a 'DataRequest' record which has a unique guid and the external user is sent an email with a path which is effectively http://sampleapplication/Person/Complete?guid=xxxx
The external user adds additional details like Date of Birth, Eye colour etc, submits and saves to the DB. The DataRequest for that guid is then expired and cannot be accessed again.
The Complete action doesn't have any authorization as these external users do not have user accounts.
My preference is to force these users to use the system but at this stage I'm not sure it's practical.
Is this a bad practice?
Should I be implementing some additional security on this like a one time password / passcode contained in the email? Are there alternative approaches I should consider?
There's nothing wrong with opening up a section of your site to the public. Tons of websites have secured and unsecured sections. However, there's also nothing saying that you have to expose your secure site at all. You can create another site that merely has access to that change those records and make that site alone, public.
As far as securing the information of the user, passcodes by email are the invention of some developer somewhere with limited mental ability or a severe lack of sleep. If the link is only available by email (not discoverable by search engines and not easily guessable), then anyone with the link will also have the passcode, making the passcode to access the link redundant.
You should however log when the email is used to finish the record and then disallow further uses.
I have a cics application and i don't want to develop an login screen, instead i want to restrict the access by fetching the user id and then to verify if they are allowed to run my application. Is this possible? Thank you
There are probably better ways of restricting access to certain transactions within a CICS environment than by grabbing the USER ID and comparing to a list. Most shops have developed standard techniques for restricting access to transactions within CICS. However, if you must find the User Id, try something like this:
EXEC CICS ASSIGN
USERID(WS-USERID)
END-EXEC.
where WS-USERID is a working storage PIC X(8) field.
This is a link to the documentation for CICS ASSIGN.
EDIT
How to check against multiple user ids? You need a list of authorized users to compare the current user id against. If the
user id is in the list, the user is authorized to use the transaction. Typically you have a couple options for managing such a list:
SELECT against a database table containing authorized user ids. Use the current user id as the predicate (eg. WHERE USER_ID = :WS-USERID). If you get a row back, the user is authorized.
SEARCH/SEARCH ALL a WORKING-STORAGE table populated with authorized user ids for a match. If you get a match, the user is authorized.
The WORKING-STORAGE table solution is the least flexible since the program may need to be updated and re-compiled each time a new user is added or removed.
However, as pointed out by myself and cschneid, access security is best handled outside of applicaion programs
using something like RACF or ACF2. Your local systems
administration should be able to help you get this set up.
CICS can talk to an external security manager, such as RACF, CA-ACF2, or CA-Top Secret. Applications are often secured at a transaction level by having the correct rules or profiles in place in the external security manager.
This way, security actions are performed external to the application logic. Access is granted by security personnel and not by an application developer.
To follow on to your comment to NealB's answer regarding multiple users: Your security administrators can add all of the userids in question to a group, and then define access permissions to that group for your transaction.
You really should let your security administration handle transaction access. Good system design puts security management outside of the application.
With CICS TS V4.2 and above with the Security Extensions Feature Pack (integrated in V5.2) you can use SAML assertions coming from distributed applications to provide even more granular access control.
I've read that it is possible to access Facebook Insights programmatically:
The Graph API provides programmatic access to all of this data so you
can integrate Platform data into your own, custom analytics systems.
I have two questions, though:
Is it possible to access data from a domain, using Facebook Insights
for domains?
How to get data from a public URL? I've wrote this small script that returns the number of shares for a given URL without using data from Facebook Insights for domains, but how do I get all possible information from a given URL (e.g. who shared it, who liked it, who commented, etc)? Is this even possible?
To get insights for a domain, get the read_insights permission, then GET
https://graph.facebook.com/insights?domain=example.com&access_token=TOKEN
To get insights for a particular URL on your domain, GET
https://graph.facebook.com/?id=YOUR_URL&access_token=TOKEN
Not all of the data you want is available - for example, you can't get the UIDs of the users who shared and liked your URL, but you can get the count.
If you have the comments plugin embedded on your URL, you can get the UIDs of the users who have commented on your URL as comments in the plugin are always public.