I have a website that outputs Excel reports with hyperlinks back to secure content. One of the links would look like this...
http://www.[site].com/externalLinkDigester?externalSession=[SHA Encrypted Text]
The query string argument (externalSession) is a unique alphanumeric string that is only valid for 24 hours and can only be accessed by the user who created the report. My controller looks something like this...
class ExternalLinkDigester{
def springSecurityService;
def index = {
def currentUser = springSecurityService?.currentUser
if (!currentUser){
redirect(controller:'login')
}
def request = ExternalSession.findByName(params.externalSession);
if (request.isExpired(){
//show expired content page
}
if (sameUser(currentUser, request.user){
//show content
}else{
redirect(controller:'login')
}
}
}
The problem is that no matter what the springSecurityService.currentUser is always null when coming form an external program like Excel even when I am logged before clicking the link however, if I copy and paste the link into the browser it seems to work fine. Help!
How can I securely access content this way?
Is it possible that Excel is opening up a different browser than the one you logged in with (eg. you logged in with Firefox and when clicking the link within excel, it defaults to opening the link within Internet Explorer). The new browser will not have the session cookie for the authenticated session so "currentUser" will appear as null.
Related
I have created a multi page app to use internally within our company.
However for some of my colleagues when using the app, whenever they click on a link to be directed to a new page, Chrome removes our company tag from the URL.
Normally the URL should be https://script.google.com/a/macros/**companyname.eu**/s and then the Script ID. But for some reason Chrome removes the **companyname.eu** part from the URL.
In the GScript I use the following code to make sure correct page is displayed -
function doGet(e) {
if (e.parameters.v == 'wishes' || e.parameters.v == "agents" || e.parameters.v == 'markets' || e.parameters.v == 'team_leads'){
let tmp = HtmlService.createTemplateFromFile(e.parameters.v);
return tmp.evaluate();
} else {
let tmp = HtmlService.createTemplateFromFile("wishes")
return tmp.evaluate();
}
}
And then in the HTML files for the links themselves I am using the following code -
<header>
Pending Wishes
Agents
Markets
Team Leads
</header>
For the same people using Safari instead of Google Chrome seems to fix the Issue.
Edit: Picture of the Publish Settings
The WebApp URL depends on how you publish the WebApp
If you set Who has access to the app: to only myself or Anyone within {Your domain}, the WebApp URL will be of type
https://script.google.com/a/YOURDOMAIN/macros/s/XXXXX/exec
If you set Who has access to the app: to Anyone or Anyone, even anonymous, the WebApp URL will be of type
https://script.google.com/macros/s/XXXXX/exec
For your domain, please publish set the access to Anyone within {Your domain} and make sure that your domain users only open it when signed into their browser session with their domain account
I want to prevent from IDOR attack in yii2.
If user change url in browser and request was Invalid stay in current page.
I use below code .I stay the current page and dot render page with id manipulate after change Id by firebug in link page.
But if I change id in browser I redirected to home page.
for example, the user(by Yii::$app->user->identity->id that is 19) is on this page : url http://localhost:8080/profile/test/19 and see own profile. if user change url to http://localhost:8080/profile/test/25 in browser and press enter , see the same page again http://localhost:8080/profile/test/19 That is, his profile but I go to home page, I think Yii::$app->request->referrer in empty in this case.
public function actionTest($id) {
if (Yii::$app->user->identity->id == $id) {
return $this->render('view', [
'model' => User::findOne($id),
]);
} else {
$this->goBack(Yii::$app->request->referrer);
}
}
I have created a campaign form in Mautic and used the manual copy feature to integrate it into my HTML landing page (this is a landing page I have made in HTML. It is not a Mautic landing page).
In Mautic, users are saved as a "contact". The contact has a field called "tags".
I would like to make use of the Mautic Tracking Javascript so I can send a value to this tag field from my HTML landing page.
Here is my code:
< script >
(function(w, d, t, u, n, a, m) {
w['MauticTrackingObject'] = n;
w[n] = w[n] || function() {
(w[n].q = w[n].q || []).push(arguments)
}, a = d.createElement(t),
m = d.getElementsByTagName(t)[0];
a.async = 1;
a.src = u;
m.parentNode.insertBefore(a, m)
})(window, document, 'script', 'http://newsletter.smile.ws/mtc.js', 'mt');
mt('send', 'pageview', {
'tags': 'sunshine-book'
});
< /script>
To test it out, I submitted a test contact on my HTML landing page.
When I log-into Mautic and go to the contact page for the contact, the tag field is blank:
However, the tag does appear as an option in the tag menu:
How can I make it so the tag field is automatically filled with the tag?
The user renzof of the Mautic forum tested my code and it worked for him, but it didn’t work for me. I think I'm doing something wrong, but I can't figure it. Any ideas? Thanks!
The issue is the use of Http. The landing page uses https, but the code was using http (the s is missing), which is why it doesn't work. I updated all my code to use https and it worked.
there is actually nothing wrong with your code, I tested it and the only problem was browser blocking the request due to cors origin, other than that it worked fine.
But I have a hunch in case it doesn't work, i noticed the tags is actually plural and in mautic contact form it taken as array, so if cross domain issue isn't there at your end, can you try tags[] instead tags. However i think normal way should have worked.
I'm trying to post to a Facebook page AS the page using the Unity Facebook SDK running on iOS. As I understand, to do that, I need the pages access token with manage_pages and publish_pages. I know that I can get it from /me/accounts?fields=access_token, but how do I tell AccessToken.CurrentAccessToken to use my pages access token instead?
Right now i'm using the following:
var wwwForm = new WWWForm();
//wwwForm.AddField ("access_token", "A-T I NEED");
wwwForm.AddBinaryData("image", screenshot, "InteractiveConsole.png");
wwwForm.AddField("message", "herp derp. I did a thing! Did I do this right?");
FB.API("/PAGE-ID/photos", HttpMethod.POST, HandleResult, wwwForm);
I tried putting the access token manually, but that didn't work (so I commented it out).
With this as it is I'm getting an error, telling me that I need publish_actions, wich is not correct since I'm not trying to post as the user. If I also get publish_actions the Post goes online, but is posted to the page as the user speaking. (User is also Admin)
Any Ideas ? Thanks!
So, I filed a bug report to facebook and as it turns out: "… at this time this functionality is not supported." Wich simply means there is now way to use the Page Access Token you acquired via the FB.API within the FB.API. And they are not going to tell you abot it in the documentation.
As a workaround I simply use a UnityWebRequest like this:
IEnumerator UploadToPage(byte[] screenshot) {
var wwwForm = new WWWForm();
wwwForm.AddField("message", "herp derp. I did a thing! Did I do this right?");
wwwForm.AddBinaryData("image", screenshot, "Test.png");
string url = "https" + "://graph.facebook.com/"+ PageID + "/photos";
url += "?access_token=" + PageAccessToken;
using (UnityWebRequest www = UnityWebRequest.Post(url, wwwForm))
{
yield return www.Send();
if (www.isError)
{
Debug.Log(www.error);
}
else
{
Debug.Log("Form upload complete!");
}
}
Debug.Log(url);
}
I'm currently working on the imap class by barbushin. It's the only php class over the internet I can find regardless to any encoding issue. Thanks to the coder.
I have a list of messages in a table. Each message sending a message id as GET (say $mid). When a link clicked, the page turned into a view page. It should open that message and display the relevant content right? But it is not. Every message has the same content (the 1st content). The code is designed for gmail but I use it for my client. And it's work.
This is a code:
require_once('../ImapMailbox.php');
define('EMAIL', 'my#domain.com');
define('PASSWORD', '*********');
define('ATTACHMENTS_DIR', dirname(__FILE__) . '/attachments');
$mailbox = new ImapMailbox('{imap.gmail.com:993/imap/ssl}INBOX', EMAIL, PASSWORD, ATTACHMENTS_DIR, 'utf-8');
$mails = array();
// Get some mail
$mailsIds = $mailbox->searchMailBox('ALL');
if(!$mailsIds) {
die('Mailbox is empty');
}
$mailId = reset($mailsIds);
$mail = $mailbox->getMail($mailId);
var_dump($mail);
var_dump($mail->getAttachments());
The original is here: https://github.com/barbushin/php-imap
Finally, I found my way home. According to the script there's a line says "mailId". Which is straight forward what is it about.
It was set to the first array by reset(). So the only thing I need to do is extract the message id from it ($mailId is an array of ids). So I simply add an array behind it.
$mailId=$mailsIds[$_GET[uid]];
While $_GET[uid] is a message id sent from a previous page.