Telegram bot getUpdates field empty even though I disabled privacy in Botfather - bots

Going to my bot's getMe URL I get:
{"ok":true,"result":{"id":1966270303,"is_bot":true,"first_name":"{botname}","username":"{botname}_bot","can_join_groups":true,"can_read_all_group_messages":true,"supports_inline_queries":false}}
Which I assume means that it should be able to read group messages. Yet when I add it to a group (and send a dozen messages) and give it admin rights it still returns { "ok": true, "result": [] } in /getUpdates. Am I missing something?

The answer is the "privacy mode" as explained in this FAQ Entry. Note that:
making a bot admin in a group effectively turns off group privacy for that group;
if you change the privacy setting with @Botfather, then you need to remove & re-add your groups to the group. Otherwise the changed setting doesn't take effect.


Docusign Accounts API bug

We are developing a feature that allows users to add identity verification to envelopes. There's a checkbox called "Allow recipient to provide phone number".
We need to decide when to show that checkbox, because not all accounts have access to the checkbox.
From the documentation (https://developers.docusign.com/docs/esign-rest-api/reference/accounts/accounts/listsettings/) I see that there's a phoneAuthRecipientMayProvidePhoneNumber field which allows us to determine that.
When I open the page for envelope creation I can see that the checkbox is available, but the API returns a false value for that field. So we can't really decide whether we need to show that field or not.
It seems like a bug in the API.
I took a look into this issue and I see that I'm getting the same behaviour - "phoneAuthRecipientMayProvidePhoneNumber" is always returning "false" for me as well, so I believe that you're correct that there's a product issue here. Can you email go-live@docusign.com with a link to this question and reference case number 07556985, which is a case created for this issue? Once you do that, I can create a ticket for this behaviour and let you know as it progresses.

User leaving channel

As in other personal messengers, a user might want to organise chat channels they no longer wish to participate in by leaving the channel.
In the Getstream sense, it would be removing the user from the channel's member list.
There does not seem to be any functionality for this.
I have tried to include the removeMembers permission for the user; however, I am getting an error that members cannot be removed from distinct channels.
You have a couple of options to achieve this:
Remove the channel server-side (this makes sense if the conversation is over for both).
Hide the conversation for one user (see channel.hide). Doing so will hide the conversation for one user until a new message is added.

In Kentico deny access to a single page unless a user is in a particular role

I've been wrestling with uniquely restricting one page in my Kentico installation to be viewed by only two Roles, everyone else should be redirected to a page telling them they need to jump over the paywall. I've not determined the best way yet to do this. Along the way I've found that when I try to access that page from the menu at the top of the page it respects my permission by denying access. However when I use that same link from an editable web part lower in the page it seems to ignore permissions. While it looks like two questions here what I really want to know is how to deny access unless a user is in a particular role and then if denied how do I redirect them to a page to explain why they were denied. Thanks.
Try this:
From your top level page (master page), add the role "Everyone" and grant them read access. This will replicate through the rest of the pages and everyone can see everything. Yes, sounds fishy but read on...
Next navigate to the specific page you want to restrict access to. On the Security tab, click the "Change permission inheritance" link. Then click the "Break inheritance and copy parent permissions". Next select the Everyone role and check the Deny full control box.
Now add your specific role(s) and set their permissions to Read.
This should get your permissions working as you want for that page.
As for a message and redirecting if in a particular role, you could place a webpart on a page and say if they are not part of a role, just redirect them to a page using your choice of redirects. The webpart itself will handle if they are in the particular role. Keep in mind the user will have to be logged in already and/or have access to that page so no restrictions can be on that page.
Thanks for all your suggestions. Here's what I found. First, the reason the two pages were acting differently was a brain cramp on my part. I had embedded two different links. My bad!
Secondly, on security, it appears that Deny takes precedence over Allow. If the role is denied no amount of "allow" will override the denial. The way I fixed the problem was to create a zone for those who I wanted to allow access to the text and a zone or web part for those I wanted to deny. In the Zone visibility section (click the arrow next to "Visible" to enter text) I put a boolean statement:
{% CurrentUser.IsInRole("Member") || CurrentUser.IsInRole("SecondRoleToTest") #%}
This way anyone who was in either of those two groups would cause a true value to this statement and visible would equal true (notice the "!"). For the zone or web part I wanted to present to those who were not members of either of those two groups I put the opposite of that condition
{% !(CurrentUser.IsInRole("Member") || CurrentUser.IsInRole("SecondRoleToTest")) #%}
and it would display the materials for those who were not in either of those groups. In this case the text read the equivalent of "you need to be either this or that with a link to information on how they could become this or that". Have to admit I learned quite a bit on this one. Thanks for all your help, you helped lead me to the answer.
If I am understanding you correctly, you are saying that you have locked down a page to only 2 roles? If a person clicks on a navigational link that is not in those roles, they are denied access...correct? But if a person clicks on a link from a webpart on a page, they are not denied access...correct?
While this is unusual, I am also wondering how the link is set up in the webpart? Is it just an anchor link or are you using a Kentico permalink? These should not behave any differently, but just a thought. Sounds like more than likely there is some permission that is still allowing access to the page, but without seeing your actual permissions setup it is really hard to tell you what could be causing that.
As far as redirect, by default it should redirect to a login page if you have one of those set up (you would have set that up in the Settings Tab), otherwise the access denied would just happen. You could quite easily write some custom code to redirect users who are not in a role to another page. For re-usability, you could write it into a custom webpart and have a property for the roles the users need to be in and a property for the redirect page location and then handle it from there. Doing it that way would allow you to use the same pattern on any pages you desired...but you would then need to bypass the built in security lock down stuff.
Lastly (and I don't know the classes to use) you could probably override what happens when 'access denied' occurs in accessing a page in the site..then you could do your own custom redirect. I am sure someone else can chime in with the exact class.

Disable the edit of ?id= in url jsf

Before writing the question, sorry for my English. My question is this:
I have a web application in JSF; the application has new, edit and delete for Categories, outgoings, Budgets, users, etc.
When I open the edit page I have a URL like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
The problem is that if the user changes the number 2 to another number, and that other number exists in the database, the page changes the data of id 2 to the data of the new id.
The problem is if id number X belongs to the data of another user, and the user who changes the id is not allowed to see that data.
How do I disable editing of the id, or deny showing the data to the other user?
Thanks, and I hope to get a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement proper Access Security Controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation strategies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).
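The service-layer check that both answers above describe, as an added Java example that is not part of either answer. All names (UsuarioService, AccessDeniedException, findForEdit, rename) are hypothetical, the in-memory map stands in for the database, and records require Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every class and method name here is hypothetical.
public class ServiceLayerCheckDemo {

    // Can be mapped to a custom error page via <error-page> in web.xml.
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    record Usuario(long id, String name, boolean admin) {}

    static class UsuarioService {
        private final Map<Long, Usuario> store = new HashMap<>(); // stands in for the database

        void add(Usuario u) { store.put(u.id(), u); }

        // Called for edit.xhtml?id=N; the id is client-controlled input.
        Usuario findForEdit(Usuario caller, long requestedId) {
            Usuario target = store.get(requestedId);
            // Same failure for "missing" and "not yours", so ids cannot be probed.
            if (target == null || !(caller.admin() || caller.id() == target.id())) {
                throw new AccessDeniedException("user " + caller.id() + " may not edit id " + requestedId);
            }
            return target;
        }

        // The write path repeats the check: the id posted back can be tampered with too.
        void rename(Usuario caller, long requestedId, String newName) {
            Usuario target = findForEdit(caller, requestedId);
            store.put(target.id(), new Usuario(target.id(), newName, target.admin()));
        }
    }

    public static void main(String[] args) {
        UsuarioService service = new UsuarioService();
        Usuario alice = new Usuario(2, "alice", false); // constructed sample data
        service.add(alice);
        service.add(new Usuario(3, "bob", false));

        service.rename(alice, 2, "alice2");              // own record: allowed
        System.out.println(service.findForEdit(alice, 2).name());
        try {
            service.findForEdit(alice, 3);               // ?id=2 changed to ?id=3
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In a JSF backing bean the caller would come from the authenticated session, never from a request parameter.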

How to know when computer object added to security group

I need to check when one of the servers in my organization was added to a security group, meaning on which date, and if possible who added it. Is there any PowerShell command with which I can check?
To get the information you need, you first need to make sure that you audit the changes in AD that you want. Try searching for "active directory audit security group" on google, or simply visit the first result: Auditing Group Membership Changes in Active Directory.
When you have enabled it, changes to accounts will be audited/logged in the Security log on the domain controllers. Now you can simply use PowerShell to search for it. Ex. if the group is a global security group, the eventid for added member is 632. So to search for group "FOO", use:
Get-EventLog -LogName Security -InstanceId 632 -Message "*FOO*"
This should (don't have a test-lab to verify with atm.) include who made the change, who was added to what group(FOO) and when it was done. The event will only show up on the domain controller that the request was sent to(!).
If you have multiple domain controllers (as you should), you should use Event Subscriptions to collect the events to a central server or your workstation. You could also use WMI-subscriptions to run a script whenever a new event like that occurs. A simple search here on SO or google will show you how to do that.
EDIT If the person who downvoted me reads this later, could you please leave a comment with the reason. It's hard to improve when you never get feedback. The answer includes an explanation and a solution including the necessary PowerShell command, so I can't see what I did wrong.
