Buildfire - How to allow control side to ban users? - buildfire

I am developing a social plugin that allows users to post content. On the control side, I plan to display the users' posts and allow the admin to ban users if they post inappropriate content. Is there a way to do this with buildfire.auth or something else built into buildfire?

As of this date:
At the plugin-level, you don't have permissions to ban a user at the app-level. However, you may implement logic to ban them at the plugin-level using your own custom logic.

Related

A feed in which different users can add activities

In my app I want to have some feed where different users can add activities
How can I do this? Are there any settings of user rights?
It would help if you could elaborate on what you are trying to build (e.g. what kind of user ACL you are trying to offload to Stream) and whether you are using an SDK or the REST API directly. Multiple users can add activities to the same feed.
Regarding user rights and permissions, they would be embedded in the JWT token when you're doing server-side authentication, as exposed here.

Instagram Permission Request without Login Process in Screencast

I'm struggling with the Instagram Permission Request. We need to use the API to scan for new uploads to Instagram with a specific hashtag, to trigger a machine.
For this, I tried to request the permission for "basic" and "public content". The request was declined several times, primarily because the screencast does not contain any Instagram login process in our app. Since there is no need to log in for our purpose, I don't know how to realize this. We also don't want to use any 3rd party tool, but just the Instagram API. Do you have any advice for this?
Instagram does not approve one-off projects for yourself, they only give permission if you are creating an app or platform for many to use.
https://www.instagram.com/developer/authorization/
One-off Projects. If you are an agency building websites or other
integrations, note that we don't grant permissions to clients created
for one-off projects. If you are interested in building a product,
platform, or widget that will be used as a service across multiple
projects, then you may submit a single client_id that you can use
across multiple projects.
If you are creating an app/platform, you have to have a login flow for each customer to log in and use, so you have to show the login flow in the video screencast.
If you are not building an app/platform for a wide audience, you probably will not get permission and are expected to use other apps out there that do what you want to do.
Also check out the Instagram Graph API. This is an API for business accounts to create one-off projects to moderate your accounts, but you will not have access to public hashtag posts; you will have access to all content for your account: https://developers.facebook.com/docs/instagram-api/v2.10

Instagram API - How to build a media viewer to get posts by hashtag from some users?

Is it possible? I have read the documentation but I wish to know whether there is a way. I need to create a gallery with some hashtags and filter by some users. Maybe something in the backend can do it?
No. From the official API, you can't get other users' media anymore. They only allow developers or users to fetch their own "RECENT" media. The same goes for hashtags.
More and more restrictions and fewer and fewer APIs opened by Instagram, it's hard to do valuable stuff around IG now.
It is possible. The developer client key defaults to your own content in sandbox mode. You have to create a submission for approval, you can do this via: https://www.instagram.com/developer/clients/ and choose the client that you have created, then the permissions tab will allow you to apply.
I am going through the application process at the moment for our App, it is very difficult as Instagram are stringent.

Should user accounts be disabled if Facebook is the only login method

I've read about security best practices saying that inactive user accounts should be disabled and even deleted to avoid security issues like unauthorized use. I can see that being true for regular username and password authentication sites, however my application was built to work only with Facebook groups and as such the only way to login or create a new account is to use the Facebook login.
The argument can be said that someone malicious could take control of one of my users' Facebook accounts and then use it to access my application. Although that is true, if they have control of a Facebook account my application would never know it's a malicious person, so I don't see that as a valid criterion to use in determining if the account should be disabled.
Furthermore if a user is inactive and wants to become active again since it's Facebook login there really is no reason for them to go through some kind of reactivation process like confirming their email or changing their password.
I must be missing something here because it's certainly mentioned as a best practice to disable accounts but since my only login method is Facebook (OAuth) I can't come up with a valid reason to disable/delete inactive accounts.
Regarding other methods of unauthorized access I have security measures in place so I'd like to keep the answers relevant to the login method.
Please enlighten me if I've missed something.
If you have decided that your application needs to use Facebook authentication, then your system's identities will only be as traceable as Facebook's identity management permits. (And don't expect Facebook to help you by disabling / blocking users at their end ...)
You need to design it accordingly:
Don't make any assumptions that users will behave properly.
Don't rely on login controls to keep out malicious users.
Put in your own (sufficient) defenses against malicious behavior into your own system.
You are correct that disabling an account in your system won't achieve much if you also allow the user to (easily) reenable it. Given that it is easy to create (effectively) untraceable Facebook accounts, the chances are that a typical malicious actor will not just rely on old accounts. They may use a brand new account and connect from an IP address that you have never seen.
There are some things that you could do though. For example, implement mechanisms to do the following:
Make sure that users simply cannot upload dangerous content (e.g. files with trojans, web content with dangerous links or scripts),
Allow administrative locking of an existing account or OAuth identity,
Allow blocking of creation of accounts or access from specified IP addresses or ranges,
Keep an audit trail so that you can watch the history of user behavior.
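
As an added example (not part of the original answer, and not code from any project named on this page), here is one way to implement the administrative lock, IP-range block and audit trail listed above, keyed on the OAuth provider's stable user id; the same shape fits the custom plugin-level ban logic mentioned in the Buildfire answer. `AccessGate` and its methods are hypothetical names, the store is in memory, and only IPv4 is handled, with unparseable addresses denied.

```javascript
// Added example: app-side access gate for an OAuth-only login (hypothetical names).
// Dotted IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

class AccessGate {
  constructor() {
    this.locked = new Map(); // "provider:subject" -> { reason, by }
    this.ranges = [];        // [{ cidr, base, mask }]
    this.audit = [];         // append-only log of admin actions and decisions
  }
  log(event, detail) {
    this.audit.push({ at: new Date().toISOString(), event, ...detail });
  }
  // Lock the OAuth identity (provider + stable subject id), not a display name.
  lockIdentity(provider, subject, reason, admin) {
    this.locked.set(`${provider}:${subject}`, { reason, by: admin });
    this.log("identity_locked", { provider, subject, reason, admin });
  }
  blockRange(cidr, admin) {
    const [addr, bitsStr = "32"] = String(cidr).split("/");
    const base = ipv4ToInt(addr);
    const bits = /^\d{1,2}$/.test(bitsStr) ? Number(bitsStr) : -1;
    if (base === null || bits < 0 || bits > 32) throw new Error(`bad CIDR: ${cidr}`);
    // JS shift counts wrap at 32, so a /0 mask is handled explicitly.
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    this.ranges.push({ cidr, base: (base & mask) >>> 0, mask });
    this.log("range_blocked", { cidr, admin });
  }
  // Run after the provider has authenticated the user, on every login.
  check(provider, subject, ip) {
    let decision = { allow: true, why: "ok" };
    const addr = ipv4ToInt(ip);
    const lock = this.locked.get(`${provider}:${subject}`);
    if (lock) decision = { allow: false, why: `locked: ${lock.reason}` };
    else if (addr === null) decision = { allow: false, why: "unparseable address" };
    else {
      const hit = this.ranges.find(r => ((addr & r.mask) >>> 0) === r.base);
      if (hit) decision = { allow: false, why: `blocked range ${hit.cidr}` };
    }
    // Record every decision, allowed or not, so behaviour can be reviewed later.
    this.log("access_check", { provider, subject, ip, ...decision });
    return decision;
  }
}
```

A successful Facebook login only proves who the provider says the user is; the gate's decision is what admits them to the application, so a locked identity stays locked however many times it re-authenticates.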

Do I have to use the Instagram API?

I was thinking of retrieving a user's Instagram news feed, however the Instagram API doesn't allow you to do that because some users may be private. However, what if I just used an HTTP connection and logged in as the user then went to the user's 'home' page to get their news feed? I think this would work, but I'm not sure about the legalities behind doing so.
See their Terms of Use. Specifically...
We prohibit crawling, scraping, caching or otherwise accessing any
content on the Service via automated means, including but not limited
to, user profiles and photos (except as may be the result of standard
search engine protocols or technologies used by a search engine with
Instagram's express consent).
