I am developing a plugin that allows the user the post content that I am storing in an object in publicData. To identify the user that posted the data, I am storing the _id that is returned from buildfire.auth.getCurrentUser() in that publicData object along with the content of the post.
Is there a way I can access a list of the users of my plugin, then iterate through that to find the user with the corresponding _id? A list of the users of my plugin must exist somewhere, I just do not know how to/if I can access it.
Any help on this would be greatly appreciated!
I would recommend caching the user object's nonsensitive data. Remember, you have a bit more access to the logged-in user over fetching another user profile using the user id. https://github.com/BuildFire/sdk/wiki/How-to-use-Auth#buildfireauth-getuserprofileoptionscallback
Since the user profile picture URL is really an API, you don't have to worry about the user changing it since it will always return the latest. The other property I recommend you cache is the Display name (not the first name and last name) since that rarely changes as well. This way your performance wont suffer and you can do a lazy fetch for a distinct list of user ids an update them as needed. KNowing most wont need an UI updates since nothing changed
Related
stack: NodeJS, ExpressJS, Firebase DB, VueJs
Question:
How to lock a firebase doc? I want to not allow two users editing a same document on front-end.
Example: Like in front-end if a user fetches a document by some id ant starts editing, editing takes like 10 minutes because there are a lot of inputs, but then a second user comes and tries to edit the same document by id. How to prevent it?
My solution: Create a database collection storing the id of currently edited document. And whenever a user tries to edit an document, there should be a check if the id doesnt exist in the collection and on save button the id should be removed from the collection.
Is my solution is good?
Maybe there are other solutions...
There is no pessimistic locking built into Firestore, but I'd typically implement this by adding a field to the document that is being locked. Something like currentEditor with as its value the UID of the current editor.
To manipulate this field you'll want to use a transaction to prevent users from overwriting each other's data, and you'll then want to use server-side security rules to enforce this.
So i have been struggling with this one question some time now:
How to handle details Page or deep linking on the Frontend.
So, say, we got a paged collection endpoint with user entities in it and a React App consuming the endpoint.
The flow would be, user authenticates, gets collections, clicks on an item and is either:
Redirected to a new Url say: webapp.com/users/userid
A modal opens with the user details.
Say we got a scenario were two people working with the webapp, Person 1 wants to share a link with Person 2. Person 2 should do some updates on a specific user, which is identified by the link.
The link should be something like : https://www.webapp.com/users/{slug or id}
With Option 2 this functionality is not mappable.
With Option 1 we got to expose the ids in the response to identify the resource, which may work, but we would still need to hardcode the url, as the findById method is not exported as a Uri Template.
So, my Solution would be to add a slug for the resources, implement a search method by the slug, and then get the user, if found, by its self-link.
Sounds like a good solution for me, but on the other hand, I would have to add an extra frontend id(the slug here) which would need to be also unique, to the database model.
So how do you guys handle a problem like this, or is there anybody using spring data rest in this way or in production mode where you have the handle situations like this?
Should mention that this isn’t a primary problem with spring data rest but rather with hateoas itself.
thanks in advance
Florian
You don't need to hardcode URL template. Spring data rest will generate links for each resource.
You can refer to it from front end by some format like: {your_user_object}._links.self.href
before write the question sorry for my english. My question is this:
I have an web application in jsf, the application have new, edit and delete Categories, outgoings, Budgets, users, etc.
When open the edit page i have the url like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
the problem is if the user change the number 2 for another number, and the another number exists in the dababase, the page change the data of the id 2 to the data of the new id.
The problem is if the id number X is of a data of another user, and the user that change the id is not in conditions to see that data.
How disable the edit of the id, or denied to show the data to the another user?
Thanks, and i hope have a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement propery Access Security Controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation stragegies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).
I am implementing an application that includes a user who logs in to access a document stored in a hosted CouchDB store. The user provides their credentials to the app, and once the app authenticates them, the app then has two jobs:
Get the Document ID associated with that user's data
Update the "lastOpened" value stored in that document
I am having to do those two things in a way that seems rather inefficient: I read a View which maps the app's user identifier (their email address in this case) to their Document ID. Once I have the Document ID (and have added it to the session for later use) I then have to request the Document, uptick the "lastOpened" value, then save the Document back to the store.
That looks like 3 trips to the database to me: 1. Get the Document ID from the View, 2. Get the Document, using that ID, 3. Save the updated Document.
Is there anyway to reduce that work to fewer database trips?
If you can change the document structure, you could use the user's login name as the document ID. That way, you don't have to use a view. Using update handlers, you could even do all the work in one request.
That looks like 3 trips to the database to me: 1. Get the Document ID from the View, 2. Get the Document, using that ID, 3. Save the updated Document.
Is there anyway to reduce that work to fewer database trips?
You can fetch document from a view by adding "?include_docs=true" query parameter in request. So two steps instead of three.
I've created two new custom attributes in the UserProfile. When the service we wrote returns data about a specific user by using the UserProfile object, sometimes the data isn't returned, even though if we look at the user in SSP it look populated. Some users work; this is the first user we set up with data. I'm not sure if sometime in the meantime after setting up the first user and testing, if there's something we ran and need to run again. How can I get all the users to get their data returned in a call to their UserProfile?
It may be a language issue, perhaps you can detect a pattern in working/not working users and their language?
Have you looked at the visibility of the custom attributes? Is it possible that it's a question of who is supposed to be able see the attribute that is causing your issue?
It could be connected to when the profile was created and when the attributes were added.
Is there any pattern to which users work and which do not?
Try creating a new user, and see if the attributes are available for that user.