I need user's location to proceed my app. At start, I asked user to grant me permission. How to handle if user denied to grant the permission. After Denial I can see user's location in the log. So is there any way to get those geoPoint Or if there is another way to handle it?
If the user declines the permission request, their location will not be available to your capsule.
You are able to see the user's location in the log because user location is simulated when working with Bixby Studio's simulator. In a live environment, user location will not be available to your capsule if the user declines the permission request.
Refer to the documentation: https://bixbydevelopers.com/dev/docs/dev-guide/developers/deploying.prep-capsule
Check if the permission is granted using EL or Javascript and remind the user about certain features that might not be functional until permission is granted.
Related
We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.
Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.
My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
Directory.AccessAsUser.All
User.Read
We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.
You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.
What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?
If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.
First of all, I am no developer. I manage an Office 365 server for my company and I would like to do some heavy reporting using excel.
I have learned of Microsoft Graph and how I could get my data with it.
I created an app in Azure Active Directory, and I tried to set it up.
I added authorizations for Microsoft Graph, including Read All users full profile.
I add one Read directory data permission for Windows Azure Active Directory too.
I clicked on the Grant Permission button.
In the manifest, I changed those parameters to true :
oauth2AllowImplicitFlow
oauth2AllowUrlPathMatching
Now from Excel (2016), I am trying to add a new OData Source, and tried
https://graph.microsoft.com/v1.0/users
I entered my credentials (as Global administrator) using the Professionnal Account tab, and unfortunately, I only get Resource Access Denied (Sorry if the message is not accurate, I get it in another language).
Could anyone give me a hand in telling me what I have missed, please ?
Thank you in advance.
I had similar issue and found that the problem might be that incorrect flow is being used to authenticate.
Warning: once you change your permission and grant them it may take up to 30 mins for the permission to be granted.
First of all, please check your access token (you can decode it easily using https://jwt.io. As a result you should receive this part in your decoded payload:
"roles": [
"User.Read.All"
],
If you don't see it it means that permission is not granted properly. As you wrote that you enter the credentials I assume that you use authorization code grant flow.
To resolve this you you can first check whether you granted application permission or delegated permission to your app. You can look at this page to see the difference. If you want to use application permission you can use client credential flow. If you want to use delegated permission you can use authorization code grant flow.
In application settings > Required permissions you can check which permissions you granted and correct it, if needed:
If you are using authorization code flow you can also add delegated permission to your app and check if new access code contains required role (keep in mind that some permissions might be available only in one of the categories - however, Users.Read.All is available in both).
Source
I am building a site on Liferay 7. By default, all the authenticated users inherit the Guest permissions (anonymous users).
There is even a label in the permissions section:
"Under the current configuration, all users automatically inherit permissions from the Guest role."
Why do I need this?
I would like to display X content only for anonymous users and when the user logs in, then I would like to display different content.
This is how my content permissions for anonymous users are configured:
Although I agree with people that say this is not the best path, yes you can do it - just to address the question at hands.
Set this to true if resources should assume that all users have the Guest role. Set this to false if resources will not assume that all users have the Guest role and, thus, do not automatically inherit permissions that belong to the Guest role.
Setting this property to false may require users to grant permissions to roles like Site Member and User.
Defaults:
permissions.check.guest.enabled=true
Why do I need this?
Permissions are not the catch-all for showing different content. If a guest is not allowed to see something, but needs to log in - that's fine. It's authenticated content, and you'll need to sign in.
If an authenticated user has no permission to see certain content, but just needs to log out in order to see it: What kind of permission is that? Let me answer that for you: It's not permission. It's rather targeted content and while it might be mimicked with permissions, this mimicry is nothing more than mimicry.
One way to implement such a requirement is through structured Web Content (you sound as if you want to show different Web Content articles). The template has access to the full API and can check if the current user is signed in or not - and show different content based on this fact.
If you want to achieve role permission using code level as like in xxxlocalserviceImpl class.You can use below code for allow permission for the guest user.
In case of document and media allow permission to guest and registerUser in Liferay 7 using rest webservice you can use this code for allow permission to upload and download the document using this code.
ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
DLFileEntry.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
String.valueOf(dlFileEntry.getFileEntryId()), guestRole.getRoleId(),
new String[] { ActionKeys.VIEW });
To answer your question - you can not configure that per specific asset! By default an authenticated user can not have less permissions than an unauthenticated one. You can change that behavior for all assets using permissions.check.guest.enabled=false as #Victor correctly pointed out!
I've requested to "Verify company" over a month ago so that I can get permissions on my developer account to access my own camera data. Apparently verification is still pending because I still can't add this permission to my developer account.
Is nest development still supported? The #nest twitter account referred me specifically to this tag on Slack for nest API questions when I inquired what needed to be done to get verification approved.
The answer to this issue is to request verification, REMOVE the current Camera permission, then add back the "Camera + images" permission. There can only be one permission at a time despite this not really being documented and apparently permission to add it is granted once you request verification, but this is not documented either. I was able to find something that led me to the answer over on nestdevelopers.io
"Verify company" is only for using the Resource Use API. As noted above, you can only have one camera permission at a time, so depending on your camera needs, only select the one that is most appropriate.
I have a Java application that I need to support. I'd like it to collect user information, such as system information: OS and hardware for easier diagnostics and support. Are there any security & privacy regulations I need to follow? Do I specifically need consent from the user to do this?
I do not know your country and any local regulations, but it is always better accepted to have a privacy policy if you collect sensitive data. You might inform the user upon the first start, for example. You can also explicitly ask the user for a consent and collect only if the user agrees to do it. Informed consent is a nice policy which both informs the user and also asks for a permission. You can then stack the results and release them (if you which and e.g. include it in the policy) stating users provided their consent.