Asana Remove User - asana-api

I always get
Call restricted to workspace admins when using remove user api. Is there any way to work around and remove user from api.
Also when I add someone using addUser api they are added as Guest is there any way to make them member?

There is no way to work around having to be an admin to POST to /workspaces/workspace-id/removeUser. This is by design as it could cause security issues if everyone was capable of deleting users in a workspace.
When adding a user with the API, they will be added as a member if the new user's email address matches the domain of the workspace. If it doesn't match, they will be added as a guest.

Related

How to link logged users to their data, retrieve and update them in MySQL table

This is the my web-app "User Settings" page.
I have simplified it to a minimum to better highlight the problem.
To authenticate users I use Auth0, I wanted to use the sub claim user_id to identify the users inside my MySQL database for update and retrieve user's info. Unfortunately the user_id is different for each provider, for example, if the same user with the same e-mail logs-in via Auth0 he gets a user_id if he does it via google he gets another one.
I thought about using email to link logged user to his info.
The problem is in my API. Before the change it was "localhost: 8080 / api / users /: id"
each time it created a new id and in any case it was impossible to recover the data of the single user. Now that I have replaced "id" with "email" my API has also changed in "localhost: 8080 / api / users /: johnsmith#xxx.com".
Before:
After:
In a few words, the request url on the client side has also changed.
I would like to make sure that the GET and PUT requests are made based on the e-mail of the logged user without going to modify the whole back-end.
Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one to many relation with the user. For example each user has a list of auth-methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.
Im not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many Auth methods for a single account.
Also you could use email, but that is also an "old" way of uniquely identifying users almost every single person has multiple active email accounts nowadays, so you should also have a one-to-many relation for users to emails. What if the user has different email accounts for their Facebook and Google accounts?
See account linking here: https://auth0.com/docs/users/user-account-linking
It is dangerous to trust that the external providers are truthful about what email belongs to who. What if I open a new account using someone else's email on one of the providers? Then I can log into that users account in your application, which is a pretty big security risk.

Docusign consent issue with 2nd user, is duplicate of 1st working

Running into a bit of an odd issue. I assume it may be a setting somewhere?
Using the API integration for embedded forms. We have two brands, so I've made two users with the same roles. Their job is to be the sender for any embedded form for their respective brand. Their roles are both set as sender from the user settings tab.
support#brand.com
support#other-brand.com
Each user is in 2 groups, developers and their respective brand. Simply being part of developers will allow them to be assigned as the sender of any API templates. It's worth noting, these two users are identical to one another in setup, only difference being support email.
Using user 1, there are no issues, and everything works as intended. Using user 2 however, I get the error "consent required" when trying to get a JWT token?
I've gone through all and any settings I could find, but nothing seems to do what I need. Both users belong to the organization, so I'm simple confused.
Any help and direction is much appreciated.
The answer was I needed to claim the #brand URL the 2nd user was under, which had not been claimed via the application admin interface.
Consent is per user, you would need the second user to log in and navigate to the URL For consent.
If you are using the developer/sandbox/demo environment (not production) the URL you would want to set looks like this:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=<your IK>&redirect_uri=<some URL you defined for the IK>
Remember to define the redirect_uri in the Apps and Keys page in the settings page where you created the Integraiton Key and you should be good.

How to know if user can edit/delete user in MS Graph API

I have a single page app that uses the Microsoft Graph API to manage users.
We use only delegated permissions.
I would like to hide the Delete User button if the user does not have permissions to delete users.
But it doesn't seem there is a way for the app to know until we try to delete.
So is there any way to know if the user can do this action?
I'm kind of on the side of no, you cannot know in advance.
But I am wondering if I am just missing something.
I ended up doing a memberOf query to Microsoft Graph API, which returns all the user's groups and directory roles. I check if they have User Administrator or Global Administrator role, and decide on that if they can edit and delete users.
It's a little suboptimal since we fetch groups too, but this is done only once after login. I tried filtering on roleTemplateId, displayName and #odata.type field but that is not supported.
If the memberOf query fails, I assume they cannot edit or delete users either.

UnauthorizedAccessException for limited permissions user via REST API

not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features

Deployd: How to implement dpd-passport and securely authenticate

Let me start by saying I really like Deployd. I want to use it in production, but I want to incorporate OAuth and social logins, so I installed the dpd-passport module. It works great, except for two little (big) problems:
When a user signs in via an OAuth provider (e.g. Facebook, Twitter, Github) a new user record is created...but if the same user clears their cookies or uses a different browser to log in, a new user record is created.
If I do something clever (read: hacky) and assign users with social logins an ID based on the socialAccount and socialAccountId (something unique but constant for each social account), someone could use the standard method of user creation to spoof a user by making a POST request to the /users endpoint if they knew that user's socialAccount and socialAccountId.
My question is: How can I A) prevent #1 from occurring, or B) disable the standard method of user creation without also preventing OAuth user creation?
Has anyone ever successfully used Deployd and dpd-passport in production? If so, I want to speak with you...
Thanks in advance!
First of all, I think you haven't added the custom fields per the docs.
https://www.npmjs.com/package/dpd-passport#requirements
I hadn't either, and observed the new user feature (because it couldn't lookup the response from the auth service to find the user from before). Adding these fields fixed it.
Also, there is a google group here:
https://groups.google.com/forum/#!forum/deployd-users
Hope that helps.

Resources