How to protect properties for different roles using loopback - node.js

I was just wondering how you would restrict property access to the $owner role only. For instance in my case I have a Joke which has an Author. The Author has User as base. I would like other "Authers" / Users to see who created the Joke, but they should not be able to see the Authers email, only if the Author is the $owner of the Joke itself it should be OK to show their email, just for the sake of this case.
Looking at the built-in User model you can see that they use the hidden feature to hide the password, but using that for their email will also hide their email for the $owner, which is not what I wanted
Let me know if something is not clear.
Thanks in advance

Register beforeRemote hook and check if current user is the $owner.
Joke.boforeRemote('findById', function(context, joke, next) {
// 1. find current user by id, using context.req.accessToken.userId
// 2. check if he is owner or not, by Role.isOwner
// 3. remove email from returned joke instance if user is not $owner
})
Note: it can be a bit complicated to cover all endpoints that return Jokes. But is there another way to do it?

To modify the output/results, you can use the afterRemote hook, as per the docs. The output/results are stored in ctx.result.
'findById' hooks into your GET requests when the call is like GET http://myModel/id. Use 'find' if you are not including the id in your request e.g. GET http://myModel. Just notice that in case of 'find', the returned instance(s) (joke(s)) is usually not just one so it is in an array of objects.
Joke.afterRemote('findById', function(ctx, joke, next) {
//your code
});
Get the id of current logged-in user: var currentUser = context.req.accessToken.userId
Compare the user id of the current logged-in user with that of the joke owner. If both are not the same (i.e. if (!(currentUser == joke.userId))), then:
before calling next(), remove the email attribute from returned joke instance. Because sometimes some ways don't work, here are a few:
delete ctx.result.email;
ctx.result.email = '';
loop through the attributes and transferring them to a new var, except the email, then save that new var the result: ctx.result = newVar;

You can create your own role resolver. See https://github.com/strongloop/loopback-example-access-control/blob/master/server/boot/role-resolver.js for an example. Just add your own logic once you determine the user.

Related

How to get information out of a list

So iam coding an discord bot and i want to get information out of an list that looks like this and this output is in "information = await guild.invites()"
[<Invite code='GZqCe8EF' guild=<Guild id=847546806937059338 name='Testing' shard_id=None chunked=False member_count=2> online=None members=None>, <Invite code='jQ2HeQfx' guild=<Guild id=847546806937059338 name='Testing' shard_id=None chunked=False member_count=2> online=None members=None>]
is it possible to get single things out like guild id or maybe 2 things like name and invite code and is it possible that u can output every line from it like the first invite code and the second one?
To output every invite code, you can use:
for invite in information:
print(invite.code) #invite.code returns the invite code, do whatever you want to do with it
# you can also add invite.guild.name to for the guild name etc
To output only from one invite:
print(information[0].code)
References
invite object with every possible paramenter after .
Yes it is possible, the invites() method returns list of Invite objects. To check what attributes does this object have look here.
to access an attribute you have to do this: InviteObject.{name of attribute}. Example:
for invite in information:
print(invite.guild.id)
It works the same for any discordpy object:
Look for the method that you are using in discordpy docs (In your case invites())
See what does it return (In your case list of Invite objects)
Search for the object (In your case Invite)

Get highest role of a member with mentions

How can I get the highest role name of a mentioned member? I tried something like this but it doesn't work. Thanks! :) btw this is a ban command and I need this bc my bot is crashing when someone is trying to ban a user with a higher rank than bot.
if(message.member.hasPermission('BAN_MEMBERS')){
const user = message.mentions.users.first()
console.log(user.roles.highest.name)
if(!user) return console.log("test1")
if(!args[2]) return console.log("test2")
const ddays = args[1]
What you could do is:
Getting a user's highest role:
Get the UserId from the Mention inside of the Message
Get the Cache from the RoleManager of the Guild in which the Message was sent in
(I don't know if the roles in RoleCache are sorted by position, so sort if needed)
Iterate through the roles in RoleCache and check if the UserId is contained inside a specific role
Get the position of the role
Getting the bot's highest role:
Repeat steps 2-5 for your bot (or integrate them within the previous iteration of the RoleCache)
Then compare both numbers and find out if the bot's "role number" is higher than the one of the user's.

DialogFlow conv.user.id Deprecated - any implications?

Similar to DialogFlow V2 user id? I am using the user ID from conv.user.id (dialogflow v2) to (anonymously) determine the user in my Dialogflow app. However, I get the log message:
conv.user.id is *DEPRECATED*: Use conv.user.storage to store data instead
Does this mean I will (soon) no longer have access to the user id? I understand I can store data in conv.user.storage, yet I need the id - not the storage.
Anyone thoughts on how to fail-safe this?
// Code snippet:
app.intent('Default Welcome Intent', conv => {
var userID = conv.user.id;
// do something
});
The anonymous user identity has been deprecated and will be officially removed starting 1 June 2019 (a year from now). So your code snippet will start failing then.
The fix depends on exactly how and why you're using the id, but for the most basic needs, you can do something like this:
Check to see if you've stored an id in the userStore. If you have - use this id.
If you haven't, generate an id (generating a UUID is a good method to do this), use this as your id, and store it in the userStore for future reference.
Code to do this might look something like this:
if ('userId' in conv.user.storage) {
userId = conv.user.storage.userId;
} else {
// generateUUID is your function to generate ids.
userId = generateUUID();
conv.user.storage.userId = userId
}
Alternately, you may wish to just plan to use Google Sign-In for the Assistant which will get you the Google UserID.
EDIT:
userId in condition should be quoted.

Kentico 10 - How do I update the username of an existing user?

Using a kentico 10 website with claims based authentication. We have the facility to update their email address in the external system. So what I want to do is update the user's email address and username by looking up based on the external userid from our sso platform.
var existingUser = UserInfoProvider.GetUsers().Where("ExternalGuid", QueryOperator.Equals, userId).FirstOrDefault();
if (existingUser.IsInSite(SiteContext.CurrentSiteName))
UserInfoProvider.RemoveUserFromSite(existingUser.UserName, SiteContext.CurrentSiteName);
loggingInUser = UserInfoProvider.GetUserInfo(existingUser.UserID);
loggingInUser.UserName = e.UserName;
UserInfoProvider.SetUserInfo(loggingInUser);
I'm getting the error:
The user with code name 'ac.aa#test.com' already exists.
This is happening on that SetUserInfo line. So I'm thinking there must be another way to update the username properly.
You need to do a few things:
Check if the user exists already:
UserInfo ui = UserInfoProvider.GetUserInfo(newUserName);
if (ui != null)
{
// user exists with new username so don't continue
}
Check if the username can be used as a username (no spaces, special characters, etc):
if (!ValidationHelper.IsUserName(newUserName))
{
// username cannot be used as a username
}
Check if the username is reserved or not:
if (UserInfoProvider.NameIsReserved(siteName, newUserName))
{
// reserved username so cannot use it
}
I'm willing to bet the username is reserved or not valid which is why it is not saving. The assignment you have done should work without issue.
It also looks like you're performing this update in a global handler so this could cause problems with a few things. So you may have to perform that username update later on or simply write a record to a custom table and then update it from there based on the event of creating those records in the custom table.
So I'd debug through your code and verify it is working properly by removing it from the global event handler, if it works, then it's an issue with having too many things happen at one time.
Try using SetValue(string columnName, value) method, I just tested this one and it worked fine:
UserInfo updateUser = UserInfoProvider.GetUserInfo("NewUser");
if (updateUser != null)
{
// Updates the user's properties
updateUser.SetValue("UserName", "NewUserName");
// Saves the changes to the database
UserInfoProvider.SetUserInfo(updateUser);
}
For some properties/columns, which are acting like "read only", you need to use the SetValue method like it was a custom field (API examples)

Returning a string from LINQ

For a school project we have to create an evaluation website that requires a login.
For the database connection I chose LINQ, because it's new and is supposed to be easier/better in use.
I managed to create a login check with the following:
public static Boolean Controle(int id, string wachtwoord)
{
DataClassesDataContext context = new DataClassesDataContext();
var loginGebruiker =
from p in dc.Gebruikers
where p.GebruikerID == id
where p.GebruikerWachtwoord == wachtwoord
select p;
return true;
}
Now I'm trying to create a "forgot password" option, where you enter your id and the password gets returned (later it would be emailed to you, don't know how I would do this either, suggestions?)
I tried with the following code:
public static string Forgot(int id)
{
var context = new DataClassesDataContext();
var wachtwoordLogin = (
from p in dc.Gebruikers
where p.GebruikerID == id
select p.GebruikerWachtwoord);
return wachtwoordLogin.ToString();
}
Code behind the button on the page:
lbl1.Text = Class1.Forgot(Convert.ToInt32(txt1.Text));
Now when I enter the an id of the first user (1), lbl1 becomes this:
SELECT [t0].[GebruikerWachtwoord] FROM
[dbo].[Gebruiker] AS [t0] WHERE
[t0].[GebruikerID] = #p0
I don't know how to solve this and I have been looking everywhere, I hope somebody can help me.
Thanks,
Thomas
LINQ uses delayed execution, so your 'wachtwoordLogin' is really just "how to get your data." Its not until you apply an operator that LINQ will actually attempt to retrieve your data.
Your first statement:
var loginGebruiker = (
from p in dc.Gebruikers
where p.GebruikerID == id
where p.GebruikerWachtwoord == wachtwoord
select p).FirstOrDefault()
if (loginGeruiker != null) {
//Valid login
} else {
// invalid
}
FirstOrDefault means, take the first item in the list, or return none.
In you other case you need the same thing:
user = wachtwoordLogin.FirstOrDefault();
Further reading: MSDN 101 LINQ Samples
For your question about emailing a forgotten password, have you ever thought about implementing the golden questions algorithm instead? Its simplified, and does the same thing.
Basically, at the time of registering just get them to answer some questions, and if they can verify them, allow them to reset the password.
you enter your id and the password gets returned
What, then, is the point of having a password if anybody who knows a username can see it? I know this isn't what you're asking, but for someone getting started in programming I feel a duty to point this out. What you're creating here is essentially a completely broken login model. Nobody should ever use a system like this.
You should never ever display a password. Not on the screen, not in an email, never.
Passwords, if they even need to be stored at all (CodingHorror has had a couple of good posts on this lately, advocating things like OpenID), should be stored in hashed form and essentially unable to be retrieved. When a user logs in, similarly hash the password they provide (immediately upon reaching the application code, before transporting it anywhere else in the system) and compare that to the stored hashed version.
If the user asks for his password, you don't have it. You can't give it to him. This is for his protection. Instead of providing the user with his password, if it's forgotten then you provide the user with a means to reset his password (sending an email to the address on file with a temporarily available URL, a set of "security questions" to verify his identity, etc.) so that he can enter a new one to overwrite the old one. But you shouldn't be able to "show" the user his password because even you as the administrator of the system shouldn't be able to see it in any usable form.
wachwoordLogin will be an IQueryable so you can get this by using FirstOrDefault() which will return null if not found:
(from p in dc.Gebruikers
where p.GebruikerID == id
select p.GebruikerWachtwoord).FirstOrDefault();

Resources