looking for some help or a blog post really regarding using the auth bundle with RavenDB..
using the HelloWorld example: http://ravendb.net/tutorials/hello-world
i'm trying to disable the user from querying for orders.. i've tried different auth roles approaches but i can't get the damn thing to work.
at present i've:
* created a authorization user
* created a authorization role
Id: Authorization/Roles/Orders
{
"Permissions": [
{
"Operation": "order/1",
"Tags": [
"Orders"
],
"Allow": false,
"Priority": 1
}
]
}
ID: Authorization/Users/ayende
{
"Name": "Ayende Rahien",
"Roles": [
"Authorization/Roles/Orders"
]
}
just can't get my head around how to filter out the orders from queries.
for example, querying orders/1 will return an order of 1 prior to applying the permission.
after using:
session.SecureFor("Authorization/Users/ayende", "orders/1");
I would expect orders to return no orders..
do i have this concept totally wrong or just configured my permission's wrong?
thanks
You can use the IsAllowed method to check whatever or not you can access a document or now, but also to check why you can / can't access a document.
Have you applied your permission to the document then invoked SaveChanges? Maybe if you post your code it would easier to tell what's happening.
Related
I would like to share document by link in sharepoint from microsoft graph code. Default behaviour is that every person who has link can see this file. I want to make this link working just for specific people.
So my code look like this:
Permission permission = await _graphClient.Sites[_options.SiteId]
.Drives[driveId]
.Items[itemId]
.CreateLink("view", "organization")
.Request()
.PostAsync();
This create share link for all people in organization. Now I would like to grant permissions (https://learn.microsoft.com/en-us/graph/api/permission-grant?view=graph-rest-1.0&tabs=csharp)
await graphClient.Shares["{sharedDriveItem-id}"].Permission
.Grant(roles,recipients)
.Request()
.PostAsync();
But I have no idea what should be in place "{sharedDriveItem-id}". When I put there itemId it doesn't work. Also if I put there permission.link.webUrl it also doesn't work.
What am I doing wrong?
From this documentation.
Once you create the shared link the response object returns an id, that's what you should use in place of the {sharedDriveItem-id}. See a similar response object below.
HTTP/1.1 201 Created
Content-Type: application/json
{
"id": "123ABC", // this is the sharedDriveItem-id
"roles": ["write"],
"link": {
"type": "view",
"scope": "anonymous",
"webUrl": "https://1drv.ms/A6913278E564460AA616C71B28AD6EB6",
"application": {
"id": "1234",
"displayName": "Sample Application"
},
},
"hasPassword": true
}
Okey, I found solution. There are few steps:
As sharedDriveItem-id I used encoded webUrl following by this instruction https://learn.microsoft.com/en-us/graph/api/shares-get?view=graph-rest-1.0&tabs=http
When I was creating link (https://learn.microsoft.com/en-us/graph/api/driveitem-createlink?view=graph-rest-1.0&tabs=http) in place scope i put "users"- there is no option like that in documentation but without that it doesn't work
I added Prefer in header https://learn.microsoft.com/en-us/graph/api/driveitem-createlink?view=graph-rest-1.0&tabs=http
I was using clientSecret/clientId authorization so I had to add azure app access to Sites.Manage.All and Sites.FullControl.All in Graph Api Permissions
Everything works If you using Microsoftg.Graph nuget in newest version (4.3 right now if I remember correctly)
I have written an application compliant to the SCIM standard (https://www.rfc-editor.org/rfc/rfc7644), but integrating with Azure I can see that it fails to update a user if it is disabled, the request that Azure send is the following:
PATCH /Users/:id
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Replace",
"path": "active",
"value": "False"
}
]
}
The SCIM protocol "sais" that the attribute active accept boolean values (https://www.rfc-editor.org/rfc/rfc7643#section-4.1.1), so following the PATCH protocol (https://www.rfc-editor.org/rfc/rfc6902#section-4.3) I expect a boolean value not a string with a boolean written inside it, so the expected request is the following:
PATCH /Users/:id
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Replace",
"path": "active",
"value": false
}
]
}
So the problem is that the given value "False" should be false.
Is this a bug of Azure or am I missing something? If it is a bug, should I try to parse the string and eventually extract a boolean? But if I do that I'm going to be out of standard. How did you manage this problem?
I also spent a lot of time trying to figure out if Azure was being compliant with the SCIM spec and the answer is that they are not.
The default values that they send for PATCH requests are indeed strings, not booleans as the User JSON schema defines.
You can override the values that get send/mapped into the SCIM schema by:
Go into your provisioning app
Mappings > Synchronize Azure Active Directory Users to customappsso (the name here might be different in your directory)
Find Switch([IsSoftDeleted], "False", "True", "True", "False")
Replace with Switch([IsSoftDeleted], , false, true, true, false) (note the additional comma.)
Hit OK and SAVE
NOTE that after saving it will still see quotes around the booleans, but the PATCH request will be sent correctly.
See screenshots for reference
The default Azure implementation of SCIM isn't fully compliant with the required SCIM schema.
I found I was able to use the default NOT([IsSoftDeleted]) by using Microsoft's workaround which does aim to be SCIM compliant for PATCH operations (returns booleans rather than strings for the 'active' attribute).
This is achieved by appending the URL parameter ?aadOptscim062020 after the tenant url input.
I have created users with GetStream (using client.user(user.id).getOrCreate({});) and getting those users full details in the Feeds. Could I get the same User details in the following API too?.
currently, I get the
user:ID as target_id
only.
"results": [
{
"feed_id": "timeline:d9fa73e8-9cd7-4ac1-aa4b-fe148971e1f0",
"target_id": "user:6bb0fb62-ed9a-4966-b713-774f1d7aa3e5",
"created_at": "2019-03-06T06:36:36.97424846Z",
"updated_at": "2019-03-06T06:36:36.97424846Z"
},
{
"feed_id": "timeline:d9fa73e8-9cd7-4ac1-aa4b-fe148971e1f0",
"target_id": "user:admin",
"created_at": "2019-03-05T13:49:13.52832166Z",
"updated_at": "2019-03-05T13:49:13.52832166Z"
}
]
Is there any chance to get the user full details in following and followers APIs too??
Unfortunately there is no way to do it, although we are aware of this limitation and we have this task in our backlog.
For now, the recommended approach is to request the user data from your own backend
I got a nodeJS lambda function which returns database data and I'd like to filter that data based on the user. I created a custom authorizer lambda function which gets the user for a JWT token, but I couldn't find a way to pass data from the authorizer function to the database function, except for principalId (user.id).
What possibilities do I have here? Do I need to setup cognito? Or is there another possibility?
While reading documentation I found out something different from what the accepted answer suggests. Maybe it's new, but now output can include not only a principalId, but also a "context", which is an object. Sample:
{
"principalId": "xxxxxxxx", // The principal user identification associated with the token send by the client.
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow|Deny",
"Resource": "arn:aws:execute-api:<regionId>:<accountId>:<appId>/<stage>/<httpVerb>/[<resource>/<httpVerb>/[...]]"
}
]
},
"context": {
"key": "value",
"numKey": 1,
"boolKey": true
}
}
More from official documentation here. Much better aproach. :)
It seems you have a couple of options.
1) You can place all the information about the user you need into the principal id that is set in the custom authorizer function. So maybe you could serialize the user as json or if you need just a couple of ids then concatenate them together with special character like: principalId: "userId|organizationId". I believe that there is some caching that API Gateway does around that principal id that is returned so I wouldn't make it anything that could be highly dynamic. You could also turn off caching for authorization as well, but that would slow down that endpoint as a result.
2) Just pass the user id and do the user lookup again to get all the information in the function that does the database call. If you're using DynamoDB it will be fast supposedly.
And Cognito seems nice but I don't think it will help you solve the particular problem that you're having now. If it was me though I would choose option 2.
One possible way is to encode the data object to base64 string from authorizer lambda function and decode it down the line.
var principalId = new Buffer(JSON.stringify({
id: 5,
name: "John"
})).toString('base64');
var policy = require('./policy.json');
var policyConfig = {
"principalId": principalId,
"policyDocument": policy
};
context.succeed(policyConfig);
Decoding can be done in two places, one place is the request template section. This can be done by writing a transformation in velocity scripts as shown below
{
"requestTemplate": {
"application/json": {
"principal": "$util.urlEncode($util.base64Decode($context.authorizer.principalId))"
}
}
}
Other option is to decode inside the endpoint lambda function with the nodejs Base64 decoding. Check the following link for more information.
stack overflow answer for base64 decode
It's easy to determine if a User is a member of a Team if you know the id:
GET /teams/:id/members/:user
But how can one easily determine the ID of the special "Owners" team that every Organization has?
As far as I can tell, the only way is to retrieve a full list of all Teams (which I assume may be multiple pages?) and walk through them until you find one with the name "Owners".
This is doable of course, but it's uncharacteristically inconvenient for GitHub's otherwise fantastic API. ;)
For what it's worth, I've tried the following (with no luck):
GET /orgs/:organization/teams?name=Owners # Lists all teams
GET /orgs/:organization/owners # 404
Just to be clear, I've made sure to use a token associated with the user that owns the organization in question, so there shouldn't be any authorization issues.
There is currently no easy way to check if a user is in the owners team. Thanks for the cool feature suggestion, though! ;)
A hacky workaround would involve performing a non-destructive operation which only owners are allowed to do. If the operation succeeds - the authenticated user is an owner.
For example, you could try editing the organization's settings by sending an empty JSON hash:
$ curl -v -X PATCH -d '{}' https://api.github.com/orgs/:org?access_token=TOKEN
If this returns a 200 status code, the user is an owner. A 404 status code signals otherwise.
Hopefully we can provide a more elegant solution in the future.
As an alternative, quicker solution, you can use the memberships API to get details about the authenticated user's membership to each organization they belong to.
The request is simply GET /user/memberships/orgs?state=active, and the response looks like this:
[
{
"state": "active",
"role": "admin",
"organization": {
"login": "octocat",
"id": 1,
},
"user": {
"login": "defunkt",
"id": 3,
"gravatar_id": "",
"type": "User",
"site_admin": false
}
},
{
"state": "active",
"role": "member",
"organization": {
"login": "invitocat",
"id": 2,
},
"user": {
"login": "defunkt",
"id": 3,
"gravatar_id": "",
"type": "User",
"site_admin": false
}
}
]
The important field to note is role; we only want "role": "admin".
I'm not sure that this guarantees that the user is a member of Owners, but it does indicate that they have administrative powers of the organization.
Simply determine if they are part of the team named "owners" for that org https://developer.github.com/v3/orgs/teams/#list-team-members
Owners are a special team for GitHub with only owners.
See https://github.com/orgs/YOURORG/teams/owners