Sharepoint 2010/SSRS 2008R2 Security Hole - security

We are using a Sharepoint Implementation for a customer portal. We are giving each client a site where they will have access to reports. We are using the same library of reports, each report takes a parameter that is a unique identifier for the client. The issue we are running into is that as long as you can authenticate to the system you can view the source on the page that has the report and by doing some googling you can figure out how to put together a query string to pull a report. By picking random id numbers you can pull up other clients reports.
Odds are clients will not do this, but there is always a chance and we are looking to close this hole.
Anyone else run into this? We have a some possible solutions but are hoping that there might be something simpler that we are missing.

Within SSRS you can access the User's ID: If you create an internal parameter set to this value (=User.UserID), your queries can check to see if that user has permissions to view the requested data. (i.e. create a table with the UniqueIDs that the user is allowed to access and join to that.)
Combine this with the unique ID parameter, and you should be covered.

If you set up item level permissions for each report you shouldn't have this issue.

Related

Email Attachments to SharePoint Document Library - Error

I have this weird problem when I try to use a simple default flow template to save email attachments to the company main SharePoint site: company.sharepoint.com (not subsite).
So I get started, by taking all the defaults of this flow, however, once i get to the point of providing the site address and document library path I get the error highlighted in red.
Where I get confused is that when I create a subsite like company.sharepoint.com/sites/testsite I enter the subsite address and the folder path automatically populates the folder structure for me to pick where I want to save such attachment.
I have given full owner permission to this test account with same results. So permission is not the problem.
My question is, could it be I'm using the wrong flow to save to a main SharePoint site? or this is something not allowed?
You could check the connector and recreate a new connection to SharePoint.
In many cases, an error code of 403 appears in a flow fail because of an authentication error. If you have this type of error, you can usually fix an authentication error by updating the connection, please make sure you have update the connection.
You could refer to this article.
Just in case anyone has a similar problem, the account to which you are creating a power automate flow must be a site collector to the root SharePoint site.

When I create an Azure AD user, the calendars "allowedOnlineMeetingProviders" is empty, how do I update this?

I need a users calendar to have the property "allowedOnlineMeetingProviders" contain "teamsForBusiness". I am not able to add the calendar via the create user call (graph api) so I had to subsequently update the existing calendar but it wont let me update the property (only name seems to update). Anyone know how I can programmatically set this property?
Its because its not expected workflow ~ Microsofts response:
Hope you are doing good.
Apologies for the delayed response, I have tried to gather more details on this behavior internally, but unfortunately since this is an existing behavior in the system i.e. by design we can say since the new user needs to have some kind of interaction with the MS teams initially.
Unfortunately, we aren't much help on this scenario from MS graph api standpoint.
We request you to provide your feedback/ideas/suggestion https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
We regret not being helpful to you on this case since this is a known issue.
Kindly let us know if you have any queries.

How to track last login date for IBM Domino web user?

Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.

Liferay database table work flow?

I am new to Liferay. Now I need to create the flow chart which has the Liferay table work flow in following scenarios,
1) What are the list of table will reflect/update if we create the site admin?
2) What are the list of table will reflect/update if we create the site?
I tried by opening database tables and noticed that USER_, CONTACT_ will reflect, But I need list of all the related tables which will reflect when we create the site and siteadmin? I am using Liferay 6.2 version.
Thanks in advance.
When you want to know the internals of any system it is always best to check the relevant source-code. So in this case you can check the source-code for those classes which are used for CRUD operations on User and Site.
1) What are the list of table will reflect/update if we create the site admin?
Site-administrator is a Role, which can be applied to a User created in Liferay.
So if you want all the tables that are created from User-creation till User is assigned the Site-administrator role for a particular site, there here are some which I can recollect:
User_ (Obvious)
Contact_ (not so obvious :-) )
Group_ (Users are also created as a record in this table since Users have public and private pages)
Address (if you add an address)
Phone (if you add a Phone)
Users_Roles (Power user role is assigned by default)
UserGroupRole (user and site-role relationship, Site-administrator is a Site-role)
Users_Groups (user and site relationship)
For others you should refer the source-code for UserLocalServiceImpl, RoleLocalServiceImpl and GroupLocalServiceImpl, check the relevant methods prefixed add, update etc.
The corresponding service.xml for these module would reveal the database tables being used.
2) What are the list of table will reflect/update if we create the site?
Sites are nothing but Groups in Liferay. So its obvious Group_ table is playing a big role.
Other tables also depend upon what configuration you are doing while creating a Site.
Then there would be other tables like Layout when you start creating pages for a Site.
I would strongly encourage to go ahead and explore the source code for the classes and you would understand the flow - when and what tables are affected.
Here is some convention which might help you traverse the source-code, almost every *LocalServiceImpl is associated with a *Model like UserLocalServiceImpl with UserModel and almost every *Model has a corresponding database table with the same name.
Also the name of the functionality would in most cases hints at what service classes are being used to connect to database, like adding a User would hint at using UserLocalServiceImpl.
Hope I have understood your question and have been able to give some proper direction.
If you want to know this because you also want to write to these tables: Don't go there! You should purely use the API to change the data that Liferay stores. Otherwise you will run into disasters some time in the future - promised.
For just getting the SQL commands that Liferay actually uses, configure portal-ext.properties and change this default value:
hibernate.show_sql=false
Then go to "Server Administration/Log Levels" and add a new category "org.hibernate.SQL", configure it to the level DEBUG. Then the results show up in the logs. Note that this log configuration is transient and will be reverted on next server start. If you want the setting to be persistent, you'll need to go into Liferay's log4j configuration files.
Remember: You don't want to write to the tables ever. Promise!

How to view standard objects in salesforce online?

there are many standard objects e.g. AccountcontactRole, LetterHead, Approval etc. which can be retrieved using Salesforce APIs. What is the way to see these objects in Salesforce environment in browser?
Very roughly speaking - easiest cheat is to simply put the Id in the URL. So if your Salesforce instance is https://na1.salesforce.com then adding /001.... (any valid Account Id) will take you to this account. Similarly /016... will take you to "this" Letterhead record.
Some data is easily accessible to users - for example AccountContactRole should be available as related list under Account. If it isn't - probably the administrator removed it from page layout because the company decided to use only the straightforward Account - Contact relationship.
Some data like Letterheads, EmailTemplates, Approval processes is visible in the setup area (not all users have the "View Setup and Configuration" permission in their Profiles!)
*Share records (like AccountShare) would be visible after you click the Sharing button on the page layout (if it's not visible - again, check with Admin).
If you're using API to fetch the data, you probably can also use "describe" calls to fetch info which objects are available, what fields are present in the tables... Sometimes the "Frontdoor URLs" property is set (although I confess I'm not sure how to get it, http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_Schema_DescribeSObjectResult_instance_methods.htm doesn't mention it).
Also - if you haven't noticed yet - all Accounts start with "001". Try to guess where "/001" and "/001/o" links would lead.

Resources