How can I create regular, non-admin users in CouchDB?
First you put the user in _users database. The ID of the document must be org.couchdb.user:username, e.g.
With CouchDB 1.2.0 or later use this:
{
"_id": "org.couchdb.user:dbreader",
"name": "dbreader",
"type": "user",
"roles": [],
"password": "plaintext_password"
}
CouchDB will hash & salt the password for you on the server side and save the values in the fields password_sha and salt (see below).
With CouchDB < 1.2.0 the user document needs to look like this:
{
"_id": "org.couchdb.user:dbreader",
"name": "dbreader",
"type": "user",
"roles": [],
"salt": "54935938852dd34f92c672ab31e397cedaf0946d",
"password_sha": "42253ea4461a604f967813aaff90b139d7018806"
}
Note that CouchDB 1.3.0 and later will use PBKDF2 instead of aha & salt for hashing the password.
Then you can create per database authentication by creating document with id _security in specific database which is not versioned, e.g.
{
"admins": {
"names": ["dbadmin"],
"roles": ["editor"]
},
"readers": {
"names": ["dbreader"],
"roles": ["reader"]
}
}
This means that there are 2 users in _users besides the admin dbadmin and dbreader. That should do in case you are too lazy to read the document that has already been suggested.
The CouchDB documentation has a short article about the security features of CouchDB, and it includes a section on how to create a new user.
I think you have to put a web framework in front to do this the way many sites do. Couchdb admin roles do not work on a record by record basis, so if you create a reader who can read the profiles or account table they can read record.
Related
I am creating a simple bot using Azure LUIS and this is my first one. I made some decent progress after doing some research and also now integrated with Slack as channel to test it.
The bot functionality is working fine, but I am looking to identify the user. So that I can personalize the bot conversation and also to pull the user specific information from his profile table.
Is there anyway, that I can get a UID or any reference ID of the slack user and so I can store that in my user table along with user profile?
So next time, when the user greets the bot, the bot can say "Hello, John." instead of justing say "Hello."
Thanks!
Yes. You can use the channelData object to get the ApiToken, and user values. For example, in C#, you could use turnContext.Activity.ChannelData to get those values in JSON:
{{
"SlackMessage": {
"token": "............",
"team_id": "<TEAM ID>",
"event": {
"type": "message",
"text": "thanks",
"user": "<USER WHO MESSAGED>",
"channel": "............",
"channel_type": "channel"
},
"type": "event_callback",
"event_id": ""............",
"event_time": 1553119134,
"authed_users": [
"............",
"<USER WHO MESSAGED>"
]
},
"ApiToken": "<ACTUAL TOKEN HERE>"
}}
Then, using those two pieces of information, you can then retrieve info from Slack.
https://slack.com/api/users.info?token=<ACTUAL TOKEN HERE>&user=<USER WHO MESSAGED>&pretty=1
And get a response that has the info you need:
{
"ok": true,
"user": {
"id": "<USER WHO MESSAGED>",
"team_id": "<TEAM ID>",
"real_name": "Dana V",
Ideally, you would would probably want to have bot user state setup and check that first, then if not there, then make the API call to Slack, then store in state. Therefore further requests don't need to go to Slack, but will just pull from the state store.
Basically, you could/should do this in the onTurn event. First, create your user state storage such as here.
Then you could check for that value and write to it if not populated. This example on simple prompts, might be helpful. You won't need to prompt for your user's name, as this example does, but does read/write username from state. You could still use dialogs, but you won't need them for the name prompting as you are doing that dynamically.
You can see here where username is being set and here where it is being retrieved. In this case, it is in the dialogs, but again; you would/could just do in the turn context (using logic to get and if not there, set).
I found the solution by priting the whole session object, which is having all the required informaiton. This could be same as mentioned by Dana above, but after debugging, this follwing made simple without making any changes.
var slackID = session.message.address.user.id
With above, I am able to identify the user.
Thanks.
I have created users with GetStream (using client.user(user.id).getOrCreate({});) and getting those users full details in the Feeds. Could I get the same User details in the following API too?.
currently, I get the
user:ID as target_id
only.
"results": [
{
"feed_id": "timeline:d9fa73e8-9cd7-4ac1-aa4b-fe148971e1f0",
"target_id": "user:6bb0fb62-ed9a-4966-b713-774f1d7aa3e5",
"created_at": "2019-03-06T06:36:36.97424846Z",
"updated_at": "2019-03-06T06:36:36.97424846Z"
},
{
"feed_id": "timeline:d9fa73e8-9cd7-4ac1-aa4b-fe148971e1f0",
"target_id": "user:admin",
"created_at": "2019-03-05T13:49:13.52832166Z",
"updated_at": "2019-03-05T13:49:13.52832166Z"
}
]
Is there any chance to get the user full details in following and followers APIs too??
Unfortunately there is no way to do it, although we are aware of this limitation and we have this task in our backlog.
For now, the recommended approach is to request the user data from your own backend
I don't want normal users to be able to create Databases.
In the Futon Screen /_utils, when logged in as a plain user, everything functions as expected. Only Admins can create Databases.
But when I sync my pouchDB with couchDB, plain users can also create (replicate?) Database. I want the adding of new Databases only to be restricted to Admin users.
Also I just noticed that existing DB also get edited even when user is restricted.
How can I fix this?
var remoteCouch = http://testuser:testuser#{domain}.iriscouch.com/testdb;
PouchDB.debug.disable();
if (remoteCouch) {
sync();
} else {
console.log("No remote server.");
}
function sync() {
var opts = {live: true};
db.replicate.to(remoteCouch, opts, syncError);
db.replicate.from(remoteCouch, opts, syncError);
}
EDIT
Testuser is also not in /_config/admins
Testuser:
{
"_id": "org.couchdb.user:testuser",
"_rev": "1-7d28b3388a62cfca103cbe3642549bee",
"password_scheme": "pbkdf2",
"iterations": 10,
"type": "user",
"name": "testuser",
"roles": [
"testuser"
],
"derived_key": "2181a44141d6d6aa2061bb2c5c057451acc6461e",
"salt": "2184888b099f37605feca0a22e5b6bb9"
}
Is your CouchDB in admin party mode? If it's not, then only admins should be able to create databases, whether it's via Futon or PouchDB.
PouchDB isn't doing anything special; you can simulate what PouchDB is doing by using curl:
curl -X PUT http://someuser:somepassword#path.to.couchdb.com:5984/somedatabase
Are you sure your testuser isn't an admin? If the user that you give to PouchDB is an admin, then yes, users will be able to create their own databases.
More info on authentication can be found here: https://github.com/nolanlawson/pouchdb-authentication#couchdb-authentication-recipes
It's easy to determine if a User is a member of a Team if you know the id:
GET /teams/:id/members/:user
But how can one easily determine the ID of the special "Owners" team that every Organization has?
As far as I can tell, the only way is to retrieve a full list of all Teams (which I assume may be multiple pages?) and walk through them until you find one with the name "Owners".
This is doable of course, but it's uncharacteristically inconvenient for GitHub's otherwise fantastic API. ;)
For what it's worth, I've tried the following (with no luck):
GET /orgs/:organization/teams?name=Owners # Lists all teams
GET /orgs/:organization/owners # 404
Just to be clear, I've made sure to use a token associated with the user that owns the organization in question, so there shouldn't be any authorization issues.
There is currently no easy way to check if a user is in the owners team. Thanks for the cool feature suggestion, though! ;)
A hacky workaround would involve performing a non-destructive operation which only owners are allowed to do. If the operation succeeds - the authenticated user is an owner.
For example, you could try editing the organization's settings by sending an empty JSON hash:
$ curl -v -X PATCH -d '{}' https://api.github.com/orgs/:org?access_token=TOKEN
If this returns a 200 status code, the user is an owner. A 404 status code signals otherwise.
Hopefully we can provide a more elegant solution in the future.
As an alternative, quicker solution, you can use the memberships API to get details about the authenticated user's membership to each organization they belong to.
The request is simply GET /user/memberships/orgs?state=active, and the response looks like this:
[
{
"state": "active",
"role": "admin",
"organization": {
"login": "octocat",
"id": 1,
},
"user": {
"login": "defunkt",
"id": 3,
"gravatar_id": "",
"type": "User",
"site_admin": false
}
},
{
"state": "active",
"role": "member",
"organization": {
"login": "invitocat",
"id": 2,
},
"user": {
"login": "defunkt",
"id": 3,
"gravatar_id": "",
"type": "User",
"site_admin": false
}
}
]
The important field to note is role; we only want "role": "admin".
I'm not sure that this guarantees that the user is a member of Owners, but it does indicate that they have administrative powers of the organization.
Simply determine if they are part of the team named "owners" for that org https://developer.github.com/v3/orgs/teams/#list-team-members
Owners are a special team for GitHub with only owners.
See https://github.com/orgs/YOURORG/teams/owners
looking for some help or a blog post really regarding using the auth bundle with RavenDB..
using the HelloWorld example: http://ravendb.net/tutorials/hello-world
i'm trying to disable the user from querying for orders.. i've tried different auth roles approaches but i can't get the damn thing to work.
at present i've:
* created a authorization user
* created a authorization role
Id: Authorization/Roles/Orders
{
"Permissions": [
{
"Operation": "order/1",
"Tags": [
"Orders"
],
"Allow": false,
"Priority": 1
}
]
}
ID: Authorization/Users/ayende
{
"Name": "Ayende Rahien",
"Roles": [
"Authorization/Roles/Orders"
]
}
just can't get my head around how to filter out the orders from queries.
for example, querying orders/1 will return an order of 1 prior to applying the permission.
after using:
session.SecureFor("Authorization/Users/ayende", "orders/1");
I would expect orders to return no orders..
do i have this concept totally wrong or just configured my permission's wrong?
thanks
You can use the IsAllowed method to check whatever or not you can access a document or now, but also to check why you can / can't access a document.
Have you applied your permission to the document then invoked SaveChanges? Maybe if you post your code it would easier to tell what's happening.