Here's a snippet from the authorization doc in Solr.
Permissions with collection and path values matching the request specifically (not a wildcard match)
Permissions with collection matching the request specifically, and a path value of *
Permissions with collection matching the request specifically, and a path value of null
Permissions with path matching the request specifically, and a collection value of *
Permissions with both collection and path values of *.
Permissions with a collection value of * and a path value of null
This is the relevant part of my security.json file:
"permissions":[
{
"name": "read",
"role": "dev"
},
{
"name": "tp-read",
"collection": "techproducts",
"role": "admin",
"path": "/select"
},
{
"name": "all",
"role": "admin"
}
]
"user-role":{
"admin-user":"admin",
"dev-user":"dev"
}
}
I have two collections: techproducts and techproducts2.
From the first point in the snippet, I expect that if dev-user runs a select query curl --user dev-user:dev-passwd -X GET "http://localhost:8983/solr/techproducts/select?q=*", it should return 403 (as both collection and path values match exactly), but it returns results. What am I understanding wrong?
Related
I am trying to create a calendar event with extended data using Microsoft Graph API.(actually, I am trying to converting the existing open extension to schema extension since I couldn't filter the non-id extended value of the open extension.)
Before my try, I have already created my schema extension successfully and creating a calendar event with the schema extension responses an error code "BadRequest" and message "Requests must contain extension changes exclusively".
I tried to do this by following the doc.
POST https://graph.microsoft.com/v1.0/me/calendars/{calendar-group-id}/events
{
"subject": "schema extension test",
"body": {
"contentType": "HTML",
"content": "schema extension test"
},
"start": {
"dateTime": "2021-01-22T12:00:00",
"timeZone": "Eastern Standard Time"
},
"end": {
"dateTime": "2021-01-23T14:00:00",
"timeZone": "Eastern Standard Time"
},
"attendees": [],
"extendedData": {
"courseId": "11",
"materialId": "22",
"courseType": "video"
}
}
response:
{
"error": {
"code": "BadRequest",
"message": "Requests must contain extension changes exclusively.",
"innerError": {
...
}
}
}
Without extendedData, creating the event responses success, and after creating the event, if I patch the event with only extendedData, it responses an error "A type named 'Microsoft.OutlookServices.OpenTypeExtension' could not be resolved by the model. When a model is available, each type name must resolve to a valid type".
PATCH https://graph.microsoft.com/v1.0/me/calendars/{calendar-group-id}/events/{event-id}
{
"extendedData": {
"courseId": "11",
"materialId": "22",
"courseType": "video"
}
}
response:
{
"error": {
"code": "RequestBodyRead",
"message": "A type named 'Microsoft.OutlookServices.OpenTypeExtension' could not be resolved by the model. When a model is available, each type name must resolve to a valid type.",
"innerError": {
...
}
}
}
I was able to succeed when I used Graph API explorer with signed in user by consent Calendars.Read permission.
But if I try the same thing in postman, it doesn't work.
I already have granted all calendar permissions including delegated and application permissions in Azure.
This is because your schema extension name is not extendedData.
When you use POST https://graph.microsoft.com/v1.0/schemaExtensions to create an extension for Event type, the real name will be prefixed.
Like this:
And based on this known issue of Microsoft Graph:
You cannot specify a schema extension in the same operation as
creating an instance of contact, event, message, or post. You must
first create the resource instance and then do a PATCH to that
instance to add a schema extension and custom data.
So we need to create the event first and then update it.
When updating the event, we need to specify the real extension name:
I am attempting to use the Create Contacts endpoint for Microsoft Graph API (Doc is here: https://learn.microsoft.com/en-us/graph/api/user-post-contacts?view=graph-rest-1.0&tabs=http) to register new contact for my user. I created body as described in API documentation but getting the error below:
{
"error": {
"code": "Request_BadRequest",
"message": "A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value.",
"innerError": {
"request-id": "daf78520-50e6-444b-97a2-779762b3e6ed",
"date": "2020-01-23T14:20:18"
}
}
}
Requests used:
1. POST https://graph.microsoft.com/v1.0/{{tenant_id}}/contacts;
2. POST https://graph.microsoft.com/v1.0/me/contacts;
Request body example:
{
"givenName": "Yulia",
"surname": "Lukianenko",
"emailAddresses": [
{
"address": "yulia#lukianenko.onmicrosoft.com",
"name": "Yulia Lukianenko"
}
],
"businessPhones": [
"+1 732 555 0102"
]
}
Did somebody meet such kind of issue? How you resolved it?
Thank you in advance for your help!
POST request is incorrect here.
It should be :
https://graph.microsoft.com/v1.0/me/contacts
Also you need to make sure "Contacts.ReadWrite" permission is granted to the app registered in AAD.
P.S: I used the same JSON in your example using graphExplorer and contact was created successfully.
My application was designed to add a user to my Azure AD B2C using Azure AD Graph API. I also handled the case where I'd be calling the add user graph API with an email ID that already exists in AD. I was looking for the error message in the response body to handle this. Has there been any change w.r.t the response message?
POST
https://graph.windows.net/{tenant}/users?api-version=1.6
Request Body :
{
"accountEnabled": true,
"signInNames": [
{
"type": "EmailAddress",
"value": "TestGraphApiCreatedUser#TestGraphApiCreatedUser.com"
}],
"displayName": "TestGraphApiCreatedUser",
"mailNickname": "TestGraphApiCreatedUser",
"passwordProfile" : {
"forceChangePasswordNextLogin": false,
"password": "vhkjds#fceu456VCHU"
},
"creationType": "LocalAccount",
"passwordPolicies": "DisablePasswordExpiration"
}
If a user already exists with the given email address, the error I was getting earlier was
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property signInName already exists."
}
}
}
Now, for the same flow, I'm getting below error :
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property userPrincipalName already exists."
}
}
}
Is there any difference between the two error messages. Since there isn't any error code, I had hard coded the whole error message. Now that there is a slight change in the message, I've to update my code. How can I handle this in a better way?
I didn't check to confirm if they changed the error message, but it wouldn't surprise me at all if they did. The userPrincipalName may be coming from the underlying AAD, maybe MS changed the B2C implementation and now it exposes an error message from there?
In your particular case, a better option may be to check if the email address exists in B2C just before calling the API to create the new user. It's an extra API call, but it shouldn't matter much unless you're creating many users at a time, e.g. in a batch. You'll still have to handle the user creation call failure, but if it happens you could just return a generic error message.
When I call the Gmail API I get the following back (just an excerpt obviously since the body is massive:
{
...
payload: {
...
parts: [
{
"partId": "1",
"mimeType": "text/html",
"filename": "",
"headers": [
{
"name": "Content-Type",
"value": "text/html; charset=\"UTF-8\""
},
{
"name": "Content-Transfer-Encoding",
"value": "quoted-printable"
}
],
"body": {
"size": 4696,
"data": "PCFET0NUWVBFIGh0bWw-PGh0bWwgbGFuZz1lbj48....
I have just included the relevant parts. You will see that the html body part has the email encoded as base64Url, but toe content transfer encoding clearly says quoted-printable. I run it through a base64url decoder and it gives the correct data. But the header explicitly says it is quoted-printable
What am I missing?
The plain body part is this, which seems perfectly correct.
"headers": [
...
{
"name": "Content-Transfer-Encoding",
"value": "base64"
} ],
"body": {
"size": 601,
"data": "R29vZ2xlIEFQSXMgRXhwbG9yZXIgd2FzIGdyYW5
When you request a Message resource, the Gmail API can deliver message data in one of four formats that you can set via a query string (see documentation).
Below is a description of each format option, taken from the official docs:
"full": Returns the full email message data with body content parsed in the payload field; the raw field is not used.
(default)
"metadata": Returns only email message ID, labels, and email headers.
"minimal": Returns only email message ID and labels; does not return the email headers, body, or payload.
"raw": Returns the full email message data with body content in the raw field as a base64url encoded string; the payload field is
not used.
"full" is the default option where the body content is parsed and automatically stored as a base64 encoded string in the data property.
Keep in mind that the Message resource object is provided as a convenience to interact with the RFC5322 payload and it always provides its data payload in base64 regardless of the value on the Content-Transfer-Encoding header.
If you want to wrangle with the raw IMF(Internet Message Format - RFC5322) text, then set the format to "raw" in your query string. You'll have to base64 decode the raw string to get the IMF data. It will look exactly as you expect, but you'll have to write your own parser to manage its contents.
I am trying to create a "LocalAccount" in a B2C domain via the Azure AD Graph API.
To do this I registered an app (via Azure Active Directory -> App registrations (legacy)) and add all permissions for "Windows Azure Active Directory".
The request to create the user is
add_user_json = {
"accountEnabled": True,
"creationType": "LocalAccount",
"signInNames": [{
"type": "emailAddress",
"value": "test#email.com"
},
{
"type": "emailAddress",
"value": "test2#email.com"
}],
"displayName": user_id,
"mailNickname": user_id,
"passwordProfile": {
"password": "aPassword",
"forceChangePasswordNextLogin": "true"
},
"passwordPolicies": "DisablePasswordExpiration"
}
and the endpoint "https://graph.windows.net/{tenant}.onmicrosoft.com/users?api-version=1.6" (I tried "https://graph.windows.net/myorganization/users?api-version=1.6", too).
The error I get is "One or more properties contains invalid values."
Furthermore, if I create a new user via the sign up flow it is possible to create a local account.
Does anybody have an idea what I did wrong?
The "One or more properties contains invalid values." error is occurring because a user object can't have more than one signInName entry of the same type.
There's a really good utility here with the code to help you.
Look at the create example there
One obvious one is:
"forceChangePasswordNextLogin": "true"
This needs to be "false".