I want to be able to make it so a registered user can only be logged into the DNN site from one device/browser at any one time.
I understand that the DNN core doesn't support sessions but does have a a users online table which is checked by the scheduler, however i have been unable to find anything available to use this method.
The main purpose is to stop a paid user from sharing their login details with multiple people and thereby diluting the potential revenue to the site. I would think this was not a unique use case and someone must have dealt with this previously.
Open to any and all ideas including commercial modules.
I suppose that you could create a custom login module, and reject logins from a user who appear as active in the UsersOnline table.
I haven't looked around to see what methods are available, but the old usersonline module should provide some hints.
Related
I am new to Salesforce, but am an experienced developer. I am provided a link to a Salesforce report, which mostly has the right filters (query). I would like to use an REST API to pull that information as CSV or JSON so that I can do further processing on it.
Here are my questions:
Do I need special permissions to make API calls? What are they?
Do I need to create an "app" with client-key & secret? Does my admin need to grant me permission for this too?
There are a lot of REST APIs from Salesforce, which one do I need to get the info from the report? Analytics?
How do I authenticate in code?
You'd have to work with the System Administrator on the security pieces. Anybody who knows how the company works, can all users see everything, is there Single Sign-On in place, how likely is the report to change...
You will need an user account to pull the data. You need to decide if it'll be some "system account" (you know username and password and have them stored in your app) or can it run for any user in this org. It might not matter much but reports are "fun". If there will be data visibility issues 6 months from now, you'll be asked to make sure the report shows only French data to French users etc... you can make it in report filters or have multiple reports - or you can just use current users access and then it's the sysadmin that has to set the sharing rules right. (would you ever think about packaging what you did and reusing in another SF instance? Making a mobile app out of it? Things like that, they may sound stupid now but will help you decide on best path)
The user (whether it'll be system account or human) needs Profile permissions like "API Enabled" + whatever else you'd need normally ("Run Reports" etc). If you're leaning towards doing it with system user - you might want to look at Password Policies and maybe set password to Never Expires. Now this is bit dangerous so there would be other things you might want to read up about: "API only user" (can't login to website), maybe even locking down the account so it can login only from certain IP ranges or at certain times when the job's supposed to be scheduled...
Connected App and OAUth2 stuff - it's a good idea to create one, yes. Technically you don't have to, you could use SOAP API to call login, get session id... But it's bit weak, OAuth2 would give you more control over security. If you have sandboxes - there's little-known trick. You can make connected app in production (or even totally unrelated Developer Edition) and use client id & secret from it to login to sandboxes. If you create app in sandbox and you refresh it - keys stop working.
(back to security piece - in connected app you can let any user allow/deny access or sysadmin would allow only say these 3 users to connect, "pre-authorize". Could be handy)
Login - there are few REST API ways to login. Depends on your decision. if you have 1 dedicated user you'll probably go with "web server flow". I've added example https://stackoverflow.com/a/56034159/313628 if you don't have a ready SF connection library in your programming language.
If you'll let users login with their own credentials there will be typical OAuth "dance" of going to the target page (Google login, LinkedIn, Twitter...) and back to your app on success. This even works if client has Single Sign-On enabled. Or you could let people type in their username and pass into your app but that's not a great solution.
Pull the actual report already
Once you have session id. Official way would be to use Reporting API, for example https://developer.salesforce.com/docs/atlas.en-us.api_analytics.meta/api_analytics/sforce_analytics_rest_api_get_reportdata.htm
A quick & dirty and officially not supported thing is to mimic what happens when user clicks the report export in UI. Craft a GET request with right cookie and you're golden. See https://stackoverflow.com/a/57745683/313628. No idea if this will work if you went with dedicated account and "API access only" permission.
I have created a web page with RoR and i am using auth system that i wrote. Now i would like to create an admin panel, where i can see the user info etc..
I am not sure but what i though is to add a column name to auth system like admin? giving a default name false. Then if the admin? is true admin panel opens instead of the web page login.
I wonder if i can use the same auth system so in order to login to page it logs in to admin panel.
But in the controller it will check if admin? is true for every user, i am not sure about the burden in terms of the system requirments as it will check every user.
And i know there are other gems for admin panel but its fine i can design it. I am just not sure which way is the efficient way.
The burden on the system will be negligible. It depends a little bit upon how your auth system is configured, but I am assuming that you give the user a token when he/she is properly logged in.
When the user first tries to sign in, you should check if they are an admin. At this point, if they are, then you can sign them in as an admin, also storing that information in the session. You should perform this check on the controller actions where they need to be an admin. It will not affect performance to any noticeable degree and is important for the security of your site.
Also, you may want to check out the CanCanCan gem, which is a fork of CanCan built by Ryan Bates, for an example of how this works. Unless you're building the application for educational purposes, I highly recommend the CanCanCan gem.
Hope this helps!
In addition to that, you may try Rails_Admin, which provides an easy-to-use interface for managing your data.
And I've considered to use this gem for my project, which is a huge database, so it seems to very helpful.
I'd like to create visualforce page that inserts a record into salesforce account object. However, I expect some of the page users won't have salesforce accounts. Can they still access it? If not, what are the alternatives that can be used to visualforce page in this case? (Please don't consider Web to Lead Forms).
Thanks,
Yes, it's possible. Go read about Salesforce Sites. For a start:
http://wiki.developerforce.com/page/Websites
http://wiki.developerforce.com/page/An_Introduction_to_Force.com_Sites
(of course it's also possible to write that page in say Java/.NET/PHP and use integration via SOAP or REST to talk to Salesforce... but these 2 main links will keep the whole solution within SF so no need to need to learn new language, have extra maintenance effort etc)
Sites are VF pages that expose a bit of your company's data without need to log in. You can use them to input data too, just remember that in theory anybody could learn the link and spam you (not too different from web2lead, inbound email handlers etc). You specify security in a way similar to Profiles, the records will have "Created By = {site name} Guest User".
I don't think there's anything out of the box to restrict visibility, they're open to whole world. So if you would want something similar to login IP ranges (so only sales reps from your office's network can enter data) - you might have to write some logic in the controller.
your server must track purchases and allow user to restore purchased subscriptions to all iOS devices owned by a single user
I also need to track purchases and allow user to restore purchased subscriptions to all iOS devices owned by a single user. However, I am not aware of any mechanism that will allow me to identify all iOS devices owned by a single user from the app. I am not even aware of any mechanism for identifying the AppleID used by the user from the app. So how am I supposed to do this?
If you are using auto-renewable subscription you can just use the restore feature of store kit. If you're using non-renewable you must allow users to share their subscription across their devices. There are several ways to accomplish this. If you own a server, you can generate a key with a purchase. Associate a number with this key that indicates how many times a user has restored to another device (say, 5). When a user then enters this key on another device, you decrease this number. You would thus have to add a "Share" button in your app that would give the user this key. And you would need an "Unlock" button where the user can enter this code. If you are interested I could also find a method for you that doesn't require a server (but this is less secure).
Hope this helps.
EDIT:
sorry, just noticed you're talking about auto renewable:
http://developer.apple.com/library/ios/#documentation/StoreKit/Reference/SKPaymentQueue_Class/Reference/Reference.html
restoreCompletedTransactions is what you're after
I have a website that I've integrated with a popular forum software (phpBB).
I have it setup so users that login to the main site automatically are logged in to the forum software as well. I do this by authenticating through the forum's API at the very same time.
When someone registers for the site, an entry goes in to the main site database and an entry goes in to the forum user database (using the forum API).
The primary id of the forum user table is stored in a column in the main site user DB. This is saved at the time of registration: the registration process first creates a forum user, then passes back the ID in to the query that creates the user in the main site.
When a user logs in, if they authenticate with the main site, that ID is pulled and passed in to the forum login API to login the correct person.
However, a weird thing seems to happen randomly: one in every 30 or 40 people that registers ends up with a forum user id that is not their own in the main site user table. I know how to look for these problems and fix them on case by case basis and have scripts in place to do so, but that seems like more of a bandaid, not a fix.
Is this a common problem when linking data like this, or does this seem like something more specific with the software? Because of the randomness of this issue its been hard to debug.
I would suspect Session Management. Are you intentionally or unintentionally reusing session ids?
I've done something similar with vbulletin, by directly using the forum's mysql database to autheticate the main site, and other sites (they're all on the same machine)...
In your case, I would add the site-specific fields that are not in phpBB database in the site's db, and link it to phpbb by user_id... It could be one form on the main sites that inserts into the two databases (some in the main site db, others in phpBB db - with some more privileges fields), I'd use my own non-standard captcha like generating a distorted image "what is x+y" with x and y as random numbers and + may be replaced by other operations, or an image of "type the word ORANGE", or "type your username again"
I would disable the default phpBB registration... there are so many bots that know how to use it...
This would guarantee you have one source for the info, and you fill all the info at once.