I am building application that currently has a simple authorization requirments:
All users can view the data of all controllers.
Only Admin can create/edit the data.
The project use admin gem so no controllers in my application (although I can overide if needed)
I would like to add authorization for the generic requirement for all controllers:
class ApplicationController < Administrate::ApplicationController
before_filter :authenticate_admin
def authenticate_admin
authorize requested_resource # requested_form is the relevant object(e.g. Post #post)
end
end
but then I get the following:
unable to find scope NilClassPolicy::Scope for NilClass
app/policies/application_policy.rb:41:in scope' app/policies/application_policy.rb:15:inshow?'
app/controllers/admin/application_controller.rb:27:in `authenticate_admin'
Seems like it can't find the policy, what do you think?
I'm not sure you still need help with this particular question, but since I found it while doing research for a very similar issue I figured I would still put my two cents in, because I was able to figure out the reason I was receiving a similar exception.
I had mistakenly called authorize in my controller i.e.:
# customer_contoller.rb
def show
authorize #customer
end
However, I had not created a corresponding def show? method in customer_policy.rb. All I had to do was create the corresponding show? method and it worked!
So I would imagine that this exception is caused when there is a mismatch between calling authorize in the controller and the policies that you have setup. Specifically when you haven't created a policy for the action you are asking to authorize.
Hope that helps someone at least get moving in the right direction.
Related
I am looking at building a class implementing the IdentityServer IResourceStore interface. My goal is to serve IdentityResource and ApiResource collections as defined in a custom repository.
Ideally, I will receive requests for these resources and respond with the subset relevant to the query. In short: You only get what you ask for.
The GetAllResources()method makes me leery: Is IdentityServer actually requiring that I pull the entire set of my Identity and API resources from my repository and make this available? At this point I have no idea how large those collections will grow, or the cost of pulling them from the repository.
What are the consequences of simply responding with a null or empty lists of resources?
-S
It's used in the GetAllEnabledResourcesAsync method in the IResourceStoreExtensions class, which in turn is used by the DiscoveryEndpoint. So, if you don't implement this method the Discovery endpoint will not be able to display any scopes or claims.
By don't implement I mean return some empty lists or something, not throw a NotImplementedException or return null... That would break everything.
Can anyone who knows how to use the angularjs ngFacebook module help me to perform a facebook batch request? Is it possible to do it with this module?
What I need exactly is to get the user events from facebook, for that I have to do 4 different request:
$facebook.api('/me/events/attending').then(function(response) {//code here});
$facebook.api('/me/events/created').then(function(response) {//code here});
$facebook.api('/me/events/maybe').then(function(response) {//code here});
I think I could batch this request, I just don't know if it's possible to do using this module.
Also the most tricky part would be that, for each event returned I would need to get the owner, and with the owner.id to get his picture, right now what I do is:
$facebook.api('/me/events/attending?fields=owner').then(function(response) {
//And here I do a "for" into the events to request for each owner picture
});
Of course it doesn't seem the best way to do it, but I have searched a lot for the solution and I couldn't make anything work.
I think you should be able to request all user events, inluding the owner info:
GET /me/events?fields=id,name,owner{id,picture},rsvp_status
You can determine the "status" of the event to the user by the rsvp_status (attending, maybe, declined, no_reply) field.
See
https://developers.facebook.com/docs/graph-api/reference/v2.3/event#read
https://developers.facebook.com/docs/graph-api/reference/user/events/
https://developers.facebook.com/docs/graph-api/using-graph-api/v2.0#fieldexpansion
I'm not sure of the batch request protocol that Facebook uses but you could try this module.
https://github.com/jonsamwell/angular-http-batcher
If it doesn't support it add an issue and I'll looking into implementing it. Disclosure: I created this angular http batching library.
I'm new to app engine, python an web development in general. I have an issue that i don't know how to solve. I want to maintain in the server an tuple with values that the user select. I pass this values to the server in the parameters of the page.
But the problem is that this tuple is modified by all the users and I want that each user can have his own values. The users aren't identified.
I've been looking for how to solve it, and I found some answers here in stackoverflow, but major part of them are more than 2 years old, and I think that I need to use the library gaeutilities, but not sure about it, and If Google have an “official” solution to maintain session variables with python in app engine.
I defined the var “categoria” as a class variable,
class returnElements(webapp2.RequestHandler):
categoria = []
def get(self):
…...
cat = str(self.request.get("cat"))
self.categoria.append(cat)
…...
app = webapp2.WSGIApplication([
('/returnElements', returnElements),
…....
and here the url
http://localhost:13080/returnElements?cat=Sudaderas
It works fine, but just with one user at time :-(
By the way Im new to stackoverflow, sorry in advance if the question isn't accurate or solved in another thread.
In any web app, you must never store user-specific data in module or class-level variables as they will be shared by all users.
If you need to persist data for a user, save it in the datastore! That's what it's for. There are various implementations of user-specific sessions, such as the gaeutilities library which you link to. That library has full documentation which you should read.
The Problem
The SharePoint adapter for Breeze expects a model with a SharePoint list name and then attempts by default to access _api/web/lists/getbytitle('<DefaultResourceName>') and I have not found a way to over ride that. The problem with this behavior is that if a user who is not a site collection admin accesses the User Information List using the web/lists/ end point they will receive a 404 error. Instead, for whatever reason, regular users must access the same exact information via _api/Web/SiteUserInfoList/items.
The Question
What would be the best way to add functionality to the Breeze SharePoint adapter to get user details or a list of site users? In my existing solution I have merely changed my data context object to use $http and the _api/Web/SiteUserInfoList/itemsend point but I'd like to still be able to use Breeze's amazing filtering ability but it's not clear to me the best path to begin adding this functionality to the adapter.
With breeze you can configure specific AJAX requests using a request interceptor.
The example below changes the timeout but you could just as easily change the url.
var ajaxAdapter = breeze.config.getAdapterInstance('ajax');
ajaxAdapter.requestInterceptor = function (requestInfo) {
requestInfo.config.timeout = 5000;
// todo: examine the requestInfo.config object and change the url as-needed
}
here's the relevant code in the breeze source
I'm programming an application with google app engine, with django 1.1 (no django pacth or others), well as you know is impossible use django login and session features so I download
Gae utility and use Session Object (http://gaeutilities.appspot.com/) but some time this object create 2 sessions instead 1 session ... here's code
def index(request):
aSWrap = SWrap(SWrap.createSession())
....
def login(request):
aSWrap = SWrap(SWrap.createSession())
....
class SWrap(object):
#classmethod
def createSession():
return Session(cookie_name='my_cookie',session_expire_time=7200)
and for setting session no expiration or really long expiration...enter code here
Thanks
Judging by the code, you're calling createsession twice within the same request. That will cause problems with David's library as well.
Also, gaeutilties session included a config file where you can modify all the default values as you like.
https://github.com/joerussbowman/gaeutilities/blob/master/appengine_utilities/settings_default.py
gaeutilities session also has security features lacking in gae-sessions. I'm afraid David didn't attempt to answer you question, rather just suggested you use his library which under your current implementation would have the exact same problem. You need to be sure you only initiate the session once per http request no matter what session library you're using.
I'm moving gaeutilities session to a decorator in order to address this issue as well and provide better performance. You can watch the master branch on Github for updates. https://github.com/joerussbowman/gaeutilities
I suggest using a different sessions library. Check out this comparison of the available sessions libraries for GAE.
I'd recommend gae-sessions - it presents an API almost identical to the library you are currently using, but it is much faster and shouldn't give you headaches like the bug you've encountered above.
Disclaimer: I wrote gae-sessions, but I'm not the only one who would recommend it. Here is a recent thread discussing sessions on the google group for GAE python.
What are you trying to do with SWrap(SWrap.createSession())? It looks like the result of SWrap.createSession() is passed to the SWrap() constructor. Have you omitted part of the definition of SWrap?
Perhaps this is more what you are wanting:
def index(request):
mysession = SWrap.createSession()
....
def login(request):
mysession = SWrap.createSession()
....
class SWrap(object):
#staticmethod
def createSession():
return Session(cookie_name='my_cookie',session_expire_time=7200)