How to grant user User Points after publishing content, while content's default is unpublished? - drupal-7

I'd like to grant users User Points when their added content of the content type 'Content', which is unpublished by default, is published. I tried this with the Rules module:
- Event: After saving new content
- Elements:
  * Content is of type: Content
  * Content is published
- Actions: Grant points to a user
So, when a user adds 'Content' content, they don't get any User Points and their content is unpublished. My idea was that they'd be granted the points after I - as moderator - had published their content. But apparently, they don't get points after I've done that with the rule I set up. What did I do wrong and how can I solve this?

Please check the Flag module, as my friend told me to.
STEP 1 - Make a flag module named (Publish node and grant points to user)
and after that make an event in
STEP 2 - Configuration --> Workflow --> Rules --> and make an event over there, selecting the flag you just made, i.e. (A node has been flagged, under "add points on publish article flag").
After that, set the action as (Grant points to a user):
Data Selector: flagged-node:author
Points: 5
Point Category value: (Select your category)
Operation value: flagged-node:author
Automatically approved
And you are done now.
When the user posts the article it will be unpublished, and when the admin makes it published, when the user clicks on "flag this item", the points will be granted to the user.

You could create flag and give flag name as Publish node and grant points to user.
Then add new rule with event A node has been flagged, under "Publish node and grant points to user".
For actions publish this node and grant points to user use this data selector: flagged-node:author

Related

Delphi IPWorks LDAP PASSWD_CANT_CHANGE

I am using Delphi 10.3 and IPWorks LDAP component. I can modify most attributes without any issues, such as unicodePwd, givenName, and mail. However, for the userAccountControl attribute of a user, I am unable to set ADS_UF_PASSWD_CANT_CHANGE, of course after successfully binding as an administrator with secure connection and supplying correct DN, because if the connection is not secure, it is impossible to modify the password:
    const
      ADS_UF_NORMAL_ACCOUNT = 512;
      ADS_UF_DONT_EXPIRE_PASSWD = 65536;
      ADS_UF_PASSWD_CANT_CHANGE = 64;
      ADS_UF_LOCKOUT = 16;

    ipaLDAP1.DN := searchResultDN;
    ipaLDAP1.AttrCount := 1;
    ipaLDAP1.AttrType[0] := 'userAccountControl';
    ipaLDAP1.AttrValue[0] := IntToStr(ADS_UF_NORMAL_ACCOUNT + ADS_UF_DONT_EXPIRE_PASSWD + ADS_UF_LOCKOUT + ADS_UF_PASSWD_CANT_CHANGE);
    ipaLDAP1.AttrModOp[0] := amoReplace;
    ipaLDAP1.Modify();
It is strange that I can not modify ADS_UF_PASSWD_CANT_CHANGE. It doesn't take effect on the user. When I check the user, this attribute is still unchecked. I don't understand why.
userAccountControl is a bitmask, so you should be using the or operator to combine flags, not the + operator.
But, more importantly, according to How to use the UserAccountControl flags to manipulate user account properties:
PASSWD_CANT_CHANGE
Note: You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.
Where the "Property flag descriptions" section says:
PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:
Modifying User Cannot Change Password (LDAP Provider)
That page, in turn, says:
The ability of a user to change their own password is a permission that can be granted or denied. To deny this permission, set two ACEs in the security descriptor discretionary access control list (DACL) of the user object with the ADS_ACETYPE_ACCESS_DENIED_OBJECT ace type. One ACE denies the permission to the user and another ACE denies the permission to the Everyone group. Both ACEs are object-specific deny ACEs that specify the GUID of the extended permission for changing passwords. To grant this permission, set the same ACEs with the ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ace type.
The following procedure describes how to modify or add ACEs for this permission.
To modify or add the ACEs for this permission:
1. Bind to the user object.
2. Obtain the IADsSecurityDescriptor object from the ntSecurityDescriptor property of the user object.
3. Obtain an IADsAccessControlList interface for the security descriptor from the IADsSecurityDescriptor.DiscretionaryAcl property.
4. Enumerate the ACEs for the object and search for the ACEs that have the change password GUID ({AB721A53-1E2F-11D0-9819-00AA0040529B}) for the IADsAccessControlEntry.ObjectType property and "Everyone" or "NT AUTHORITY\SELF" for the IADsAccessControlEntry.Trustee property.
   Note: The "Everyone" and "NT AUTHORITY\SELF" strings are localized based on the language of the first domain controller in the domain. Because of this, the strings should not be used directly. The account names should be obtained at run time by calling the LookupAccountSid function with the SID for "Everyone" ("S-1-1-0") and "NT AUTHORITY\SELF" ("S-1-5-10") well-known security principals. The GetSidAccountName, GetSidAccountName_Everyone, and GetSidAccountName_Self C++ example functions shown in Reading User Cannot Change Password (LDAP Provider) demonstrate how to do this.
5. Modify the IADsAccessControlEntry.AceType property of the ACEs that were found to ADS_ACETYPE_ACCESS_DENIED_OBJECT if the user cannot change their password or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT if the user can change their password.
6. If the "Everyone" ACE is not found, create a new IADsAccessControlEntry object that contains the property values shown in the table below and add the new entry to the ACL with the IADsAccessControlList.AddAce method.
7. If the "NT AUTHORITY\SELF" ACE is not found, create a new IADsAccessControlEntry object with the same property values shown in the table below except the Trustee property contains the account name for SID "S-1-5-10" ("NT AUTHORITY\SELF"). Add the entry to the ACL with the IADsAccessControlList.AddAce method.
8. To update the ntSecurityDescriptor property of the object, call the IADs.Put method with the same IADsSecurityDescriptor obtained in Step 2.
9. Commit the local changes to the server with the IADs.SetInfo method.
10. If either of the ACEs were created, you must reorder the ACL so that the ACEs are in the correct order. To do this, call the GetNamedSecurityInfo function with the LDAP ADsPath of the object and then the SetNamedSecurityInfo function with the same DACL. This reordering will occur automatically when the ACEs are added.

The following table lists the IADsAccessControlEntry object property values.
AccessMask: ADS_RIGHT_DS_CONTROL_ACCESS
AceType: ADS_ACETYPE_ACCESS_DENIED_OBJECT if the user cannot change their password or ADS_ACETYPE_ACCESS_ALLOWED_OBJECT if the user can change their password.
AceFlags: 0
Flags: ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType: "{AB721A53-1E2F-11D0-9819-00AA0040529B}" which is the change password GUID in string form.
InheritedObjectType: Not used
Trustee: Account name for SID "S-1-1-0" (Everyone).
There is a fairly lengthy code example provided on the same page.
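
Added example, not part of the original answer or of the Microsoft page it quotes: a Python check that reads the raw self-relative ntSecurityDescriptor bytes of a user object and reports whether both deny ACEs described above (Everyone and SELF, change-password GUID) are present. The function names and the constructed descriptor built by sample_sd are assumptions of this example; a real value would come from an LDAP read of the attribute.

```python
import struct
import uuid

CHANGE_PASSWORD = uuid.UUID("AB721A53-1E2F-11D0-9819-00AA0040529B")  # GUID from the page
ALLOWED_OBJECT, DENIED_OBJECT = 0x05, 0x06  # ACE type bytes for object-specific ACEs
OBJECT_TYPE_PRESENT, INHERITED_TYPE_PRESENT = 0x1, 0x2
EVERYONE, SELF = "S-1-1-0", "S-1-5-10"

def sid_to_str(b):
    subs = struct.unpack_from("<%dI" % b[1], b, 8)  # b[1] = sub-authority count
    return "S-%d-%d" % (b[0], int.from_bytes(b[2:8], "big")) + "".join("-%d" % s for s in subs)

def change_password_aces(sd):
    """Return [(ace_type, trustee_sid)] for object ACEs on the change-password right."""
    found = []
    dacl = struct.unpack_from("<I", sd, 16)[0]  # OffsetDacl field of the SD header
    if dacl == 0:
        return found
    count = struct.unpack_from("<H", sd, dacl + 4)[0]  # AceCount
    pos = dacl + 8  # first ACE follows the 8-byte ACL header
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (ALLOWED_OBJECT, DENIED_OBJECT):
            _mask, present = struct.unpack_from("<II", sd, pos + 4)
            body, guid = pos + 12, None
            if present & OBJECT_TYPE_PRESENT:
                guid = uuid.UUID(bytes_le=bytes(sd[body:body + 16]))
                body += 16
            if present & INHERITED_TYPE_PRESENT:
                body += 16
            if guid == CHANGE_PASSWORD:
                found.append((ace_type, sid_to_str(sd[body:pos + size])))
        pos += size
    return found

def user_cannot_change_password(sd):
    denied = {sid for t, sid in change_password_aces(sd) if t == DENIED_OBJECT}
    return {EVERYONE, SELF} <= denied

def sample_sd(ace_type):
    """Constructed descriptor: one object ACE each for Everyone and SELF."""
    aces = b""
    for authority, sub in ((1, 0), (5, 10)):
        sid = bytes([1, 1, 0, 0, 0, 0, 0, authority]) + struct.pack("<I", sub)
        body = struct.pack("<II", 0x100, OBJECT_TYPE_PRESENT) + CHANGE_PASSWORD.bytes_le + sid
        aces += struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 2, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl
```

Because the trustees are compared by SID rather than by account name, the check does not depend on the localized "Everyone" and "NT AUTHORITY\SELF" strings mentioned in the note above.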

Can't add 'otherMails' with Graph-Tester

I am trying to add another email address to a User.
PATCH https://graph.microsoft.com/v1.0/users/user@domain.de
Body:
    {
      "givenName":"Meier",
      "surname":"Meeier",
      "otherMails":["emaissssl@domain.de"]
    }
Response: Success - Statuscode 204
The result is givenName changed to Meier, surname changed to Meeier, but the email doesn't get added to otherMails[].
A related question is, can I change the primary address of the User?
Edit: I get the same behavior if I also include the current address:
    {
      "givenName": "Meier",
      "surname": "Meeier",
      "otherMails": ["user@domain.de", "emaissssl@domain.de"]
    }
You need specific permissions in AAD to update otherMails. From the documentation:
Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
The wording is a little poor but basically, if the User record you are updating is an Administrator or assigned any of the mentioned roles (Directory Readers, Guest Inviter, Message Center Reader, or Reports Reader), it will ignore the change request.
As for changing the primary email address, that isn't possible. The primary email address is automatically constructed based on the mailNickname and the default domain for the tenant (mailNickname@default.dom).

DocuSign for Salesforce: Recipient Sorting

I have a custom button that explicitly needs to sort a hard coded recipient with a specific DocuSign role and Sort Order and at the same time load in all contact roles from the related opportunity.
The code below brings in all contact roles (good) but the role of the 'Any Recipient' (which is not a Salesforce contact role) is defined as 'Customer' (bad) when it should be defined as 'Legal'.
In the (Salesforce) DocuSign Admin | Envelopes settings the roles are defined as 'Customer' and 'Legal' where customer is the first entry and legal is the second. It appears that the sorting of the recipients is based on the first entry in DocuSign roles because when I make the first entry 'Legal' and second entry 'Customer' I get the anticipated results.
    CRL='Email~frasuy@email.com;FirstName~Any;LastName~Signer;Role~Signer 2;RoutingOrder~2,LoadDefaultContacts~1';
When using the code below with the DocuSign role entries of Customer (1st) and Legal (2nd) the mappings are working but none of the contact roles are added (bad) as recipients, just the entry defined in CRL (good) with the correct DocuSign role - Legal. The LoadDefaultContacts~1 is not respected since none are brought in as recipients.
    CRL='Email~frasuy@email.com;FirstName~Any;LastName~Signer;Role~Signer 2;RoutingOrder~2,LoadDefaultContacts~1';
CCRM='Signer 1~Customer;Signer 2~Legal';
CCTM='Signer 1~Signer;Signer 2~Signer';
How do I bring in all contact roles but explicitly define the DocuSign role for the CRL recipient?
Keep in mind the CCRM parameter is used to map a Salesforce role to a DocuSign Role. In this scenario, a "ContactRole to DocuSign Template Role".
Your current button logic is saying "Only pull contacts with the contact role of Signer 1 and Signer 2".
CCRM is typically irrelevant if you're not using DocuSign Server Templates. To answer your question:
1. You would need to reference all the Contact Roles within CCRM and CCTM
2. All DocuSign roles must be different because you can't merge two contacts with the same role
My example below references all the Salesforce default contact roles:
CES='Stackoverflow Example';
CRL='FirstName~Any;LastName~Signer;Email~{!URLENCODE("frasuy@email.com")};RoutingOrder~2;Role~Signer 2,LoadDefaultContacts~1';
CCRM='Decision Maker~Customer;Signer 2~Legal;Business User~Customer2;Economic Buyer~Customer3;Economic Decision Maker~Customer4;Evaluator~Customer5;Executive Sponsor~Customer6;Influencer~Customer7;Technical Buyer~Customer8;Other~Customer9';
CCTM='Decision Maker~Signer;Signer 2~Signer;Business User~Signer;Economic Buyer~Signer;Economic Decision Maker~Signer;Evaluator~Signer;Executive Sponsor~Signer;Influencer~Signer;Technical Buyer~Signer;Other~Signer';

How to prevent editing a node when this node has a specific workflow status

I use Drupal 7 and I would like to prevent the editing of some nodes for specific user roles when the node has a specific workflow status.
For instance, if the node has the workflow status "validated", the user having the role "contributor" is not able to edit it, but the user with the role "validator" is.
If the workflow status is "to validate", both user roles can edit it.
Is it possible to implement this kind of process with the modules "Rules" and "Workflow"?
You probably want to use hook_node_access($node, $op, $account). Create this hook in one of your modules. To potentially deny access on edit, first add a check for $op == "update", then add your validation logic. To deny access, return NODE_ACCESS_DENY; otherwise return nothing or NODE_ACCESS_IGNORE.
A simple example would be as follows:
    function MYMODULE_node_access($node, $op, $account) {
      if (($op == "update") && ($node->type == "node_type_to_check")) {
        // Add your extra validation checks here
        // ...and if you then want to block access return the following
        return NODE_ACCESS_DENY;
      }
    }
You will find more information about hook_node_access() in the Drupal 7 API docs.
WARNING: If you are logged in as the admin user (user 1) then you will be able to edit the node regardless of your hook_node_access() rules, so make sure that you test this with a "normal" user.

app on GAE | Restricted Google account authentications | listed google accounts not all |

I am quite new to Google App Engine. I am learning things every day.
I have a forum on Google App Engine.
But what I want is to have private or restricted parts.
Some features should be locked for certain Google account users, which are in some sort of access control list.
In plain words, only those users who are in the access list can see the forum; the rest will be redirected to the "contact to admin" page.
As I am new, I want to know whether this is possible.
If yes, how can I achieve it?
Thanks,
Alok
If you are using the built-in Users API, you can check users.is_current_user_admin() as an access control mechanism. Administrators can be managed via the dashboard.
If you need more granular, application-specific authorization logic, generally you would create a User model in the datastore that references the built-in UserProperty and also holds a list of roles or whatever else you need to check authorization.
To follow up Drew's reply, I use a similar system in my app, so my server code has something like the following class definition (simplified here for clarity)
    from google.appengine.ext import db
    from google.appengine.api import users

    class myUser(db.Model):
        user = db.UserProperty(required=True)
        rights = db.StringProperty(required=True, choices=set(["public", "private"]))
        created = db.DateTimeProperty(auto_now_add=True)
        lastaccess = db.DateTimeProperty(auto_now=True)
and then I have code like this where I handle queries
    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # create a new 'public access' user if we haven't seen this person before
            u = myUser(user=user, rights="public")
        # always update the user record after the source is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights

    rights = checkUserRights(users.get_current_user())
    if isPrivateArea and rights == "private":
        ...
This way I create a user for EVERY visitor, and then I have an admin interface to change the rights of selected users - you may decide, for example, to not create a record for every visitor
    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # grant default public rights to anyone...
            return "public"
        # always update the user record after the source is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights
This is, of course, on a page where the app.yaml specifies "login: required"
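
Added example, not from either answer above: a deny-by-default variant for the case in the question, where only listed accounts may see the forum and everyone else is sent to the "contact to admin" page. The in-memory ACL dict stands in for the datastore kind, and the paths, addresses and function names are hypothetical.

```python
import functools

CONTACT_ADMIN = "/contact-admin"  # hypothetical page for accounts not on the list
LOGIN = "/login"                  # hypothetical; on App Engine, users.create_login_url() supplies this

# Constructed stand-in for the myUser datastore kind: email -> rights
ACL = {"alice@example.com": "private", "bob@example.com": "public"}

def rights_for(email, acl=ACL):
    """Unknown or missing accounts get no rights at all (deny by default)."""
    if not email:
        return None
    return acl.get(email.strip().lower())

def require_rights(needed):
    """Decorator: run the handler only for accounts whose ACL entry equals `needed`."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(email, *args, **kwargs):
            if not email:
                return ("redirect", LOGIN)          # not signed in yet
            if rights_for(email) != needed:
                return ("redirect", CONTACT_ADMIN)  # signed in but not on the list
            return handler(email, *args, **kwargs)
        return wrapper
    return decorator

@require_rights("private")
def forum_index(email):
    return ("ok", "forum for %s" % email)
```

Unlike the code above, an account with no record is never treated as "public" here, so a lookup miss cannot grant access to a restricted page.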
