I want to connect Django to a database that the user will set in the main page.
The user will have to precise the engine (with a combobox), the database, login, password etc in a form, and I want to proceed the connection with the submit.
So far, I tried to set "DATABASES = {}" in settings.py, but it returns an error.
Have you got any clue about how to do it?
You have to connect your app to a database.
There is no way that I know of to change the database connection dynamically.
The only things I can think of are a bit convoluted:
If you want to change your back-end database:
I would suggest having a separate setting file for the database (I will call it dbsettings.py) that you will include in the settings file.
At the submit, you would lunch a script that will change the dbsettings.py file, and restart the django server (with a CLI call for example)
If the database is user specific, configure and fire up another django instance, and have the two instances communicate (you could use celery for messaging or django commands)
I (and other people) may come up with better solutions if we had a little more details
Related
My job has tasked me to create a login page with username, password, reset password, sign in and sign up. When you login you are sent to a landing page. All should be done with react but i have to use filemaker server as a backend that stores usernames and passwords in a database. I've never used filemaker before and i don't know where to start. Any advise will be appreciated
Use Filemaker Data Api:
https://help.claris.com/en/data-api-guide/
Login call to get the token
Make a POST request to
{yourServerUrl}/fmi/data/version/databases/{database-name}/layouts/{layout-name}/records
to write the new record into the database.
Assuming your company is on a recent version of FileMaker (version 16 or later, I believe) then FileMaker Server has a feature called the Data API that publishes all FM data in a more standard-manner than going through the trials of ODBC or the PHP API.
The requirements are essentially just clicking the checkbox in the Server Admin control panel:
That feature has tiered pricing associated with it, but it includes a base amount of requests as part of having a server license and most likely you will find it to be the best avenue. If, for some reason, you can't use the Data API, going in via the PHP API which produces a more verbose XML output and is tied to fields visible on layouts is another avenue.
I am new to Salesforce, but am an experienced developer. I am provided a link to a Salesforce report, which mostly has the right filters (query). I would like to use an REST API to pull that information as CSV or JSON so that I can do further processing on it.
Here are my questions:
Do I need special permissions to make API calls? What are they?
Do I need to create an "app" with client-key & secret? Does my admin need to grant me permission for this too?
There are a lot of REST APIs from Salesforce, which one do I need to get the info from the report? Analytics?
How do I authenticate in code?
You'd have to work with the System Administrator on the security pieces. Anybody who knows how the company works, can all users see everything, is there Single Sign-On in place, how likely is the report to change...
You will need an user account to pull the data. You need to decide if it'll be some "system account" (you know username and password and have them stored in your app) or can it run for any user in this org. It might not matter much but reports are "fun". If there will be data visibility issues 6 months from now, you'll be asked to make sure the report shows only French data to French users etc... you can make it in report filters or have multiple reports - or you can just use current users access and then it's the sysadmin that has to set the sharing rules right. (would you ever think about packaging what you did and reusing in another SF instance? Making a mobile app out of it? Things like that, they may sound stupid now but will help you decide on best path)
The user (whether it'll be system account or human) needs Profile permissions like "API Enabled" + whatever else you'd need normally ("Run Reports" etc). If you're leaning towards doing it with system user - you might want to look at Password Policies and maybe set password to Never Expires. Now this is bit dangerous so there would be other things you might want to read up about: "API only user" (can't login to website), maybe even locking down the account so it can login only from certain IP ranges or at certain times when the job's supposed to be scheduled...
Connected App and OAUth2 stuff - it's a good idea to create one, yes. Technically you don't have to, you could use SOAP API to call login, get session id... But it's bit weak, OAuth2 would give you more control over security. If you have sandboxes - there's little-known trick. You can make connected app in production (or even totally unrelated Developer Edition) and use client id & secret from it to login to sandboxes. If you create app in sandbox and you refresh it - keys stop working.
(back to security piece - in connected app you can let any user allow/deny access or sysadmin would allow only say these 3 users to connect, "pre-authorize". Could be handy)
Login - there are few REST API ways to login. Depends on your decision. if you have 1 dedicated user you'll probably go with "web server flow". I've added example https://stackoverflow.com/a/56034159/313628 if you don't have a ready SF connection library in your programming language.
If you'll let users login with their own credentials there will be typical OAuth "dance" of going to the target page (Google login, LinkedIn, Twitter...) and back to your app on success. This even works if client has Single Sign-On enabled. Or you could let people type in their username and pass into your app but that's not a great solution.
Pull the actual report already
Once you have session id. Official way would be to use Reporting API, for example https://developer.salesforce.com/docs/atlas.en-us.api_analytics.meta/api_analytics/sforce_analytics_rest_api_get_reportdata.htm
A quick & dirty and officially not supported thing is to mimic what happens when user clicks the report export in UI. Craft a GET request with right cookie and you're golden. See https://stackoverflow.com/a/57745683/313628. No idea if this will work if you went with dedicated account and "API access only" permission.
For my Next Project (web + electron + ionic),
I want to use angularjs but don't want to use nodejs and for database.
I am thinking about pouchdb or google-firebase.
Now security is an issue for my database. like i have to connect with my database using angular because i will not use nodejs.
So i have to put my username and password on connection.
will my username and password secure ?
I am thinking that anyone who press Ctrl+u or from dev tool can see my user access.
Any suggestions ?
try angularfire2 library for firebase using this library no needed nodejs or any backend server. it's directly communicate with firebase.here is library
https://github.com/angular/angularfire2
I am afraid that you can't do that, you need some server side application to connect with the database in a secure way.
There is some gold rules you must always follow:
There is no security from the client side.
Never trust on information that comes from the client, even if you think it's validated.
For the security purpose, you can go with firebase auth
these are many secure login methods like
-FirebaseUI
-Password-Based
-Facebook
-Google.. etc
reference link- https://firebase.google.com/docs/auth/web/start
If you are planning to use firebase for the huge database then one thing keep in mind firebase is not designed for the huge database it's limited.You can't compare firebase to SQL n MySQL etc databases. Firebase specifically designed for small databases.
If you grant write access for your chat clients by one hardcoded credentials (really easily get known) - you are on very dangerous side: one can quickly fill your DB with tons of garbage. There is no harm to hardcode read credentials (in order to separate access to different server DBs, i.e.) but for write ones you definitely need registration, which means Node or something. It will handle new users creation and give you ability to block unwanted client behaviour, just in case.
I can print
System.Security.Principal.WindowsIdentity.GetCurrent().Name is #System.Security.Principal.WindowsIdentity.GetCurrent().Name
in a razor (.cshtml) file, however, I do not know how to print the app pool or verify that it is indeed accessing the database to login to it (as the login currently fails, that portion is an even tougher question).
This may require creating a string in the controller action trying to access the database, e.g. near something like:
db.myTable // etc
Thanks in advance.
The name you are returning in the code sample is the windows user id that the app pool is using (look in the app pool properties to see what windows username it is using).
This user name, complete with domain name, needs to have access to the db.
You may like to create your own windows user just for the app pool to use something other than local service as it may not be a good idea to give any local service access to your database.
As Will says in his comment, sql profiler should be able to help you find out what's happening if you are not sure.
I am using Entity Framework and have the same model on many databases and servers. I want to set my connection string at runtime based on the logged in user. I am currently overriding CreateObjectContext() in my DomainService and setting the connection string there. This works great, but I'm concerned with the lack of security. For example, in my DomainService, I have an invoke method called SetConnectionString() where I pass in the connections string each time I need a new Entity. This is being done from the DomainContext (client side). Since I am using SQL Integrated Security, I am concerned that someone could manipulate the connection string on the clinet and get access to a database that they are not authorized to use.
What is the most secure way to dynamically set the connection string for the domain entity I want to use at runtime?
I do have the database name and server settings in a database that I could look up from the DomainService if I passed in my project id or some other piece of information, but I am then right back to the same issue - someone could easily spoof this info.
Ideas??
-Scott
Hopefully my answer is relevant as the same security issues are faced by flash developers...
The only way to make this really secure ("this" being database connections from your client side code) is to make each user only have read-only access to their data in the database.
As you are realizing, there is no way to stop the user from monitoring/modifying data that you are sending back to the server. Even if you encrypt the communication, the user still has access to the code and in the case of flash, source code due to trivial decompilation.
I am not a DB developer, but I do security audits of stuff like you are asking often, so the following advice could be wrong, but I just googled, and it seems like maybe you could use views to restrict users (sets of credentials) to specific information.
If not, this article seems relevant to what you want:
http://technet.microsoft.com/en-us/library/cc966395.aspx
What about using the ASP.NET membership framework? Tie the user login with a Login call in the framework to make sure the user an authorized user. Add a "RequiresAuthentication" attribute to each of the functions you want to protect in your domain service.
Here are more details on using ASP.NET membership with Silverlight: WCF RIA Services - Authentication, Roles, and Profiles