I have a static file that I don't want to be publicly available. Is there a way to limit access with app.yaml so that it can only be loaded by its own domain?
web2py based solutions are also welcomed as I'm using it on top of GAE.
Thanks!
You can limit access to it with 'login: required' to require login with a Google account, or 'login: admin' to restrict it to admins only. If you're only concerned about abuse, you probably want to look into the DOS API instead.
I assume you want to use web2py authentication for this. You have to follow a few simple rules. 1) files in app/static are public files. 2) files that you want to subject to authentication go in app/private. Then create your own web2py action to serve the content of private/
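    @auth.requires_login()
    def private():
        import os
        # basename() keeps the lookup inside app/private
        name = os.path.basename(request.args(0) or '')
        if not name:
            raise HTTP(404)
        file = os.path.join(request.folder, 'private', name)
        return response.stream(open(file, 'rb'))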
If you want to use the role based access control you need to store the filename in a database table and auth.add_permission to the group to the record.
You get faster responses and more competent responses if you ask questions to the web2py mailing list.
Related
I have Yii2 application where users can upload and share files of different types. Once a file is uploaded, it could be downloaded only by certain other users and there are a whole bunch of checks that go behind this process.
My problem is that the files are stored on the server and if someone has the link directly to the file then they can easily be downloaded without going through any kind of authorization or security checks. How can I prevent this?
P.S. It could be any kind of solution, not one related to Yii2.
The following approach comes to my mind.
Store the files at a location in file system that is not made publicly accessible by a web server.
Make them available by reading them from file system and sending them to browser when the user retrieves the URL that also does the security checks. A redirect to another URL that does not do security checks has to be avoided.
If you give more details about a more specific problem or question people can give you more specific information.
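The two steps above (files kept outside the web root, returned only by a handler that runs the checks), as an added Python example that is not part of the original answers; it also covers the permission-table idea from the web2py answer earlier on the page. The function `open_private_file`, the `permissions` mapping standing in for a database table, and the sample files are all constructed for the illustration.

```python
import os
import tempfile

class AccessDenied(Exception):
    """Caller is not allowed to read the requested file."""

class NotFound(Exception):
    """Name does not resolve to a regular file inside the private directory."""

def open_private_file(private_dir, requested_name, user_id, permissions):
    """Return an open binary handle for requested_name if user_id may read it.

    permissions is a hypothetical stand-in for a database table that maps a
    stored file name to the set of user ids allowed to download it.
    """
    # 1. Authorisation check comes first, keyed on the name stored in the table.
    allowed = permissions.get(requested_name)
    if allowed is None or user_id not in allowed:
        raise AccessDenied(requested_name)
    # 2. Resolve symlinks and ".." and confirm the result stays in private_dir.
    base = os.path.realpath(private_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise NotFound(requested_name)
    # 3. Stream the bytes from the handler itself; no redirect to a public URL.
    return open(target, "rb")

def demo():
    """Constructed sample: one private file, two users, one bad table row."""
    root = tempfile.mkdtemp()
    private_dir = os.path.join(root, "private")
    os.mkdir(private_dir)
    with open(os.path.join(private_dir, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-constructed-sample")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"outside the private directory")
    # The second row simulates a name that should never have been stored.
    permissions = {"report.pdf": {"alice"}, "../secret.txt": {"alice"}}
    results = {}
    for user, name in [("alice", "report.pdf"), ("bob", "report.pdf"),
                       ("alice", "../secret.txt")]:
        try:
            with open_private_file(private_dir, name, user, permissions) as fh:
                results[(user, name)] = fh.read()
        except (AccessDenied, NotFound) as exc:
            results[(user, name)] = type(exc).__name__
    return results
```

The confinement check in step 2 still rejects a name that escapes the private directory even when the permission table contains a row for it.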
I have two applications in my workspace, APP 1 and APP 2.
In my case, the user will log in to APP 1. From there, I put a menu (or a link) to APP 2. However, APP 2 requires authentication, so it will take me to a login page. I would like to eliminate that and get the current user's credentials on APP 1 and log in to APP 2.
I'm looking for a simple, straightforward method (but need to consider security) to log in to APP 2.
What I could think of is apex_collection. I could store credentials and use it to create a login process for APP 2. However, apex_collection is session based. Even though I've set the session for APP 2, it still won't read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by @TonyAndrews works.
For any Apex Apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place as you set up each workspace user. Each application can have its own security filter that permits access by membership of BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by:
Defining different name-spaces for each application:
Email addresses are good: "someuser@sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace: a warning however is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern however because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I have a similar requirement: linking from one application page to another.
I tried the above-mentioned solution, but it is still asking to log in to the second application. My APEX version is 5.0.3 and I am trying in the same workspace.
I created new authentication schemes for each app with the same cookie name and set them as current authentication. The scheme types are Application Express Accounts.
I am setting the link as below from the first app page to the second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.
I'd like to create a Visualforce page that inserts a record into the Salesforce account object. However, I expect some of the page users won't have Salesforce accounts. Can they still access it? If not, what are the alternatives that can be used instead of a Visualforce page in this case? (Please don't consider Web to Lead Forms).
Thanks,
Yes, it's possible. Go read about Salesforce Sites. For a start:
http://wiki.developerforce.com/page/Websites
http://wiki.developerforce.com/page/An_Introduction_to_Force.com_Sites
(of course it's also possible to write that page in say Java/.NET/PHP and use integration via SOAP or REST to talk to Salesforce... but these 2 main links will keep the whole solution within SF so no need to learn a new language, have extra maintenance effort etc)
Sites are VF pages that expose a bit of your company's data without need to log in. You can use them to input data too, just remember that in theory anybody could learn the link and spam you (not too different from web2lead, inbound email handlers etc). You specify security in a way similar to Profiles, the records will have "Created By = {site name} Guest User".
I don't think there's anything out of the box to restrict visibility, they're open to whole world. So if you would want something similar to login IP ranges (so only sales reps from your office's network can enter data) - you might have to write some logic in the controller.
So I'm just starting to play with CakePHP and was wondering if the following was possible:
A single install of Cake, with a super admin login. Then, admins that have access to specified "sub sites", and the ability to create/edit content and users on those sub sites. Finally, the ability to map domain names (not subdomains, but unique domains) to the routes; so instead of mysite.com/subsite/posts/1 it would just be newdomain.com/posts/1
Essentially, I'm looking to replicate the experience of using Wordpress Multi-user (with domain mapping).
Is this possible? If so, what should I be looking into?
Sure. You can even use the same set of code and just configure certain domains to point to the code. Then in the code base, tie a domain ID to each user and the content so it knows where it belongs. You can have admin users belong to all domains. Then when you add regular users, you can specify what domain they belong to.
You could establish the domain checking in the Config/bootstrap.php and then set the configuration for the domain like so:
Configure::write('domain_id', 'someDomainSpecificID');
Then you only have to maintain one set of code and one database from many domains.
If the domains have to be physically separate, you could set up one location for the ADMIN users (single database) and run everything against that.
There are many ways you could architect it, it just depends on what your specific needs are. It sounds like a cool project though.
I'm looking towards writing some applications with C and CGI, and now that I've implemented basic functions like URI encode/decode, HTML entities encode/decode, query/cookie parser, etc. I need to manage sessions. How should I do this? For example, how does PHP manage sessions?
Store the UserID and SessionID in a cookie, then store all other data on the server in a database. Do not encode user and session in the url as this leads to session-hijacking even if the user only wants to show some friend a link.
As HTTP is stateless, you have to maintain an id that can track your session. The two main ways are to use cookies to store the id or to embed the id in the URL, usually doing URL rewriting.
You can have a look at WT, which is a web toolkit written in C++. See also this SO question for a list of C++ web frameworks. You will probably find how they handle sessions.
my2c
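The cookie-based approach from the answers above, as an added CGI-style example in Python that is not code from any of the posters. As a simplification it puts only the session ID in the cookie and keeps the user ID in the server-side row; `SessionStore`, the cookie name `sid` and the 1800-second lifetime are assumptions of the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds; constructed value for the example
COOKIE_NAME = "sid"  # hypothetical cookie name

class SessionStore:
    """In-memory stand-in for the server-side database table of sessions."""

    def __init__(self):
        self._rows = {}

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[sid] = {"user_id": user_id,
                           "expires": now + SESSION_TTL,
                           "data": {}}
        return sid

    def load(self, sid, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(sid)
        if row is None:
            return None
        if row["expires"] <= now:
            del self._rows[sid]  # expired rows are removed on first touch
            return None
        return row

def set_cookie_header(sid):
    """Build the Set-Cookie line a CGI program prints before the blank line."""
    attrs = f"Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Lax"
    return f"Set-Cookie: {COOKIE_NAME}={sid}; {attrs}"

def session_from_environ(environ, store, now=None):
    """Find the session via HTTP_COOKIE only; QUERY_STRING is never read."""
    cookie = SimpleCookie()
    cookie.load(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(COOKIE_NAME)
    return store.load(morsel.value, now) if morsel else None
```

Because the lookup ignores the query string, a link copied from the address bar carries no session identifier for the recipient to reuse.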