I am quite new to this Google app engine. I am learning things every day.
I am have a forum on google app engine.
But I want is to be having private or restricted parts.
Some features should be locked for certain google account users, which are in some sort of access control list.
I plain words I can say, only those user who are in list of access can see the forum rest will be redirect to the "contact to admin" page.
As I am new I wanna know that is it something possible.
if yes, how can I achieve it ?
Thanks,
Alok
If you are using the built-in Users API, you can check users.is_current_user_admin() as an access control mechanism. Administrators can be managed via the dashboard.
If you need more granular, application-specific authorization logic, generally you would create a User model in the datastore that references the built-in UserProperty and also holds a list of roles or whatever else you need to check authorization.
To follow up Drew's reply, I use a similar system in my app, so my server code has something like the following class definition (simplified here for clarity)
class myUser(db.Model):
user = db.UserProperty(required=True)
rights = db.StringProperty(required=True, choices=set(["public", "private"]))
created = db.DateTimeProperty(auto_now_add=True)
lastaccess = db.DateTimeProperty(auto_now=True)
and then I have code like this where I handle queries
def checkUserRights(user):
q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
u = q.get()
if not u:
# create a new 'public access' user if we haven't seen this person before
u = myUser(user=user, rights="public")
# always update the user record after the source is fetched (updates the lastaccess field)
db.put( u )
return u.rights
rights = checkUser(users.get_current_user())
if isPrivateArea and rights == "private":
....
This way I create a user for EVERY visitor, and then I have an admin interface to change the rights of selected users - you may decide, for example, to not create a record for every visitor
def checkUserRights(user):
q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
u = q.get()
if not u:
# grant default public rights to anyone...
return "public"
# always update the user record after the source is fetched (updates the lastaccess field)
db.put( u )
return u.rights
This is, of course, on a page where the app.yaml specifies "login: required"
Related
I have a Non-Salesforce Auth System which holds usernames and passwords for a few thousand users. I am willing to migrate these users to Salesforce and give access to these users to my Experience Cloud site. I am developing an apex REST Resource which will take username and password as arguments and create a user with that username and password with a community profile. I am planning to call this API from my Non-Salesforce system and migrate all these users. I am using Site.createExternalUser method in this API. I am getting the exception
Site.ExternalUserCreateException: [That operation is only allowed from within an active site.]
The reason I am using Site.createExternalUser is because I don't want to send the welcome email/reset password email to my users since they already have signed up successfully long ago.
I am open to any alternatives for achiving this.
Below is my code:
#RestResource(urlMapping='/createUser/*')
global with sharing class createUserRestResource {
#HttpPost
global static String doPost(){
Contact con=new Contact();
con.Firstname="First";
con.LastName= "Last";
con.Email="first.last#example.com";
con.AccountId='/Add an account Id here./';
insert con;
usr.Username= "usernameFromRequest#example.com";
usr.Alias= "alias123";
usr.Email= "first.last#example.com";
usr.FirstName= "First";
usr.IsActive= true;
usr.LastName= "Last";
usr.ProfileId='/Community User Profile Id/';
usr.EmailEncodingKey= 'ISO-8859-1';
usr.TimeZoneSidKey= 'America/Los_Angeles';
usr.LocaleSidKey= 'en_US';
usr.LanguageLocaleKey= 'en_US';
usr.ContactId = con.Id;
String userId = Site.createExternalUser(usr, con.AccountId, 'Password#1234', false);
return userId;
}
}
You can suppress sending emails out in whole org (Setup -> Deliverability) or in the Community config there will be way to not send welcome emails (your community -> Workspaces -> Administration -> Emails).
Without running on actual Site I don't think you can pull it off in one go. In theory it's simple, insert contact, then insert user. In practice depends which fields you set on the user. If it's Partner community you might be setting UserRoleId too and that's forbidden. See MIXED DML error. In Customer community you might be safe... until you decide to assign them some permission sets too.
You might need 2 separate endpoints, 1 to create contact, 1 to make user out of it. Or save the contact and then offload user creation to #future/Queueable/something else like that.
I have created a visualforce page for creating new user and through the controller class I am trying to insert the newly created user.
I am working on a developer org and has three licenses available for - Salesforce Platform - User License.
I have created 4 users with this license in my org and only one of them is active.
Still I am facing the License Limit Exceeded Exception while I am trying to insert a new user with this license.
Can anyone please suggest a solution for this issue?
The code I am using is -
newUser = new User();
newUser.email = ApexPages.currentPage().getParameters().get('email');
String[] name = ApexPages.currentPage().getParameters().get('name').split(' ',2);
newUser.firstName = name[0];
newUser.lastName = name[1];
newUser.userName = newUser.email;
UserRole usrRole = [select id, name from UserRole where name = 'Customer'];
Profile prof = [select id, name from Profile where name = 'Customer Portal'];
newUser.UserRoleId = usrRole.id;
newUser.ProfileId = prof.id;
newUser.isActive = true;
try
{
insert newUser;
alertMsg = 'Successfully Created New User';
}
catch(System.DMLException e)
{
alertMsg = e.getMessage();
}
The screen shot of my company information is -
Option 1:
In the developer console, run this anonymous apex code snippet to get a count of active and inactive users:
system.debug([select isactive, count(Id) from User group by isactive]);
The outcome of the above SQL should be 3 inactive users and 1 active (as per your problem statement).
Option 2:
Make sure your controller class is not bulk inserting users beyond the # of open licenses.
Option 3:
Make sure your code is not trying to create user(s) using a profile that is tied to a license type that is all used up.
In addition to setting the profile, you also need to set the UserType (aka license type), otherwise it defaults to the Salesforce license, for which you have no spares, you need to add
something like newUser.userType = 'Platform' (you'll need to use describeSObject or a schema viewer tool to find the exact picklist value to use)
we are making a social network using GAE, and when we are going to create user's, we need to save contact's data about facebook, twitter, etc...
This extra contact data must be administrable by an administrator, so if the administrator adds "Whatsapp", to all users must appear a field "Whatsapp" optional, and if the administrator deletes the facebook data, all users' facebook info must be deleted.
What is the best option to save this data, considering the most efficient way, for example, for get the all user's facebook, for delete all user's twitter... by an administrator?
Thanks
There are many ways to solve this problem. One would be to have a config model, such as (assuming python) ...
class Config(db.Model):
""" singleton model """
twitter = db.BooleanProperty(default=False)
facebook = db.BooleanProperty(default=False)
whatsapp = db.BooleanProperty(default=False)
And separate fields on your profile model for each social username ...
class Profile(db.Model):
name = db.StringProperty() # users name
twitter = db.StringProperty() # store twitter username here
facebook = db.StringProperty() # store facebook username here
whatsapp = db.StringProperty() # store whatsapp username here
When you render the profile to the client, check the Config class to see what social fields have been enabled, and only render those fields.
To handle the deletion, you may need to write a cron job to iterate through all profiles and delete whatever data has been disabled on the config model.
Hope this helps
You should certainly store all entities that contain a User's specific data in the User's entity group. That enables you to retrieve and manipulate those entities using ancestor queries, which perform better than non-ancestor queries.
To make the detail entities part of a User's entity group, you simply have to create them with the parent parameter. For instance:
class TwitterData(db.Model):
twitter_name = db.StringProperty
def addTwitterData(user, twitter_name):
# User is an instance of users.User
new_twitter_entity = TwitterData(parent=user)
new_twitter_entity.twitter_name = twitter_name
new_twitter_entity.put()
Now, I can get User's data like this:
twitter_accounts = TwitterData.all().ancestor(user).fetch(1000)
Also, you can use a kindless ancestor query to get all of the entities in user's entity group:
all_networks = db.Query()
all_networks.ancestor(user).fetch(1000)
# Now, ancestor has all of user's Twitter, Facebook, Myspace accounts.
One of the strengths of this approach is that it allows your users to have more than one account on any of the various services.
If the data that you need to store for the different social sites varies too much to be served by a single, simple model, you can use Expando classes to store entities that store different types of data.
I'm creating an authentication system for a group of websites. The problem is that I have to use a pre-existing Database, which has a users table already full of entries, and that one user can have several accounts. Basically, a user has one account per website he has access to (it's not the best way to do this, but I can't change it). Each account is represented by an entry in the users table, with login, password, name... and the important field: website_id. This field tells the system what website that account has access to.
The big problem is that some users with more than one account have the exact same login/password information for all of them. For example, one user has 3 accounts:
account1: login = charly / pwd = 1234 / name = Charles ... website_id = 1
account2: login = charly / pwd = 1234 / name = Charles ... website_id = 2
account3: login = charly / pwd = 1234 / name = Charles ... website_id = 3
So if he goes to the website that has id = 2 and uses those credentials, he's granted access. If he goes to the website that has id = 4, he's denied access.
My problem is that since CakePHP does the login automatically, when a user tries to login, CakePHP checks only the first entry in the Database that matches the login/password submited in the form. So if a user is currently in the website with website_id = 3 and tries to login, Cake finds the first entry (account1), compares its website_id (1 in this case) to the current website's id (3), and since they're different, the access is not granted, but it should. _Please note that the comparison of the website_id vs the account's website_id is already being made manually in the login() function_.
This how the login() function looks like now:
function login() {
$userInfo = $this->Auth->user();
if ( isset($userInfo) ) {
if ($userInfo['User']['website_id'] == $this->website_id) {
//Users gets access to a website that he has an account for
}
else {
//User is denied access because his account is not registered for the current website
$this->Session->destroy();
$this->Session->setFlash(__('You don't have access to this website', true));
$this->redirect($this->Auth->logout());
}
}
}
What I would like is to be able to manually authorize the access to the current website by using the login/password submitted by the user to manually search in the users table, and if I find a match in one of the user accounts, grant the access, or otherwise deny access. To sum up, avoid all the automagic of Auth's component.
If the Auth component's login method fails, control is transferred back to the custom login action (e.g. UsersController::login()). I've used this to authenticate using either username or email address, but it could be easily adapted for this purpose. Same idea, different criteria. I offered what I think is a reasonably thorough response (with code) to a similar question. It may help you as well.
the company I work for has 2 Active Directory forests. One forest is called us where I log on in the morning with my profile (us\maflorin) and another forest is called (mail.us) which is dedicated to Exchange.
I have created an asp.net application that runs on SharePoint and gets the SPContext.Current.Web.CurrentUser.LoginName which is the us domain login name. (us\maflorin for example for me). I would like to get from the us credentials the corresponding object on the Exchange forest in order to write changes to the global address list (GAL) for user that opened the page after a line manager approval process.
I wrote the following working code to get the Exchange object, but it uses two ldap queries to find the object:
private Dictionary<string,AdRecod> FindExchangeAdProperties(string samAccountName,string description)
{
Dictionary<string,AdRecod> properties = null;
if (!string.IsNullOrEmpty(samAccountName))
{
properties = GetUserProperties(#"(&(objectCategory=person)(mailNickname=" +
samAccountName + "))");
if (properties != null) return properties;
}
if ((description == "") || (description == "0"))
throw new Exception("No matching Description, couldn't find correct Exchange AD object");
properties = GetUserProperties(#"(&(objectCategory=person)(description=" +
description + "))");
return properties;
}
Is it possible to get the exchange object with a single ldap query directly from the us samAccountName?
The mailNickname attribute on the exchange forest does not always match the sAMAccountName on the us forest. If it does not match, I use the second ldap query to see if a record is return by querying on the description field. The description field is many times the same for both forests but sometimes an administrator changed it.
Is it possible to find the corresponding Exchange Active Directory object for the us domain credentials more easily? How does Outlook find from the us credentials the corresponding mailbox / Ad object ? I was looking at the AD schema with adsiedit but could not find a clear field that is used to link the two forest objects together.
Furthermore I was looking into the Autodiscover service of the exchange web services managed api (mailbox dn attribute) but you need to pass into the GetUserSettings method an SMTP address and this field is not populated on the us domain.
Many thanks,
Mathias
I was able to find an answer to this question with a better approach than the one above which depends on the company's naming convention.
On the exchange forest I run a LDAP query with the DirectorySearcher class to obtain the attribute msExchMasterAccountSid.
The following code then provides the correct sam on the forest we use to logon:
var sid = directoryEntry.Properties["msExchMasterAccountSid"].Value as byte[];
// no mailbox
if (sid == null) continue;
var sidString = new SecurityIdentifier(sid, 0).ToString();
var samAccountName = "";
using (var context = new PrincipalContext(ContextType.Domain, "US"))
{
var principal = UserPrincipal.FindByIdentity(context, IdentityType.Sid, sidString);
if (principal == null) continue;
samAccountName = principal.SamAccountName;
}