I'm looking at ways to secure the admin section of my (cakephp powered) Facebook application. To avoid duplicating functionality, I thought it'd be neat to allow access to people who have been flagged as developers in the app settings.
The question could then be: How do I determine whether a user of my Facebook application is a developer?
Alternatively: How do I obtain an array of developer user IDs for my Facebook app?
I tried looking for your answer myself, and the only thing I found that you could possibly do is to make a group private and invite-only to developers and then use the fb:if-is-group-member tag. http://wiki.developers.facebook.com/index.php/Fb:if-is-group-member
OK, so I found out how to do it by myself. Props to Samuel for giving me the idea.
Basically, the way to do it is to run an FQL query that establishes whether a user is an admin of the applications page (page_admin).
SELECT uid FROM page_admin WHERE uid = 286302657 AND page_id = 31290624157
In the PHP client, this returns an array for developers and an empty string for anyone else.
I decided to use the FQL rather than the API call because it is possible to preload the FQL to reduce calls to the Facebook servers.
Hope this is useful to somebody.
Related
I have created a web page with RoR and i am using auth system that i wrote. Now i would like to create an admin panel, where i can see the user info etc..
I am not sure but what i though is to add a column name to auth system like admin? giving a default name false. Then if the admin? is true admin panel opens instead of the web page login.
I wonder if i can use the same auth system so in order to login to page it logs in to admin panel.
But in the controller it will check if admin? is true for every user, i am not sure about the burden in terms of the system requirments as it will check every user.
And i know there are other gems for admin panel but its fine i can design it. I am just not sure which way is the efficient way.
The burden on the system will be negligible. It depends a little bit upon how your auth system is configured, but I am assuming that you give the user a token when he/she is properly logged in.
When the user first tries to sign in, you should check if they are an admin. At this point, if they are, then you can sign them in as an admin, also storing that information in the session. You should perform this check on the controller actions where they need to be an admin. It will not affect performance to any noticeable degree and is important for the security of your site.
Also, you may want to check out the CanCanCan gem, which is a fork of CanCan built by Ryan Bates, for an example of how this works. Unless you're building the application for educational purposes, I highly recommend the CanCanCan gem.
Hope this helps!
In addition to that, you may try Rails_Admin, which provides an easy-to-use interface for managing your data.
And I've considered to use this gem for my project, which is a huge database, so it seems to very helpful.
I have a cakePHP community. User are able to signup and login. I like to create a survey using SurveyMonkey.
Therefor I create the survey and make it available to my members using the direct URL. In my member database I have to save the information "did completed the survey = yes/no".
Is there any way to identify the user filling in the survey and write this information into the database?
SurveyMonkey has an API https://developer.surveymonkey.com/ , that let you collect info from your survey (completedf or not).
This is the only way i think, (if it s not include in your website).
I know that you can simply do this with Examinare Survey Tool. What you do first is that you use the API inside Examinare to add a recipient for all the users in the survey base.
Use the PHP Wrapper library in their developer site.
Loop it through and use the https://developer.examinare.com/php-wrapper-library/ and use the example code.
If you let people register with same email more than 1 time then save the ContactID into your database on the recipient.
Then to not create an email invite you use this : markrecipientstosurvey
The surveyID is available inside the Examinare account.
When you done this script part then make it as a cronjob for instance inside the crontab -e
I would run it every 30 minutes or 1 per hour.
Next part you create a page for the survey redirect where you use the function: listsurveysbyuser
to get the survey version and url
(there is a special link for the mobile user that even works for the normal mobile phone NOT only smartphones)
Now you just redirect them to the survey. If you want them to return to your site after then you use the redirect_url parameter that is added to the url or use the redirect inside your account. Ask support about that if you need :) They are fast... Never had to wait more than a couple of minutes.
When the person return then just check if they are marked as complete with the same api call: listsurveysbyuser
Looks much but it is very easy to implement and if you have any problems then just ask the support at support#examinare.com I have asked alot and never had them to say that it can not be done. Really nice!
EDIT:
I see that they just released a tutorial much better than my example:
https://developer.examinare.com/how-to-use-surveys-in-cakephp-with-very-little-development/
One option:
Use unique Custom Variables in the URL that is visited by each member of the community
For example, https://www.surveymonkey.com/s/your_survey?userid=$my_user_id
Note that you can create weblink or email collectors with the API (endpoints: create_flow or create_collector).
Then track the responses using the get_respondent_list or get_responses endpoints of the API.
Note: Please confirm with the Survey Monkey API team that the custom variables can be read via the API.
Another option:
Use the email collector (create_flow) API endpoint and send it to your members' email addresses.
I am somewhat new to programming, have some experience with VBA, but thats it. I am learning Filemaker at the moment and I am getting along quite nicely. I want to let FM automaticly enter certain appointments and reminders into my google calendar.
Now, I know that the calendar has an API, and I know that that API is the interface with which I can communicate with it. But I am lacking a step in my knowledge ladder, because the documentation is thoroughly confusing. I need to know what to use, in order to tell the calendar what to enter where. Is it like some compound url I construct? How do I login?
These are all questions that pop up. I don't expect you to answer those, but rather if you can point me to the right tutorials I can read to get this knowledge.
I hope I didn't burden you guys too much.
thx in advance
I'm one of the authors of Zulu, a product we built specifically to sync FileMaker to Google Calendar, using a bi-directional sync. You can also turn Zulu into your own CalDAV server if you want to go that route.
Good luck!
Don't take this wrong but you may be biting off too much. I have been programming for 30 years and it took me a couple of days to gather the information needed to interact with the Google APIs (the OAuth2 authentication can be really confusing at first).
My sugestion would be to look at importing calendars into Google Calendars using either CSV (https://support.google.com/calendar/answer/45656) or ICS (https://support.google.com/calendar/answer/45656) format. You should be able to generate those formats with a little bit of Filemaker scripting.
But since you asked:
You need the OAUTH2 offline access, with a refresh token you would
store somewhere.
You will use the refresh token to get an auth token
You will make requests using HTTPS GETS or POSTS (see the Calendar
API explorer), with the auth token in the Authorization header.
Since there is no Google Calendar API for FileMaker :-), you would
have to know some details of the HTTP protocol to send a properly
formatted request, you will be working at a lower level than you
would be if using a Python, Java or .NET library.
You will get back
JSON responses which you will have to parse.
There are a couple of ways you can try to do this quickly:
Use Zapier (http://zpr.io/VhK - affiliate link) to create a webhook, then use a hidden webviewer in FileMaker to create the event. Try this as an example: http://zpr.io/fqg7
Use a plug-in, like this one https://www.feedzon.com/products/fmgcal/. I've never used that particular one before, but it looks fairly straightforward.
If you want to go whole-hog, it is also possible to use scripts in FileMaker to write to the Google Calendar API, but it's a lot more work. The plugin is probably the easiest route to go.
If you don't want to use a plugin, I would recommend starting with a Zapier webhook, as it greatly simplifies the work needed to hook into the Google Calendar API.
I would like to use Oauth 2 for an application in Google App Engine with Java, but I dont find any good example of that use, I would be very thankful if somebody could help me please, it is something frustrating dont find good examples, thnak you.
My 2c is avoid oauth2 libraries. Of course opinions may vary, but for me they provide very leaky abstractions, so you end up being dragged into understanding oauth by the back door. For me at least, taking an hour to read the the two pages that tell you all you need to know, and carefully avoiding all the others, will get you where you want to be.
In simple terms, the steps are :-
Call the auth URL with your app/client ID and the scopes you require. Include the "email" scope.
Google will walk the user through login, and (if the first time through) authorisation dialogues
Eventually the browser will redirect back to your oauthcallback url, and pass you an auth code
Call google to convert the auth code to a refresh token. This will also return the user's google ID and an access token.
Store the user ID in your session so you can identify the user subsequently
Persist the refresh token alongside the google user id in a database
On subsequent visits...
If you have the google user id in the your session, you can retrieve the refresh token from your database and use it to generate access tokens as you need them.
If you do NOT have the google user id in your session, go through the steps above. This time, google will NOT prompt the user for authorisation (since it's already authorised), and the refresh token will be blank (since you already have one stored).
Everything you need to know is within the oauth playground page. If you click through the buttons, you will see that it is following the steps I outlined above.
You then need to deal with the possible error situations, eg
user declines permission
user withdraws permission
google expired the refresh token (happens a lot) so you need to re-auth
timeouts
The two pages you need to read are :-
https://developers.google.com/accounts/docs/OAuth2WebServer and the oauth playground at https://developers.google.com/oauthplayground/
Trust me, as long as you know how to form a URL, store a refresh token (it's just a string) and parse a JSON response, then everything you need is on those pages. Except ...
all the documentation skips over the need to preserve the user ID in your session so you know who it is that is accessing your app. If you're on AppEngine, you may be confused by the appengine sample code which uses a separate appengine login. Ignore it. You will be using oauth to authenticate the user so the appengine stuff doesn't apply and is somewhat confusing.
It's actually much simpler than some of the documentation would lead you to believe, and like I said, imho the leaky libraries don't help.
I'm trying to do exactly the same thing and I agree - it is extremely hard to find a good example of this.
I did find this youtube video however and I think it would help: https://www.youtube.com/watch?v=tVIIgcIqoPw.
Its from Google and it is called Getting Started with Google APIs. The last segment of the video deals with authentication.
There are several OAuth 2 client and server libraries for Java listed on this page: http://oauth.net/2/
Here's quick-start documentation for using Apache Otlu: https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
If you're accessing a Google API (as a client), you can use the Google client library for Java, which does OAuth as well as API set-up: https://code.google.com/p/google-api-java-client/
I have been struggling all day with an issue. I am sure there must be some easy solution that lots have already implemented as it looks to me as a basic setup.
I am building an app with GWT and appengine using requestfactory. This app has some "pages" (they are actually MVP views) that everybody should have access to. It's like the home page and a couple of views where the service we provide is described. Then if you want to use the service you have to login (with google accounts and all that). Only being logged in you have access to the rest of the views (pages) in the app. The question is, how to handle this?, the fact that some pages and some requestfactory calls are public and some other have to be available to those that have logged in?
I have already discarded the auth-constraints tags in web.xml because they work with all or nothing.
The next alternative was to use servlet filters (as the expenses demo does). That could work, but only if the "open" or not secured pages didn't need to access any data from appengine datastore (and I don't want to close that door, maybe in the future I want to show status or number of users, etc etc). The reason for this is that with request factory you only have one servlet so if you put a filter you shut down all comunication with appengine if the user is not logged in.
I was thinking of implementing this filter, with requesfactory for all the stuff once the user is logged in and also implement some RPC services for the data i might want to display in the "home or information pages" that i might need to retrieve from the datastore. However it looks a bit overkill for me.
Another alternative is to implement a check that the user is logged in all the request factory service methods that i want to protect. But that doesn't look to elegant either...
Anyone had the same problem? any ideas?
I'd appreciate any help on this.
Thanks,
You say that the auth constraints are "all or nothing", but that's not true - they're per-url. See here for details. Also, your connection of servlet filters and datastore access is a non-sequitir - the two have nothing to do with each other.