I have a role with this permission:
path-prefix[/mydb] and (method[PUT] or method[POST] or method[GET])
I'm trying to create a collection in this database following this doc: https://restheart.org/docs/mgmt/dbs-collections/
So, I wrote using postman this:
method: PUT
url: https://myhost.mydomain/mydb/newcollection
User and password are ok. The user has this role. GET works.
But the PUT return 403 (not 401, 403).
RestHeart (v6).
Any tips to solve this?
Solved.
The version 6 changed somethings in security. Now some permissions have to be set explicitly, in this case, to allow management requests:
"mongo": {
"allowWriteMode": false,
"allowManagementRequests": true,
"allowBulkPatch": false,
"allowBulkDelete": false
}
More in: https://restheart.org/docs/upgrade-to-v6/
Related
I am using ng2-smart-table, I am trying to do server-side pagination & sorting. I am not able to get how to do it? Once I click on page number it should go to the backend. What function/method/event I have to use, when clicked on page or sort it should go to the function which calls API.
Also I want to add a anchor link to one column, how to do that?
If you provide me some example that will be helpful.
Please help me with the solution. Thanks
You need to configure ServerDataSource with the names of the parameters your server uses for each purpose, after that you can deal with them in the server side.
this.dataSource = new ServerDataSource(this.http, {
endPoint: environment.SERVICE + `your_route`,
dataKey: 'Data',
pagerPageKey: 'offset',
pagerLimitKey: 'limit',
filterFieldKey: 'query',
sortFieldKey: 'sortby',
sortDirKey: 'order',
totalKey: 'Total',
});
I'm really stuck with getting the User image from a lookup list using AJAX with SharePoint 2013.
Ok so im getting my data from a Sp list called 'Comments', and im selecting a SP generated field called 'Created By' however on my SP its actually called 'Author'. This field only shows an ID so ive expanded it with OData to get the 'Author' details.
So what im trying to do is set up a custom comment section. So im taking data from the 'Author / Created By' column and outputting that on top of the persons comment. This all works fine!
$.ajax({
url: _spPageContextInfo.webAbsoluteUrl + "/DigiBlog/_api/web/lists/getbyTitle('Comments')/items?$select=Comment,Likes,BlogId,Created,Author/ID,Author/FirstName,Author/LastName,Author/Title&$expand=Author/Id",
type: "GET",
headers: {
'accept': 'application/json;odata=verbose'
},
success: function (data) {
for (var i = 0; i < data.d.results.length; i++) {
var item = data.d.results[i];
self.blogComments.push(item);
//item.FirstName = item.FirstName.toLowerCase();
//console.log(item);
}
console.log("Comment User Info Called");
},
error: function () {
console.log("Comment User Info Error");
}
});
What i want is the picture Url from that user, so i can output an image of that person next to each comment. My Sharepoint is part of big organisation so theres a tonne of restrictions in place, one of which means i can't view the list of users so i can't see what fields i can actually use. Ive seen people use 'Picture' value in the select field, however when i try that the Ajax fails.
url: _spPageContextInfo.webAbsoluteUrl + "/DigiBlog/_api/web/lists/getbyTitle('Comments')/items?$select=Comment,Likes,BlogId,Created,Author/ID,Author/FirstName,Author/LastName,Author/Title&$expand=Author/Id",
All im looking for is the Author Img URl, ive tried Author/[Picture, PictureUrl, PictureUri, Image, ImageUri... and so on]. Ive spent 2 days on this and im not getting anywhere fast!
I either want a way to get the Picture Url or a way to show all the avaiable fields of 'Author' using console so i can find the relevant field i need to select.
Can anyone help? Thanks in advance!
It seems that we could not get picture url directly.
Firstly,you could get user name.
/_api/web/lists/getbytitle('Comments')/items(1)?$select=Owner/Name&$expand=Owner
Secondly,you could use this rest api to get picture url.
/_api/SP.UserProfiles.PeopleManager/GetPropertiesFor(accountName=#v)?#v='domain\username'&$select=PictureUrl
The different versions of rest api versions are introduced here.
Tip:The username obtained in the first step may need to be processed as in the example.
My app has permissions User.ReadBasic.All.
However, when I try to read person in same organization, I only can get name and address info.
GET https://graph.microsoft.com/v1.0/users/someone#example.com
{
businessPhones: [],
displayName: 'Jack Johns',
givenName: 'Jack',
id: '42d4f951-709d-4c13-81da-ab93afbdcda2'
jobTitle: null, // <- here should have value
mail: 'jack#example.com',
mobilePhone: null, // <- here should have value
officeLocation: null, // <- here should have value
preferredLanguage: null, // <- here should have value
surname: 'Johns',
userPrincipalName: 'jack#example.com',
}
After reading Microsoft Graph permissions reference, it seems I need User.Read.All, but it need admin permission.
However, when I use the token got from Graph Explorer's tokenPlease() in console. The GET can return all info correctly. Does that mean Graph Explorer gives me even admin permissions? If that, that is a security issue. (I am sure I am not admin in the organization)
What is the correct permission to read the rest of profile info without admin permission?
Please see https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions. Please read what each of the permissions actually allows. User.ReadBasic.All, as the name suggests, only provides reading a limited set of user profile properties. All other properties are returned as null.
Hope this helps,
I have a problem when creating new application in Horizon(Identity manager GE).
Im logged in as idm user and when creating application, on the first step when i specify name, description, callback and url and press next i get following error:
Error: No Role found with id: 106 (HTTP 404)
Error: Unable to register the application.
What might be the problem?
The mistake was in the Horizons local_settings.py file.
instead of attributes FIWARE_PURCHASER_ROLE_ID and FIWARE_PROVIDER_ROLE_ID pointing to corresponding row ids of table role_fiware like this:
FIWARE_PURCHASER_ROLE_ID = '5786623590bc4f3ab01c61733a13ee6d'
FIWARE_PROVIDER_ROLE_ID = '4806909eb4b646c7a1f11ad9f9ed53ed'
attributes were :
FIWARE_PURCHASER_ROLE_ID = '106'
FIWARE_PROVIDER_ROLE_ID = '191'
I guess that is default configuration for sqlite db.
So if using mysql db just insert correct ids in this file for these attributes from table role_fiware.
I have a small app where users create things that are assigned to them.
There are multiple users but all the things are in the same table.
I show the things belonging to a user by retrieving all the things with that user's id but nothing would prevent a user to see another user's things by manually typing the thing's ID in the URL.
Also when a user wants to create a new thing, I have a validation rule set to unique but obviously if someone else has a thing with the same name, that's not going to work.
Is there a way in my Eloquent Model to specify that all interactions should only be allowed for things belonging to the logged in user?
This would mean that when a user tries to go to /thing/edit and that he doesn't own that thing he would get an error message.
The best way to do this would be to check that a "thing" belongs to a user in the controller for the "thing".
For example, in the controller, you could do this:
// Assumes that the controller receives $thing_id from the route.
$thing = Things::find($thing_id); // Or how ever you retrieve the requested thing.
// Assumes that you have a 'user_id' column in your "things" table.
if( $thing->user_id == Auth::user()->id ) {
//Thing belongs to the user, display thing.
} else {
// Thing does not belong to the current user, display error.
}
The same could also be accomplished using relational tables.
// Get the thing based on current user, and a thing id
// from somewhere, possibly passed through route.
// This assumes that the controller receives $thing_id from the route.
$thing = Users::find(Auth::user()->id)->things()->where('id', '=', $thing_id)->first();
if( $thing ) {
// Display Thing
} else {
// Display access denied error.
}
The 3rd Option:
// Same as the second option, but with firstOrFail().
$thing = Users::find(Auth::user()->id)->things()->where('id', '=', $thing_id)->firstOrFail();
// No if statement is needed, as the app will throw a 404 error
// (or exception if errors are on)
Correct me if I am wrong, I am still a novice with laravel myself. But I believe this is what you are looking to do. I can't help all that much more without seeing the code for your "thing", the "thing" route, or the "thing" controller or how your "thing" model is setup using eloquent (if you use eloquent).
I think the functionality you're looking for can be achieved using Authority (this package is based off of the rails CanCan gem by Ryan Bates): https://github.com/machuga/authority-l4.
First, you'll need to define your authority rules (see the examples in the docs) and then you can add filters to specific routes that have an id in them (edit, show, destroy) and inside the filter you can check your authority permissions to determine if the current user should be able to access the resource in question.