In older version of ejabberd and strophe, the user needs to send room/nickname in 'from'. But in the updated version of ejabberd, what needs to set in from attribute of presence element?
I sent from="123#conf.com/John" where 'John' is the nickname. I received many stanzas, but some of them are without a nickname. Instead, it has ID in number. Is there any reference for that number?
Is there any mechanism/config to get presence specific to a particular chat room in which the user is involved?
As specified in https://xmpp.org/extensions/xep-0045.html#enter the FROM attribute of PRESENCE element must be the user full jid, and the TO must be the room/nickname.
Real example:
<presence id='42:841254'
from='user1#localhost/resource1'
to='room1#muc.localhost/mynickname'>
</presence>
Related
I need to train watson assistant on the following utterance, what is the order status of Bob/Jane or some name.
I tried with #sys-person but it does not recognize all names.
I defined an intent like this
what is order status of #name
and created entity #name as \b[A-Za-z0-9]\b
This is a good use for contextual entities. You can read up on those here:
Contextual Entities with IBM Watson Assistant
All about entities: Contextual entities with Watson Assistanthttps://medium.com/ibm-watson/all-about-entities-contextual-entities-with-watson-assistant-part-2-7697d2b73db0)
The idea is that you don't need your bot to know all possible names in advance, but instead it can recognize a name based on the context within an intent.
To set this up, you'd go to your order status intent and add some training examples such as:
what is the order status of Name
what is the order status of Another Name
what is the order status of Yet Another Name
(These examples can have any kind of name, whether fake or real.)
And then you'll annotate each of those to associate the name with the #name entity, by double-clicking on the name portion of the training examples (i.e. Name, Another Name, Yet Another Name) to bring up the entity selection UI and specifying your #name entity.
After Watson finishes training, you can test it in the "Try it out" window. Enter something like "what is the order status of Charles Flint" or "what is the order status of Thomas Watson" and you should see your #name entity matched. From there, you can access the name specified by the user with #name.value.
Hi JohnDon't wish to dismiss your entity pattern, however from experience I have seen its almost impossible to determine a complete list of people names. I use both #sys-person and my own #names entity which contains over 6,000 common names, and we are still adding missing values to the list. We also have a #bad_names list which contains names that match common words like; summer, cherry, star, cj, etc. By using both your intent or #sys-person or #names, etc in your condition you have a good chance to catch a high percent of the users messages.
I have web app (laravel 5.3, mysql) where users can comment any entity in project (almost every page contains something like chat)
I want to add possibility to mention other users inside message via '#' symbol ("Hello, #John, see here", for example).
When this message is posted to chat user named John must get notification about new message (via email, if he is offline).
Every message is connected to some page (/object/45, for example), so when email is sent user will know the page where he was mentioned.
The question is how to store this inside database?
message field has type text
In this example row would contain this data "Hello, #John, see here" (without quotes).
Problem is that there can be many users with name "John" so I can not not do simple:
select email from users where username = 'John' -- email is used as login
Also username can be something like #John Malkovich, so I have to parse string to find out, if "John" or "John Malkovich" was mentioned.
What is unique - user id.
So how to store this inside database?
Possible solution:
Hello, [user=34], see here - field in database
Parse string before displaying to web browser and replace this string with
Hello, #John, see here
but, obviously, no one can paste literal text '[user=123]' inside message, because it would be interpreted as userid.
P.S. Inside one message many users can be mentioned.
Maybe you could create something like <span value="user34">John Malkovich</span> and parse the value?
Or <span data-user-id="user34">John Malkovich</span> is probably better semantically.
Have absolutely no experience in this kind of stuff though, so don't take me too seriously ;)
So as the title says I'm curious, can user change the ID of an element through browser? I have a list of inputs - checkboxes, when you click on one of them ajax takes ID of that element and uses it to get data from database, so basically what I'm thinking is that if it is somehow possible to change the ID of the element my database wouldn't be secured. If that's possible, how I should protect it?
Okay, So I get the idea that it wouldn't be secured, If I'd use this way:
<?php
$mysqli = new mysqli("host", "user", "password", "database");
$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);
$sql=' SELECT * FROM usuarios
WHERE username="'.$usuario.'"
AND pass="'.$clave.'"
';
$mysqli->query($sql);
$mysqli->close();
?>
would it be enough, or there aren't actually safe enough way to protect data?
You are correct that this would be a security hole. The ID attributes could indeed be changed via the browser console.
Yes, they can change it or just make while request faked and you won't tell the difference. Rule of thumb here is NEVER trust any data that comes from user. It means - always validate, sanitize data on server-side, and always assume data that comes in request are there to fool/trick/hack you.
Yes. The user can do anything they like to the DOM once it is in their browser.
They can also execute any JS they like there.
You're worrying about the problem in the wrong place though. Your control ends at the edge of the webserver. Clients can make any HTTP request they like to it and include any id value they want. You need to address security there and not in the browser.
If you want to secure your database then you need to either allow no HTTP request to lead to the secret data being released / changed or you need to write server side rules that limit which HTTP requests can change them.
Typically this would involve Knowing Who The Request Comes From (Authentication) and Knowing Who Can Access Which IDs (Authorization).
A simple approach would be to keep a database that has a users table (including hashed passwords), a "things" table, and an ownership table (which has a column of user ids and a column of thing ids). If the request doesn't include a username and password you can cross reference from the thing id across the ownership table - return an error message instead of what was asked for.
Using the Box 1.0 REST API, I am trying to work with the functions in SOAP UI.
The API doc for get_managed_users with user_id=12345 (internal id retrieved with get_user_id call correctly) is returning all the users. The docs say that would be the case if you do not specify a user_id value. But my full command is: (Token and API key changed to protect the clueless)
https://www.box.com/api/1.0/rest?user_id=27360&auth_token=blahbalhblah1234&action=get_managed_users&api_key=someKeyYouShouldNotSee
Now I could work with the complete result list, but that won't scale as we get thousands of users into the system.
I can make a call with edit_managed_user, using the same user_id value and the change is reflected in the UI, and in the next get_managed_users call. Thus I do have the correct user_id value, I would so assume.
I tried testuser#gmail.com as the user_id value as well, and get the entire list back. This leads me to believe that somehow I am sending user_id wrong, but I just do not see it.
Any hints? Why, with what seems like a valid user_id value is it acting like it is absent or incorrect?
Most likely you have either called this method with an invalid user_id, or one that is not in your set of managed users. Can you double check that the user comes back in your list of already managed users?
How can I suggest a list of alternate usernames in case user has selected an invalid or existing username?
The suggestions must be somewhat related. Do I need to use a dictionary of possible usernames?
It depends entirely on what you consider "related". It's hard to define such a meaning for usernames, as they often aren't normal English words. You might wish to create a unique username by appending a random stream of numbers, or by changing some of the letters to numbers ('e' to '3' etc). If you will update your question with what you mean by 'relevant' I will try and tackle that specific issue.
Bad idea. Giving away related usernames allows a skillful attacker to deduce which usernames are in use.
IE if I try and register 'RandomUser' and the system suggests using on of:
RandomUser1
RandomUser2
RandomUser3
RandomUser5
Then I can reasonably surmise that RandomUser4 is a valid username.
Look a this:
http://www.onesoft.dk/post/2007/07/ASPNET-AJAX-username-availability-with-suggestions.aspx
Its build using Ajax & JSON. I'm sure you will be able to adapt it to your technology.
Just add more info to the user name that the user seleced. If you colected also info like birthday, you can add to it the year:
user -> user1985
Or if you're getting a first name:
user -> jose_user
Don't use "automatic" information, because it would make it easy for attackers to deduce valid user names.