I'm writing a Box App for enterprise use. The scenario is the application scans the user account, and changes the permission of certain file (which we believe it's sensitive) to 'disallow download'. Good thing is it can be done, however, when user logins, he/she can easily change the permission back to 'allow download' from webpage. Is there any way to prevent user changing the permission back? Any idea?
Lock unlock functionality is coming soon in the V2 API. Stay tuned for a blog post in the next week or so.
Related
Users of my web app have requested an "offline mode" that stores their work on the hard drive while an Internet connection is not available. They could be offline for anywhere from a few minutes to multiple weeks, so in order to prevent loss of their work, I'll need to be able to persist the data, even when under storage pressure (using IndexedDB without the proper permissions could result in data loss).
I read on Google Developers that the asynchronous navigator.storage.persist() method can be used to request the user's permission to store files, but that doesn't work on Chrome - the promise always returns false without prompting the user.
Then I read here that Chrome may decide not to show a permissions popout, but instead grant or deny persistent storage permission based on a precalculated decision. This appears to be based on the following:
The site is bookmarked (and the user has 5 or less bookmarks)
The site has high site engagement
The site has been added to home screen
The site has push notifications enabled
If any of the above are true, the permission is already granted, and if not it's automatically rejected. This means that in Chrome, there's no difference between navigator.storage.persist() and navigator.storage.persisted(), even though the first is supposed to be a permissions request and the second is supposed to be a permissions check.
I've already built in-app UI for requesting persistent storage permissions, so all I need is a sure-fire way to get the permissions popout to show in Chrome so the user can grant or deny that permission. Since I can't control the first three conditions, or reasonably ask the user to satisfy them, it seems like my only option is to ask for permission to show push notifications, which is unfortunate because that is not the permission I need and I have no interest in showing push notifications. A permissions request like that would likely confuse users.
Is there a more clear, user-friendly way to get permission to use persistent storage in Chrome?
If any of the above are true, the permission is already granted, and if not it's automatically rejected.
This is incorrect; the permission must still be requested. Until it is requested/granted the origin will still be treated as "best effort". The site must explicitly request the permission. You can observe this by calling persisted() prior to calling persist() on a site that has never requested the permission.
all I need is a sure-fire way to get the permissions popout to show in Chrome so the user can grant or deny that permission
Chrome does not have a permission popup for this permission, so there is no such way.
The preferred model is to not offer guarantees about offline capability until the permission is granted; that is, request the permission and only show any sort of "your data is absolutely definitely available offline" assurance once it has been granted.
As mentioned by Joshua Chrome does not have a permission popup for this permission.
What I did was manually enabled the push notification in the site settings for my website.
This was enough for Chrome to grant my website persistence storage permission.
First I apologize if I'm a dolt and am missing something obvious, but I've spent a few hours scouring documentation and am lost.
I'm trying to write a python script that will upload a bunch of images to a single user's Google Drive. The user already exists and will never change. I am not writing a web app and don't plan to use any user interface whatsoever. Everything will be done through code.
As best I can understand from the Google documentation, I have two choices:
1) Write a web app and register it to use the Drive DSK. This of course requires having urls and such for the web app.
2) Create a service account, which ties my "app" to a new service account email.
Neither of these options works for me. Is there any way to simply log in to a single user account and access their drive through python scripting?
There is a deprecated API called ClientLogin that would enable you to use the username and password for a login to access that Drive data.
But the basic idea is that you should be using something more secure -- from your users' point of view -- that allows them to authorize you without giving you their password.
For your use case it is possible that the user is you or someone you know and that you are accessing their account through a more personal kind of authorization. In that case, ClientLogin may be your best choice. If this is an application designed to be used by arbitrary users, the deprecation of ClientLogin is for a good reason and I would urge you to bite the bullet and choose one of the supported options.
The correct solution is to separate the authorization phase from the access phase. The authorization process needs to be run one time only, and can be done from a simple web site. The result of this is a refresh token which is analogous to a username/password. You will need to be aware of the security implications. Make sure you only grant drive.file scope to minimise the impact of a security breach.
Since you are uploading images, you might also want to look at the picassa api.
If I specify access_type=offline in the auth url and a user attempts to auth a second time I get a box that says it is asking for offline access.
I would have expected it to be already authorised and so not require additional permissions
Any ideas?
Edit:
A bit more info. The first time around it makes no mention to the user of needing offline access. I would have thought the offline permission to be mentioned in the original auth anyway.
Edit 2:
Some more info on my use case. It is possible in our system for a person to have two accounts but then use the same google drive account. This means that we have no way of knowing that user has already authorized with google and so have to present the authorization again for the second user.
The first time around (for user 1) you are told that the app is asking for :
View and manage Google Drive files that you have opened or created
with this app
View and manage the files and documents in your Google
Drive
The second time around (for user 2) you are told the app is asking to:
Have offline access
This seems wrong to me.
As an aside:
The whole "have offline access" statement is very confusing for a user and also quite misleading. Most people assume this means the app can read the contents of your pc. In fact it means that the app can authenticate with your account with out you being there (i.e. using a refresh token).
My users store some data on my website that they might like to backup on another site, for example dropbox or google docs.
Is there a way for me to save their data into their accounts but (here it comes...) without knowing their password? Like Paypal, where only Paypal sees your password, except more complicated because the user needs to ok that data be copied into their account?
Or does anyone have any clever ideas about this? They could, of course, just copy it to their desktop and drag it in from there. But maybe a nice way to do this??
Or just use the Saver: https://www.dropbox.com/developers/dropins/saver
No auth required. The user just logs in (if not already) and chooses a location, and the file gets saved into their Dropbox.
That is basically what OAuth2 does.
User accesses Google Drive/Dropbox website and log in to grant you access.
Then, you will get special access code which you can use to save data without you knowing user's password.
Here are some links you might find useful:
https://developers.google.com/accounts/docs/OAuth2
https://www.dropbox.com/developers/blog/45/using-oauth-20-with-the-core-api
How can i disable or delete an user in mediawiki?
I can delete the records from the db but i am not sure if this would affect anything else in the wiki.
Any suggestions would be welcome
Thanks
Prady
1. This solutions is available out of the box for MediaWiki 1.16+
The user and all the contributed content will remain but they will not be able to log in any more.
There are two steps that need to be done:
First block the user using the link in Special Pages.
Blocking can be performed against user id or IP address to prevent them from editing the wiki.
They will still be able to log in and view content.
Then in LocalSettings.php add $wgBlockDisablesLogin=true; ($wgBlockDisablesLogin).
Now upon logging in the user will be greeted with Login error. This user is blocked. Login not allowed..
2. This solutions requires an extension that works with MediaWiki 1.29+
If you want to completely remove access to a user, e.g. on a simple private wiki, it's not possible to simply delete the account (unless no edits have been made); you can block it, but the user will still be able to read pages. However, using User Merge and Delete extension you can merge the account in another one and delete the former; the original account will then "disappear".
Also:
If you want to preserve history readability (i.e., to have edits from the user to be still shown under his name), you can create a new account e.g. with username "OriginalUserName (deactivated)" and then merge "OriginalUserName" into the former, or even use Renameuser extension.
I suppose if you wanted to revive the user later on you would need to repeat this process but this time you would merge OriginalUserName (deactivated) into OriginalUserName.
See Preventing Access page in the MediaWiki manual.
There's a special page that Admin users can see, /Special:BlockIP. Block them there.
You can also get to it from the Special Pages page, /Special:SpecialPages.
you could also reset the password of the user via
/Special:PasswordReset
note: I would not recommend deleting data via scripts in the DB. there are various functionalities for rolling back unwanted user edits, merging contribution from one user to another, etc.