i setup rules to limit user access like this:
.write": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)",
The problem is, i dont know how to use it on the client side. I am assuming this is duplicate question, but i cant find anything on actual usage of the limited user access.
When user tries to create comment for example, i get an error that permission is denied. Thats desired result, problem is how do i check for the user write permission on the client ?
I was hoping for something like user.canWrite or something along those lines. All i am doing right now is just check if user was authenticated, which he was and there is no mention of read/write access rules in the user object as far as i can tell.
if (this.props.user) {
firebase.database().ref(`comments/${key}/rating`)
.transaction(
(value) => (value += rateValue)
)}
Thanks for any help.
By writing you rule you are setting an authorization to authenticated users to write to the specific node of your database.
Therefore, in the client, you only need to insure that your user is authenticated. This should be done through Firebase Authentication. See the doc for the web here: https://firebase.google.com/docs/auth/web/start
In case the user cannot write to this specific node (either because he/she is not authenticated or because his/her uid is listed under the blockedUsers) he/she will receive an error in the front-end.
Update following our comments below:
If you want to be able "to modify the client UI based on the user's role or access level" you should use another mechanism for setting up the authorization: Custom Claims. See the doc here: https://firebase.google.com/docs/auth/admin/custom-claims.
In this case, in the security rule, you would not check if there is a record under the 'blockedUsers' node but you would check the Claims attached to the token, as explained in the documentation.
Related
I am using jira-client npm module to make API calls on my jira instance, I want to check that if the user has a valid credentials before doing anything else, depending on that I would either:
Tell the user that they don't have a valid username or token.
or Let the user use the project functionalities
is that possible? I am able to make calls and with invalid credentials I will got response with a special message, but I want to know if there is a specific call for checking username and token.
Using normal fetch we can use
https://myJiraInstance/rest/auth/1/session
but for jira-client module it seems there is no way, however we can use findproject method in this way we can make sure that the user has a valid credentials as well as have access to the project itself.
If there any other solution I would be happy to have it.
I don't know if my question is inside the proximity of what I should be asking on stack overflow but if so...
Why do we need to write security rules in 'Firebase "Rules"' when I can literally just go into my client code and say:
db.collection("users").get().then(res=> {
res.docs.map(user => {
if (user.data().uid !== auth.currentUser.uid) {
// do something I'm about to put in this code snippet
}
})
})
Like, can someone just get in my client-side code and write whatever they want and that's why we need to write code in the security rules within the Firebase console?
It also confuses me why we need Firebase functions when we can simply do the logic on the client-side although I can understand some stuff needs to be done server-side.
But just for the scope of this question, can someone explain to me clearly why we can't just write our security inside of our code to make things work?
Hopefully I was thorough with the info. Thanks.
Firebase also has a REST API which allows anyone to make requests to your Firebase services directly without any of your code in play.
So even if reverse engineering and modifying the code was impossible, there's the REST API.
You must not trust client applications (especially web apps) and always validate the incoming data and ensure only authorized users can modify it.
How would they get the information needed to make API calls to my database though? And wouldn't they need a key?
If you check the Firebase config, it contains an API key which is used to identify your Firebase project only and there's no risk involved in that being visible.
Now that anyone on the internet knows address of your database, they can use it with REST API if you don't have any security rules setup.
Do note that after running the db.collection("users").get() query, all the documents have been fetched already (and data should be visible in network tab) from Firestore and then you are just looping over all the documents to find one that matches the current user's UID.
This query without security rules is insecure (unless listing users is a feature of your application):
db.collection("users").get().then(res => {
const user res.docs.find(user => user.data().uid === auth.currentUser.uid)
})
Instead you should use queries or access user specific documents and have security rules as shown below to ensure a user can read/write their own data only:
db.collection("users").doc(auth.currentUser.uid).get().then(res => {
console.log("user:", res.data())
})
// Security rules
match /users/{userId} {
allow read, write: if request.auth.uid === userId;
}
I have a job script that is executed every 5 minutes by the scheduler. This script search for specific Workitems and change them. The script is working well if I execute it manually because then I am the "current User" and have enough permissions to write in the svn. BUT if the scheduler execute it the current user is: "polarion" and he did not have write acces to the svn which is a bit strange but ok.
The error is:
Caused by: com.polarion.platform.service.repository.driver.DriverException: Sorry, you do not have access to the Subversion Repository. Please contact your Polarion or Subversion administrator if you need access.
at com.polarion.platform.repository.driver.svn.internal.JavaSvnDriver.handleSVNException(JavaSvnDriver.java:1732)
at com.polarion.platform.repository.driver.svn.internal.JavaSvnDriver.endActivityImpl(JavaSvnDriver.java:1564)
at com.polarion.platform.repository.driver.svn.internal.JavaSvnDriver.endActivity(JavaSvnDriver.java:1496)
at com.polarion.platform.internal.service.repository.Connection.commit(Connection.java:736)
... 42 more
Caused by: org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: CHECKOUT of '/repo/!svn/ver/54/Sandbox/7023/.polarion/tracker/workitems/100-199/7023-193/workitem.xml': 403 Forbidden (http://localhost)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:68)
I can´t find the user "polarion" in the user Management so I could not give him more rights.
Is it possible to execute the write access from a other user or something similar?
the user "polarion" is used internally for reading information from Polarion's SVN Repository. It usually not writing ("committing") into the repository as this is usually done under the useraccount of the logged-in user.
There are two solutions to your problem:
The quick and easy fix: modify the svn access file, so that polarion user has write access to the repository. This is quite easy doable from Polarion itself with the build-in access editor under administration->user management->access management. This is potentially unsafe as the password of the polarion user is in cleartext in a config file on the server so anybody with access to the server can modify the SVN-Repository.
use the ISecurityService.doAsUser(..) function to perform your action as a different user. Usually you can put the credentials into the Polarion Vault to retrieve them without exposing usernames and passwords.
Here is an example:
subject = securityService.loginUserFromVault(vaultKey, vaultKey);
retVal = securityService.doAsUser(subject, new PrivilegedAction<Object>() {
public Object run() {
Object ret = null;
try {
ret = doAction();
return ret;
}
}
});
Needless to say the second method is the safer way to work, but it is more work as well :)
There are two sides, Admin and Users. I am using the same database in firebase for both Users and Admin. It means that Users that are registered in my firebase authentication, can login to Admin webpage. How do i allow only specific admin's email to login into the Admin page.
For example:
Admin has an email of admin#admin.com
User has various email like 123#gmail.com, 222#gmail.com and etc.
What i want is only to allow admin#admin.com to be able to login into the Admin page but restrict login for User emails to login to the Admin page.
Using a Javascript, a simple solution would be to split the email String on the #, which will return you an Array of substrings and compare the second part which is the domain. Then, you could condition the rest of your code to work only if the criteria is true.
An example would be:
const allowedEmailDomain = 'admin.com';
const email = 'test#admin.com';
if (email.split('#')[1] === allowedEmailDomain) {
// do something, we accept this email
} else {
// return an error or do nothing
}
I make the assumption that, on the back-end side, your application is correctly secured, i.e. you have security rules in your database that only allow the users with an "admin" profile/role to read or write "admin" data in the database.
If this is not the case you MUST set correct security rules, since securing your Firebase instance only from a front-end perspective is not sufficient, as it is not very difficult to reverse engineer your app code and write some JavaScript code that will interact with your back-end. For that you could use Custom Claims.
So, with this assumption, it means that you need to adapt your front end in such a way the admin screens are only seen by the admin users.
One of the best answer is again to use Custom Claims, as explained here https://firebase.google.com/docs/auth/admin/custom-claims#access_custom_claims_on_the_client (Section "Access custom claims on the client") and in this official Firebase video: https://firebase.google.com/docs/auth/admin/custom-claims#access_custom_claims_on_the_client
Note that trying to block a user based on his email domain may not be a good solution as it is easy, in few lines of JavaScript code, to register to your Firebase project as a user with a mail like whatever#admin.com or with any other email (using createUserWithEmailAndPassword)
Just block every other domain as #admin.com.
$allowed_domains = array("admin.com");
$email_domain = array_pop(explode("#", $email));
if(!in_array($email_domain, $allowed_domains)) {
// Not an authorised email
}
It's simply. Make an array for allowed domains, explode by #, get the last element of the array and check if it exists in the allowed domains array.
I'm building a Slack integration that is intended to modify some text and then post it to a Slack channel as though the user who triggered the command had said it.
e.g. /makeFace disapproval
#Ben 3:45pm
ಠ_ಠ
I ask for the client permission scope, which adds the chat:write:user permission. But when I hit the chat.postMessage endpoint, it only seems to allow you to post as the user who added the integration because the token it returns seems to be individuated for that user.
I know that giphy, for instance, sends its gif messages as though you are the originator, but I can't find out how they manage it. Is there any documentation for sending messages as other members of the team?
There are 2 ways to achieve this:
A. Overwriting username and icon
When you send a message with chat.postMessage it is possible to set a user name with the property username. The message will then appear as being send by that user (same for icon with icon_url).
However, this is not meant to impersonate real users, so even if you use the same username and icon as the real user the message will have the app tag, so that they can be distinguished from a real user.
Here is an example how it looks like (from a gamer Slack about flying and killing space ships):
But depending on what your requirements are that might work for you.
If you want to use it make sure to also set the as_user property to false (yes, really) and it will not work with a bot token, only with a user token.
See here for more details on how it works.
This also works for the legacy version of Incoming Webhooks, not with the current version of incoming webhooks though. (You can still get the legacy version, see this answer)
B. Having the user's token
Another approach is to always use the token from the respective user for sending the message. In combination with as_user = true messages sent by your app will look exactly as if they would come from the respective user (no APP tag).
To make that happen your app would need to collect tokens from all users on your workspace and store them for later use. This can be done by asking every user to install your app (called adding a "configuration") through the Oauth process (same you use to install your app to a workspace), which allows your app to collect and store those tokens for later use.
Update: This doesn't work. It impersonates the user who installed the app, so it merely seems to work... until another user tries to use it (and they end up impersonating you).
Go to your App's management page. Select "OAuth & Permissions".
Add the chat.write OAuth Scope to your app as a User Token Scope, not a Bot Token scope.
Take note of your User OAuth Token at the top of this page (not your But User OAuth Token).
Call chat.postMessage with
username = user id of the user you'd like to post on behalf of
token = the token from step 3. above
The resulting post will be 100% impersonated. Not just the name and icon as mentioned in other answers, but it'll 100% function as if it came from the user.
I hope this will help those who are still facing this issue.
First give the chat:write and chat:write.customize scope to your bot. The scope chat:write.customize Send messages as #your_slack_app with a customized username and avatar
From "OAuth & Permissions" settings get the bot OAuth token or even bot access token (both will work).
Then set the arguments like the following.
username to specify the username for the published message.
icon_url to specify a URL to an image to use as the profile photo alongside the message.
icon_emoji to specify an emoji (using colon shortcodes, eg. :white_check_mark:) to use as the profile photo alongside the message.
You can visit the docs from here