using `update mask` to change ownerId on google classroom class - api

I am trying to use the Google Classroom API to change the ownership of a class from one ownerId to another in my organisation. What is the code for the updateMask field in order to only change the ownerId and nothing else?

To achieve your goal, you must use the Method: courses.patch endpoint. You can even practice by using the Try this API.
id refers to the course id.
updateMask refers to the attribute you want to modify.
Request body refers to the data you are going to pass to change it, e.g.:
    {
      "ownerId": "email@domain"
    }
Then just click EXECUTE and sign in to your account to be able to interact with the API.
Notice
To list your courses and get their ids, you can use the Method: courses.list endpoint.
You can only transfer course ownership if the other user is a co-teacher.
EDIT
    "error": {
      "code": 400,
      "message": "@UserInIllegalDomain Invitation cannot be created for user in this domain",
      "status": "FAILED_PRECONDITION"
Sorry, the error you are getting after deleting a user in your organization who was a course's owner and then trying to change ownership to someone else is a well-known bug, as you can see in these two pages:
Failure when adding a teacher to an active course
Deletion of primary teacher from the domain orphans classrooms. You can hit the ☆ next to the issue number in the top left on this page, as it lets Google know more people are encountering this and so it is more likely to be seen to sooner.
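The request described in this answer as code, with a pre-check for the co-teacher rule in the Notice and a classifier for the error body quoted in the EDIT. This is an added example, not code from the answer; the endpoint path and the updateMask query parameter are those of the public Classroom REST API, while the helper names and the example ids are mine.

```python
"""Build the pieces of a Classroom courses.patch request that changes only
ownerId, and label the error body from the EDIT. The mask is derived from
the body keys, so the server is told to touch exactly those fields."""
import json
from urllib.parse import quote, urlencode

CLASSROOM_BASE = "https://classroom.googleapis.com/v1"

def build_course_patch(course_id, fields):
    """Return method, url, headers and body for PATCH courses/{id}?updateMask=..."""
    if not fields:
        raise ValueError("nothing to update")
    update_mask = ",".join(sorted(fields))  # for the question: just "ownerId"
    return {
        "method": "PATCH",
        "url": f"{CLASSROOM_BASE}/courses/{quote(course_id, safe='')}?"
               + urlencode({"updateMask": update_mask}),
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(fields),
    }

def build_owner_transfer(course_id, new_owner_id, teacher_ids):
    """Ownership transfer; refuse up front unless the target is already a
    teacher on the course (the Notice: only co-teachers can become owner)."""
    if new_owner_id not in teacher_ids:
        raise ValueError(f"{new_owner_id} is not a co-teacher of course {course_id}")
    return build_course_patch(course_id, {"ownerId": new_owner_id})

def classify_patch_error(response_json):
    """Map an error body to a short label; 'ok' when the response has no error."""
    err = response_json.get("error")
    if not err:
        return "ok"
    msg = err.get("message", "")
    if err.get("status") == "FAILED_PRECONDITION" and "UserInIllegalDomain" in msg:
        # The case in the EDIT: the previous owner was deleted from the domain.
        return "user_in_illegal_domain"
    return f"{err.get('code')}:{err.get('status')}"

# Constructed error body, copied from the EDIT above.
ORPHANED_COURSE_ERROR = {"error": {
    "code": 400, "status": "FAILED_PRECONDITION",
    "message": "@UserInIllegalDomain Invitation cannot be created for user in this domain"}}
```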

If the original teacher's account is no longer active because it has been deleted from the domain, then there is no way to change the ownership. The only way to change ownership of the class is by logging in as the original teacher and changing ownership in the Google Classroom UI.
Follow this documentation:
https://support.google.com/edu/classroom/answer/7449476?hl=en
From the APIs you can do it by calling the API with the original teacher's token. But if the original teacher is no longer active, then that token will also cease to work. There is a bug logged with Google for a similar issue (not the exact same issue) where the original teacher is deleted from the domain:
https://issuetracker.google.com/issues/146050145
In the meantime, the workaround for this scenario is to ask the school domain admin to restore the original teacher's account from the Google Classroom Admin console User Mgmt area. Then impersonate that user by logging in with the account and temp password and carry out the steps as per the documentation to change ownership to the new teacher. For workaround steps refer to this comment from the Google issue tracker for the related bug: https://issuetracker.google.com/issues/146050145#comment2

Related

Hyperwallet API, remove a user / a transfer method

My problem is that on my development system, I flushed all my users, and now I don't have the Hyperwallet user's id. I could retrieve it from the Hyperwallet API and put it back in place. But what if I want to recreate the user's Hyperwallet account?
The error is "DUPLICATE_EMAIL_REGISTRATION" and I couldn't find a single way of removing the user from hyperwallet.
This is the same for the transfer method, which states "DUPLICATE_EXTERNAL_ACCOUNT_CREATION", but I do not have, neither in the API nor in the sandbox interface, the possibility to remove a transfer method.
How do you achieve this? I'd like to not create a new sandbox account just to start from scratch, because once in production, I won't be able to resolve this problem.
EDIT:
The whole documentation doesn't contain a single mention of the possibility to delete an account nor to create a new account with the same email.
Also, users contain an attribute "Status", but the "Update user" section doesn't mention the possibility of updating the said status, and the "status transition" chapter only allows changing the "status" for bank accounts/prepaid card accounts/PayPal accounts etc. But it doesn't seem possible to change the status of the user itself.
Sorry for the issue, we're actually in the process of rolling out this documentation.
There are 2 ways of solving this:
1) we can close existing accounts for you, so you are able to recreate them
2) we can provide you with a report of existing accounts, so you can backfill your system. Accounts in our system have your reference id (clientUserId) as well as ours (token).
Please contact our Developer Support (devsupport@hyperwallet.com), reference me and add a link to your question here. We'll be happy to assist you.
Thank you,
Willem

GetstreamIO Chat Moderation

I'm using Getstream.IO to implement a Livestream type chat.
I see that in the Getstream.IO docs under Default Permission Policies a moderator is able to update and delete a message.
When I set a moderator on a channel and login, though, a moderator is only able to update their own messages. I need a moderator to be able to edit and delete another user's message.
I see that in the docs for Object Ownership Getstream.IO says, "If applicable, ownership of the entity is taken into account. This parameter allows you to grant users the ability to edit their own message while denying editing others’ messages. Permission policies are organized as list ordered by priority. A permission policy has the following fields ..."
How can I list existing permission policies or create a new permission policy using the python API?
At a higher level, using the server side python API or the client side API, is there a way to make it so that Moderator roles do not have the ownership of the entity taken into account?
UPDATE -
Using client.get_channel_type("livestream") I can see that channel_moderator has the ability to UpdateMessage and DeleteMessage and owner is False, as I expect.
Unfortunately, that is not the behavior I see when I log in as a user for whom I have performed channel.add_moderators([user_id]), which shows that the changed user has is_moderator set to True, but the user has the role of user. Do I also need to add a role of channel_moderator to the user? Is this documented anywhere?
UPDATE 2:
I see that in stream-chat-react, Message.canEditMessage and Message.canDeleteMessage are determined by this.isMyMessage(message) || this.isAdmin();, so it appears that unless one overrides the Message component, the moderators need to be Admin in order to edit a message they do not own.
UPDATE 3:
I can see that in the tests for channel_permissions in stream-chat-js that a moderator is indeed supposed to be able to edit and delete a message, just as the permissions matrix in the documentation specifies. I still cannot find a way to get stream-chat-react to allow moderators to update or delete a message, however; it's not easy to understand how best to override Message.canEditMessage, since MessageList.render() automatically constructs using the default Message class.
UPDATE 4:
I was able to get a user added as a moderator to be able to edit and delete posts, but only after making that user a global admin. I have users that I want to be moderators in a channel but not have the abilities of an admin. I've cross-posted an issue to stream-chat-react: Allow Moderators to Edit and Delete Messages Without Being Admin.
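A small model of what the quoted docs describe (policies ordered by priority, an ownership flag that narrows a policy to the caller's own entity) next to the client-side check named in UPDATE 2. This is an added illustration, not Stream's implementation or API: the policy field names, the priorities and the "*" resource wildcard are my assumptions, and only the role and resource names quoted on the page are taken from it. The point it makes is that the UI check only decides which buttons to show; the server-side policy is what actually authorizes the edit.

```python
"""Priority-ordered permission policies with an owner flag (model, not Stream's code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int          # higher priority is evaluated first (assumption)
    roles: frozenset       # roles the policy applies to
    resources: frozenset   # e.g. "UpdateMessage", "DeleteMessage"; "*" = any
    action: str            # "Allow" or "Deny"
    owner: bool            # True: applies only to the caller's own entity

# Constructed policy set echoing UPDATE 1: channel_moderator may update and
# delete with owner False; plain users only their own messages.
POLICIES = [
    Policy("admins", 999, frozenset({"admin"}), frozenset({"*"}), "Allow", False),
    Policy("moderators", 500, frozenset({"channel_moderator"}),
           frozenset({"UpdateMessage", "DeleteMessage"}), "Allow", False),
    Policy("own-messages", 100, frozenset({"user", "channel_moderator"}),
           frozenset({"UpdateMessage", "DeleteMessage"}), "Allow", True),
    Policy("default-deny", 0, frozenset({"user", "channel_moderator", "admin"}),
           frozenset({"*"}), "Deny", False),
]

def is_allowed(policies, role, resource, is_own):
    """The first matching policy in priority order decides; no match denies."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if role not in p.roles:
            continue
        if "*" not in p.resources and resource not in p.resources:
            continue
        if p.owner and not is_own:      # ownership narrows, never widens
            continue
        return p.action == "Allow"
    return False

def react_can_edit(is_my_message, role):
    """The stream-chat-react check quoted in UPDATE 2: isMyMessage || isAdmin."""
    return is_my_message or role == "admin"

def moderator_aware_can_edit(is_my_message, role):
    """A client check that mirrors the server policy for channel moderators."""
    return is_allowed(POLICIES, role, "UpdateMessage", is_my_message)
```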

How do I regain ownership over a Google Developer Console project when the current owner has left the company?

The background
I added an employee to a Google Project in Developer Console a while back. For reasons unclear to me now, I added him as an Owner.
I was then relegated to the Editor role. He left the company and his GSuite account was deleted.
We have used the service credentials for the project throughout many client accounts, so recreating the project isn't an option.
We have recreated his email account, but there seems to be no way of resending an invite from the Google Project.
The project belongs to no organisation (again, my mistake!)
The problem
I need to become the owner of the project again so I can remove him. How can I achieve this?
Thanks in advance for your help!
Your best bet is to restore the GSuite account, assign it a new password and then use it directly. Outside of recovering the account there are no alternatives other than contacting GCP Support. To speed up the process, provide as much documentation as possible to show that the previous owner no longer exists.
Not being in your organization may be a real hassle. Do they use the same associated billing accounts?
Imagine how this looks for GCP, a member on a project wants to be owner and they can't contact the original owner to get confirmation. If they make you the owner they are then responsible if you remove the original owner who did not actually want to make you an owner. They will likely link you to the account recover page, with a statement that they're not able to do it. Best of luck!

REST Api an invitation to hackers for injection?

I am new to REST APIs, I am actually not looking for any workarounds, I just need to clear my concept because I know I am missing some very important information which can easily solve my problem.
For example, I made a small website, let's say using angular.js, where I list some information or some items.
Consider it an open website for now; everyone gets the same list. Anyone can come to the page and see the list of items. Simple.
Let's say the URL to this list is
https://www.example.com/api/list/v1
Result returned
1. abc
2. cde
3. efg
4. hij
Perfect!
Now my site got traffic, and I decided to implement users on my website, so that every user can only see his own information.
So I changed the rest api url to this:
https://www.example.com/api/list/v1/12345
where 12345 is userid.
The user with that user id came to the website, logged in, and browsed the list; by chance he looked at the page source and found the URL that lists the information.
He copied the URL and started trying different user ids; he might get lucky at any time.
I am not talking about implementing any type of security up till now; there must be several ways to secure it.
My main concern is: isn't this a large security hole, or we could call it an invitation, for injections?
So I just want to clear up my understanding: where am I wrong?
Thanks
This is not some security loophole. This is the way it is supposed to work.
Let's put aside the case of APIs. Consider this simple example:
I have a URL: www.example.com/jobs/
This will list all the jobs on my website. No authentication or permission of any sort is required to access this data. I am providing it to every user that visits my website. Now I need a way to figure out whether the user visiting my website wants to filter the jobs available on my website. So I provide this option in URL kwargs. This will look something like:
www.example.com/jobs/java/
So, now the list will contain the data only for Java jobs. Plain and simple.
Now some day I decide that I will let only registered users view Java jobs. So I introduce a new check in my View that lets you access the Java jobs only if you are logged into my website. Otherwise it redirects you to the login page. Depending on the requirement, you put restrictions on the data being sent to the user.
The same is the case with APIs. If you allow the data to be available to any user that uses the API, there is a flaw in your design and not in the concept of APIs. APIs are just the implementation of your logic.
If you don't want a user with id 12345 to access the data of a user with id 123, you have got to restrict the permissions in the API code. You have got to handle this yourself. The API will respond to your code.
Hope this clears out everything.
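The answer's point in code: the question's URL-keyed handler beside one that authorizes against the logged-in session rather than the id in the path. This is an added example, not code from the answer; the in-memory store, the session shape, the route and the choice to answer a mismatched id with 404 (so the API does not confirm that the other id exists) are my constructions.

```python
"""Per-user list endpoint: the design from the question vs a session-bound one."""
import re

# Constructed data store: user id -> that user's private items.
ITEMS = {
    "12345": ["abc", "cde"],
    "123": ["efg", "hij"],
}
ROUTE = re.compile(r"^/api/list/v1/(?P<user_id>[^/]+)$")

def list_items_insecure(path):
    """The question's design: whoever supplies an id in the URL gets that
    user's data, so guessing ids walks through every account."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    return 200, ITEMS.get(m["user_id"])

def list_items_secure(path, session):
    """Authorize against the authenticated identity, never the URL alone.

    session is None for anonymous callers, else {"user_id": ...}. A path id
    that is not the caller's own is answered like a missing resource.
    """
    if session is None:
        return 401, None
    m = ROUTE.match(path)
    if not m or m["user_id"] != session["user_id"]:
        return 404, None
    return 200, ITEMS.get(session["user_id"], [])

def list_my_items(session):
    """Simplest form: a /api/list/v1/me style route that carries no id at all,
    so there is nothing in the URL for a client to tamper with."""
    if session is None:
        return 401, None
    return 200, ITEMS.get(session["user_id"], [])
```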

What are the best practices to prevent staff taking over user accounts by editing the email address?

We are building a CRM type app although this would apply to any application where there are "members" and "staff" e.g. a shopping site, dating site, facebook etc.
In our app, users can change their password the usual way, by resetting it with email confirmation. Users can also have more than one email address associated with their account.
What we are trying to work out is how to prevent staff using the system from taking over accounts. We want staff to be able to edit the email address (because someone may phone in and request a change); the issue then is that they can simply change the email to one they control and request a password reset as the user.
Are there any recommended best practices for this?
You could require the user to also authenticate the action by other means, such as when the email address is changed the user is sent a confirmation code via text message that they must input somewhere.
Another means would be to only allow access to the account if certain information is entered correctly. This could be address information or DOB. It is unlikely that this information could be guessed from something like a name or account number.
1) Add one of those silly security questions like "What is your favorite color?" and store the answer, encrypted, in the database. Staff could edit the email to their heart's content, but if they didn't know the answer to the secret question the system wouldn't let them change the password. If you have concerns about staff trustworthiness, then you need to introduce something outside their control that serves as a final gateway before you can change the user account.
I imagine a simple implementation would simply check to see if the user reset their password. If so, on login, it challenges them with the security question to "authenticate" them before allowing them to proceed.
2) Logging, monitoring, and auditing. Record which staff accounts accessed the email address change form, which address(es) they changed, what they changed them to, and when they changed them. Also record the connection information of the people accessing the accounts. If your logs show one IP address accessing 4-5 completely disparate accounts, you might need to look into that. (Yes, I know you can use proxies etc. to mask this. Not perfect, but it'd weed out the chaff pretty fast.)
3) Hire trustworthy people! #2 should really only need to be used as a "check" against abuse instead of the be-all and end-all to stop it.
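Point 2 turned into detection logic over audit records: one rule for a single staff account and IP touching many disparate accounts, and one for the takeover sequence the question describes (a staff-edited email address followed shortly by a password reset on that account). This is an added example, not from either answer; the log format, field names, window sizes and the 4-account threshold are my assumptions, and the log lines are constructed.

```python
"""Detect staff-driven account takeover patterns in constructed audit log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp followed by key=value fields.
LOG = """\
2024-03-01T09:00:00Z event=email_change staff=bob ip=203.0.113.7 account=1001 new=m1@example.org
2024-03-01T09:03:00Z event=password_reset staff=- ip=198.51.100.9 account=1001 new=-
2024-03-01T09:10:00Z event=email_change staff=bob ip=203.0.113.7 account=1002 new=m2@example.org
2024-03-01T09:12:00Z event=email_change staff=bob ip=203.0.113.7 account=1003 new=m3@example.org
2024-03-01T09:15:00Z event=email_change staff=bob ip=203.0.113.7 account=1004 new=m4@example.org
2024-03-01T11:00:00Z event=email_change staff=carol ip=203.0.113.8 account=2001 new=c@example.org
2024-03-01T18:00:00Z event=password_reset staff=- ip=198.51.100.20 account=2001 new=-
"""

def parse(log):
    """One dict per line; 'ts' becomes an aware datetime."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(event)
    return events

def fanout_alerts(events, window=timedelta(hours=1), threshold=4):
    """Answer's rule: one staff/IP pair changing emails on many distinct
    accounts inside the window. Returns [((staff, ip), sorted accounts)]."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "email_change":
            by_actor[(e["staff"], e["ip"])].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window from each event
            accounts = {e["account"] for e in evs[i:] if e["ts"] - start["ts"] < window}
            if len(accounts) >= threshold:
                alerts.append((actor, sorted(accounts)))
                break                            # one alert per actor is enough
    return alerts

def takeover_alerts(events, max_gap=timedelta(minutes=30)):
    """Question's scenario: staff email change, then a reset on the same
    account within max_gap. Returns [(staff, account, new_email)]."""
    changes = [e for e in events if e["event"] == "email_change"]
    resets = [e for e in events if e["event"] == "password_reset"]
    return [(c["staff"], c["account"], c["new"]) for c in changes for r in resets
            if r["account"] == c["account"] and timedelta(0) <= r["ts"] - c["ts"] <= max_gap]
```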