Advice on implementing secure page with a list returned from REST API - piranha-cms

I'm new to Piranha CMS and just trying to get my head around it. I'm using the MVC implementation and I need to do the following:
I need to extend the User with a property that stores an account number.
I need a page that is only accessible once the user logs in
On this page, I need to call a REST API on another server, using the account number as a parameter, to retrieve a list of documents that the user has stored on this server.
When the user clicks the document, it will be downloaded as a PDF using the REST API once again
I just need general guidance on how to do this. How do I store the account number against the user (and manage this) and do I need to create a new Region that will show the list of documents from the remote server. Is there an example of creating a new Region anywhere and maybe returning a list from SQL that I can adapt?
Any help gratefully received.
Thanks in advance
Mike

The easiest way is to implement an extension with your custom fields that you attach to the user where you store this information.
When editing a page, go in under "settings" and select which groups should have access to your page. For this purpose I suggest creating a new group for site users that are not admins.
This should be easily implemented in either the controller or model for your page. When the user is logged in "User.Identity.Name" is the user id. Get the user, load the extensions & use the account number.
See number three.
Regards

Related

how to retrieve templates for different user accounts

I have one account in docusign which has 3 users for it. We have a requirement of retrieving templates of users for that account. The Template:List API is retrieving all the templates of the account. There is also one path parameter named user_id but it is not retrieving the templates of particular user account instead it is retrieving all templates.
Is there any way through the REST API to retrieve the list of templates of a user account?
If there is, please provide the REST API details or a link.
From my own testing, it appears you're right. This could be a bug, I'm not sure and I'll follow up but this may take time.
Two possible workarounds:
Make the API call in the context of the user whose templates you wish to get. Basically, you'll need to obtain an accessToken for the API for that user. With JWT that is very simple, just use the userID when you ask for the token (but you do have to get consent).
Filter the list of templates you get. The list does include information about the owner of the template (again, userID) but you'll get all of them and have to do the work to find the ones you want.
(Update 5/26/2020: confirmed with engineering this is a bug. It is tracked under TT-3290).
(Update 6/23/2020: bug was resolved, will be deployed shortly)

Limited edit rights on pages in Piranha.Core

I've found piranha.core cms this week and it looks great and very extendable.
I need CMS in a site that will need user registration for a fundraiser event for a charity. This would be for donators as well as volunteers raising money.
But I also want some users to be able to create news post, etc.
This project would require volunteers to be able to edit content on a profile page and for dontators to track their donations.
I'd like the accounts of my registrants, volunteers and content creators to be the same accounts.
The Piranha.core example uses 'Piranha Identity With Seed', which in turn uses asp.net identity as I've seen in the UserController.
So here's what I'd like to do :
Register users,
Create a page for a volunteer when a volunteer registers,
Assign rights to the volunteer to be able to edit/publish only their own page.
So I think I could register a user using the Asp.net Identity UserManager, copy a template page using the PageEditService, but the question is: can I limit the rights of a user to just being able to edit the user's profile page? (maybe not even all content on the page)
Cheers,
Jurjen
The manager permissions are function based so that user groups can be assigned the rights to perform different actions on different types of entities. There is no support at the moment to limit access to specific pages to specific users.
My advice is to create the edit view in the front-end application as it is extremely easy to load & update pages with the existing Api, and this will probably give you more freedom in regards to what you want the users to be able to edit on the page.
For connecting the created pages with their users you could either:
Add a StringField to the PageType containing the user id, or
Add your own database table in your own DbContext connecting the user & page.
I would also consider using Posts for your volunteers instead of Pages. This way you could use the built in functionality for creating a Volunteer archive where volunteers could be categorized and tagged for easier searching. It will also make sure the sitemap stays uncluttered and focused.
Best regards

Is there a way to register routes after the application is started?

I want to have app which has some default route and controller (Let's say Login page). I can register this at the Configure method but after the user successfully logs in I want to fetch the pages related to the user and register them so he can have access to it. Is there a way to achieve that?
As far as I have read that's impossible, but who knows, I'm new to ASP.NET Core.
Based on the wording, this sounds like a security question. You only want users to have access to certain pages. If that's the case then I would look at something like role-based authorization.
If the question is more about showing the user a list of resources they can access, then the most obvious solution I can think of is to store that information in a relational database. When the user logs in, select the relevant pages / resources by user ID.
In any case, changing the registered routes is not the correct approach.

wso2 show all api list without login

I have created 3 api, one with
owner=apicreator
visibility=public
and the others two with
owner=admin
visibility="restricted by role".
When I open the store home page the only API visible is the one created by apicreator; then when I log in as admin I can see the other two APIs (final count of 3).
Is it possible to show all the api (doesn't matter by the owner or creator) in the store home page, without login?
Is there any configuration change to apply or any change in the jaggery code(I don't want to change the visibility)?
Thank you in advance
Claudio
Is it possible to show all the api (doesn't matter by the owner or creator) in the store home page, without login?
If an API's visibility is based on roles, how do you expect API Store to show it to public?
Only once a user has logged in to the API Store can we identify their roles, and based on that the API will be visible to them.

REST Api an invitation to hackers for injection?

I am new to REST APIs, I am actually not looking for any workarounds, I just need to clear my concept because I know I am missing some very important information which can easily solve my problem.
For E.g I made a small website, let's say using angular.js, where I will list some information or some items.
Consider it as an open website for now, everyone is getting same list. Anyone can come to the page and see the list of items. Simple.
Lets say the URL to this list is
https://www.example.com/api/list/v1
Result returned
1. abc
2. cde
3. efg
4. hij
Perfect!
Now my site got traffic, and I decided to implement user thing on my website, so that every user can only see his own information.
So I changed the rest api url to this:
https://www.example.com/api/list/v1/12345
where 12345 is userid.
The user with the user id came on the website, logged in, and browsed the list, by chance he went to the source of the page, and he found the url to list information.
He copied the url and started to use different user id's, he might get lucky any time.
I am not talking about implementing any type of security until now; there must be several ways to secure it.
My main concern is that isn't it a large security hole, or we can call it an invitation, for injections?
So I just want to clear my understanding, where I am wrong?
Thanks
This is not some security loophole. This is the way it is supposed to work.
Let's put aside the case of APIs. Consider the simple example:
I have a url: www.example.com/jobs/
This will list all the jobs on my website. No authentication or permission of any sort is required to access this data. I am providing it to every user that visits my website. Now I need a way to figure out if the user visiting my website wants to filter the jobs available on my website. So I provide this option in url kwargs. This will look something like:
www.example.com/jobs/java/
So, now the list will contain the data only for Java jobs. Plain and simple.
Now some day I decide that I will let only the registered users to view Java Jobs. So, I introduce a new check in my View that lets you access the java jobs only if you are logged into my website. Otherwise it redirects you to the login page. Depending on the requirement, you put restrictions on the data being sent to the user.
Same is the case with APIs. If you allow the data to be available to any user that uses the API, there is a flaw with your design and not with the concept of APIs. APIs are just the implementation of your logic.
If you don't want a user with id 12345 to access the data of a user with id 123, you have got to restrict the permissions on the API code. You have got to handle that yourself. The API will respond to your code.
Hope this clears out everything.
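The point made in this answer, in the answer to the "register routes after the application is started" question, and in the first Piranha answer (resolve the account number from User.Identity.Name, not from the request) is the same one: the server decides what a caller may see from the authenticated identity, never from an id the client put in the URL. Below is an added example, not code from any of the posts or from Piranha, DocuSign or WSO2. The session table, users, role names ("site-user", "admin"), account numbers, page ACL and document lists are constructed stand-ins; the URL shape /api/list/v1/<userid> is the one from the question. It shows the vulnerable handler beside a hardened one, a variant with no user id in the URL at all, a download handler that repeats the ownership check, and a login-time lookup of which fixed pages a user may see.

```python
"""Server-side (object-level) authorization for a per-user REST list.

Added example: all data below is constructed; the endpoint shapes and
role names are assumptions, not anything from the posts above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


class Unauthorized(Exception):
    """No valid session: the caller is not logged in."""


class Forbidden(Exception):
    """Logged in, but not allowed to touch this resource."""


# --- constructed sample data (stand-ins for session store, user table,
# --- the per-user "account number" extension and the remote server) ----
SESSIONS = {"sess-12345": "12345", "sess-123": "123", "sess-9": "9"}
USERS = {
    "12345": Principal("12345", frozenset({"site-user"})),
    "123": Principal("123", frozenset({"site-user"})),
    "9": Principal("9", frozenset({"admin"})),
}
ACCOUNT_NUMBERS = {"12345": "ACC-0001", "123": "ACC-0002"}
REMOTE_DOCUMENTS = {  # keyed by account number, as the remote API would be
    "ACC-0001": ["abc.pdf", "cde.pdf"],
    "ACC-0002": ["efg.pdf"],
}
PAGE_ACL = {  # which fixed pages each user may see (routes question)
    "/volunteers/alice": {"12345"},
    "/volunteers/bob": {"123"},
    "/donations": {"12345", "123"},
}


def authenticate(session_cookie: str) -> Principal:
    """Resolve the caller from the session, never from the URL or body."""
    user_id = SESSIONS.get(session_cookie)
    if user_id is None:
        raise Unauthorized("no valid session")
    return USERS[user_id]


def fetch_remote_documents(account_number: str) -> list:
    """Stand-in for the REST call to the other server."""
    return list(REMOTE_DOCUMENTS.get(account_number, []))


def vulnerable_list(path_user_id: str) -> list:
    """The design from the question: the id in the URL is trusted as-is,
    so anyone can enumerate every user's list by changing the number."""
    return fetch_remote_documents(ACCOUNT_NUMBERS.get(path_user_id, ""))


def secure_list(session_cookie: str, path_user_id: str) -> list:
    """Same URL, but role and ownership are enforced on the server."""
    caller = authenticate(session_cookie)
    if not caller.roles & {"site-user", "admin"}:
        raise Forbidden("role not allowed to list documents")
    # Object-level check: a site user may only read their own list.
    if path_user_id != caller.user_id and "admin" not in caller.roles:
        raise Forbidden("cannot read another user's documents")
    account = ACCOUNT_NUMBERS.get(path_user_id)
    return [] if account is None else fetch_remote_documents(account)


def secure_list_me(session_cookie: str) -> list:
    """Preferred shape: no user id in the URL at all. The account number is
    looked up from the authenticated identity, which is what loading the
    user's extension by User.Identity.Name amounts to."""
    caller = authenticate(session_cookie)
    return secure_list(session_cookie, caller.user_id)


def secure_download(session_cookie: str, path_user_id: str, document: str) -> bytes:
    """The download endpoint must repeat the ownership check: knowing a
    document name is not proof that the caller may have it."""
    if document not in secure_list(session_cookie, path_user_id):
        raise Forbidden("document not in caller's list")
    return b"%PDF-1.4 stand-in for " + document.encode()


def accessible_pages(session_cookie: str) -> list:
    """Login-time lookup of the pages this user may see, instead of
    registering per-user routes after startup."""
    caller = authenticate(session_cookie)
    return sorted(p for p, allowed in PAGE_ACL.items() if caller.user_id in allowed)


def attempt(fn, *args):
    """Run a handler and report the outcome as a tuple, for easy checking."""
    try:
        return ("ok", fn(*args))
    except Unauthorized:
        return ("unauthorized", None)
    except Forbidden:
        return ("forbidden", None)
```

The contrast to keep in mind: vulnerable_list("123") returns user 123's documents to anyone, while secure_list("sess-12345", "123") is refused because the session belongs to 12345. Dropping the user id from the URL (secure_list_me) removes the temptation to trust it at all, and the same check has to be applied again on the download endpoint, since the list and the download are two separate requests.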