Adding Member Changes Upon Saving - google-cloud-storage

Well I thought I had resolved the issues I had with the owner of a Project in Cloud Storage.
I was able to add my main email as owner and was able to access IAM ... and the 3rd party backup program worked.
Then I had the not so bright idea to remove the other owner ... now backup will not work because it was set to use the deleted owner for access (which is still a surprise to me).
So I went in to the IAM and added the owner back with the same email, quickbooksrus#gmail.com ...
However even though the email is correct when I save, it changes to quickbooks.rus#gmail.com in the permissions list, and because of this I never get the activation email ...
Why does this keep changing ? Because I deleted it in the first place ?
Thanks

I was able to figure this out, but it was simply the old email that I never used had a typo in it and was misspelled ... didn't notice it ...
No issues now ... Thank you to the Google Billing Support ...

Related

Keycloak Identity Broker - Possible to create invalid User-Accounts

When using Keycloak as an Identity Broker there seems to be an issue with some usernames. Default behavior of Keycloak is that when some info (username/email/firstname/lastname) is missing the "Update Account Information" is displayed.
So far so good. The issue though is that you can actually save an invalid username that way, e.g. (asd/fölkj - notice the slash). Now I basically created a broken user that can no longer be modified, not even using the Admin-UI:
[
You can't save it like that because the username is invalid, but you can't change the username since it is read-only.
This seems to be a bug. The bigger issue for me though is that the IDP we are connecting to does not return the email-claim (otherwise I could use that as username too). It only returns a "sub" and since sadly this DOES contain slashes the account is broken if the user does not pick another username. I took a look at the "UsernameTemplateMapper", but they seem a bit limited. Is there any way to just remove all slashes from the "sub"-claim and STILL use it as default username?

How to atomically delete user and user's data from Firebase Auth and Realtime Database respectively?

Some background
When a user account is created, I do 3 things using callback chaining in the sequence 1 > 2 > 3.
A user is created in Firebase Auth (the standard way using createUser(withEmail ...))
I upload the user's profile picture to Firebase Storage and capture the returned downloadUrl for use in step 3
I store the user's other information (including the downloadUrl from step 2) in a node in the realtime database (keyed by $userid)
Now the problem
I provide a button called 'Delete account' which should enable the user to delete everything. That is, clear all their data in the Realtime Database, clear their profile picture in Firebase Storage, and finally delete their account from Auth. The important thing is that all these operations should succeed or be canceled if even one fails.
I've gone through ~10 pages of S/O questions & answers, there was 1 unanswered question like this one (it asked about the account creation process...I suppose an answer to that question can easily be adapted here.)
What have i tried?
Currently, I use callback chaining like so:
// start by atomically deleting all the user data from the Realtime Database using the fanout system.
- get all appropriate locations and save in fanout dictionary
- update all these locations to nil // atomic goodness :)
-callback:
-on failure:
- just return // no worries, nothing has changed yet :/
-on success:
// proceed to delete user files on firebase storage
- delete path $userid on firebase storage
-callback:
-on failure: // this is bad, no idea what to do :(
-on success:
// proceed to delete account from Auth
- delete user account from Auth
-callback:
-on failure: // this is terrible, also, it could happen often b/c firebase does ask for re-authentication sometimes :(
-on success: // thank goodness! I have an authListener somewhere ready to show the 'signInViewController' :)
How do you handle such multi-system (Auth, Storage, RealtimeDB) operation atomically? I have looked into transactions but can't see how they can be adapted for this - the docs only show them being used in incrementing counters for likes/stars etc in the RealtimeDB.
Any help will be very much appreciated.
So the main problem is what to do if the data you're trying to delete is being deleted only partially.
I think you should think about a method that will help you restore it if something goes wrong.
I'm not on my computer now but I suggest you to try to download the data that you want to delete and only if there were a success you delete the local copy too, otherwise you should be able to restore it easily.
Edit: if we talk about a serious amount of storage instead of a local copy you can make it on the cloud.
So you first copy this data, then delete it, then delete the database data (also copied previously) then you can delete the user account and finally you can delete the copy.

GWT RequestFactory: check if members have been set without permission

I am working with GWT / RequestFactory and a set of customer requirements regarding permissions. Let me explain a basic example:
Every user is assigned to a company. Every user should be able to edit company's core data - but only e.g contact information, website etc. Security-relevant ones like BIC/SWIFT, IBAN, Company name and so on can only be changed if the user has a certain permission XY.
So far so good, on the client side I can check the permissions and disable those fields the user is not allowed to edit. But what would be the most elegant way to ensure on the server side that those fields have not been set without permission?
My problem is that I cannot track changes on the server side. Having #PreAuthorize on every setter is not an option too, because it would end in an authorization-massacre in each and every entity.
At the moment I am following a workaround: every field that is secured / depends on a given permission is passed as an argument to the entity-method and is excluded from the proxy. That way, values cannot be set using the proxy and I can check in my server code if the user has permissions. If not, nothing happens. If user has permissions, I set the values manually. But that produces a lot of boilerplate-code and ugly method signatures because the number of values passed to the method could get large.
I hope you understand my issue. I'm looking forward for your opinions and tips. Thank you in advance.
Well, you can receive many answers (different each other), and all of them could be right, so, at the end is your call. Wait for others answers. I am going to give you the approach that I followed (and it worked pretty well). :D.
Under my opinion, the server should do less as possible, so keep the logic for allowing modify each param on the server I think it is not a scalable solution (if your system has 1M users modifying everything at the same time, will your server work fluent?). I prefer let the client do the job (like Roomba :D).
For solving that problem, in our system we implemented an Access Control List solution. You can store in your db, on each user entity, a list with granted permissions. So, when that information arrives to the client (after user's log in, for example), you can get them, and show the fields that he/she is allow to modify.
Something like:
if (canModifyPersonalDetails(user.getAcls(), ...) ) {
//show labels ...
}
if (canModifyBankDetails(user.getAcls(), ...) ) {
//show labels
}
You can not avoid server call for log in, so it is not a big deal send the extra information (think about the ACLs could be simple list of integers 0 means personal details, 1 bank details....).
If you are dealing with very compromised information and you prefer do some stuff on the server, in that case probably I'd set up a security level, when you are persisting/updating your proxy, I'd do something like:
if (isAllowForPersonalDetails(user.getSecurityCode()) {
//update the modified personal details
}
if (isAllowForBankDetails(user.getSecurityCode()) {
//update the modified bank details
}
user.update();
I am a big fan of clear User GUI's, and a very big fan of let the server free as much as possible, so I prefer the first option. But if you have constraints for modifying user entity in db, or you prefer do not modify your views, or any constraint with security, maybe the second option is the best one for you.
Hope that helps!

Request Tracker for Users created without privileges

I have configured request tracker4 to be an interdepartmental helpdesk solution. The current setup is that users will login to RT using LDAP. Once logged in there account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select then put in the users DN name and clicking add I then have to check the box "Let this user be granted rights (Privileged)" I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when new user logs in they are indeed created in the database. But with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)

Cannot log in to admin after upgrade

I need some help troubleshooting.
I've just upgraded my 1.3 site to 2.0 (with the intent of going on to 2.1). I get the actual page running, content is read from DB etc, but I cannot log in to the admin panel!
Just to make sure I didn't forget the password I did
<?php echo sha1('password' . 'salt'); ?>
Taking the salt from the DB, and the output is the same as is stored in the DB. But still I cannot log in. The log in prompt just reloads, no error message or anything. Any ideas?
I've also tried clearing cache/sessions/etc, and even a different browser to no affect.
Crossposted from the PyroCMS forum: https://www.pyrocms.com/forums/topics/view/19323
OK, since there doesn't seem to be any good suggestions found either here or on the PyroCMS forums and my site is very small content wise I decided to just wipe everything and do a clean install of the latest build instead.
Not a very good solution for future reference, but it will have to do.
From my checklist (it's been a while since I had this happen to me):
If you didn't get an incorrect password error, it may well be you were just being redirected back to the login page before the details were even checked. You can run into issues with enabling the 'Remove index.php from URL' in .htaccess - in /system/cms/config/config.php try changing
$config['index_page'] = 'index.php';
to $config['index_page'] = '';
or (as you've hinted):
clear the contents of default_ci_sessions table
clear the cookies for the domain (a quicker way is to just open a new Google Incognito window which won't have any cookies).
Also - you can initiate a password reset for the admin password using the ordinary user login form if you or someone else does ever forget it (don't though).