I am currently writing a script which has to curl a certain confluence page and parse it. Now I want to place the credentials directly into the script.
Therefore I need to create a Confluence user which is only allowed to read that single page. Is that possible (without having to manually restrict all other pages)?
Alternatively (2nd best): Is it possible to make one single page readable without login?
The best I found until now is a user which is only allowed to read one space.
create a new account e.g. foo https://yourdomain/admin/users/createuser.action
remove default membership of that account to any groups https://yourdomain/admin/users/editusergroups-start.action?username=foo
allow user to use confluence https://yourdomain/admin/permissions/editglobalpermissions.action
allow user to read the space the page is in https://yourdomain/spaces/spacepermissions.action?key=yourspace
So I have a platform that works like this: Users can create accounts by logging in with their Google (I USE AUTH0) and then they can create "Projects" which contain lots of other unimportant stuff regarding my current problem (like todo lists, ability to upload files etc; they can also Edit the project by changing some of its attributes like name, description, theme and so on). There is a home page where everyone can see each other's projects and access them (but not upload files, change the tasks in the to do lists; this is possible only by the person that owns it).
By using a tool like Burp, people can see the request made from frontend to backend, for example when accessing one of the projects, and modify it on the fly.
This is what it looks like inside Burp when they access one of the projects:
As you can see there is a GET request to /projects/idOfTheProject; they can replace the GET with DELETE for example and they will successfully delete it; they can also see what is sent to the backend when a project is edited (name changed, description, thumbnail picture etc) and change anything they want about it.
How should I prevent this?
What I've looked at so far:
a. JWT - Probably the best fitting for my situation, but requires the most work to be done (as I already have my platform almost finished with no such security measure implemented yet, so I may need to rewrite a lot of things in both backend and frontend)
b. Sending the user's id that initiated the action as well to the backend and verify if it has the necessary privileges - the worst solution as users can access each other's profile and see the id, then just change another field in the request's JSON
c. Have a sort of token for each user and send that instead of the user's id - in this way somebody can't get your token by just looking at the communication between frontend and backend (only if it is using YOUR account). That token should be taken maybe somewhere from the auth0 when they create their account? If they provide something like that; or I can just create it myself and store it alongside the other user variables. You would still see the requests in plain text but even if you modified something you would still have to "guess" the owner's token, which will be impossible.
For frontend I use NextJS and for backend Flask.
Thank you in advance!
The TL;DR is that you don’t. A determined user will always be able to see what requests are being sent out by the code running on their computer and over their network. What you are describing when asking how to prevent people from “sniffing” these requests is security through obscurity, which isn’t actually secure at all.
What you should do instead is have an authorization system on your backend which will check if the current user can perform a given action on a given resource. For example, verifying that a user is an administrator before allowing them to delete a blog post, or making sure that the current user is on the same account as another user before allowing the current user to see details about the other user.
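To make the authorization check concrete for the Flask/NextJS setup described in the question, here is an added example (not code from the question or the answer above). It is written framework-agnostic so it runs without Flask installed; a Flask view for `/projects/<id>` would build the same `Request` object from `flask.request` and return whatever `authorize_project_action` returns. The token-to-user table and the sample projects are constructed placeholders standing in for Auth0 token verification and the real database.

```python
# Added example: server-side authorization for a "project" resource.
# Identity comes from a verified bearer token, never from the request body,
# and the ownership check compares that identity with the stored owner.
from dataclasses import dataclass, field


def sample_projects():
    """Constructed sample data standing in for the projects table."""
    return {
        "p1": {"owner": "user-alice", "name": "Alice's project", "theme": "dark"},
        "p2": {"owner": "user-bob", "name": "Bob's project", "theme": "light"},
    }


# Hypothetical result of verifying bearer tokens (e.g. Auth0-issued JWTs).
# In production this is a signature check against the issuer's keys,
# not a dictionary lookup.
VERIFIED_TOKENS = {"tok-alice": "user-alice", "tok-bob": "user-bob"}

# Actions only the owner may perform; everything else is read-only.
OWNER_ONLY_METHODS = {"DELETE", "PUT", "PATCH"}

# Fields a client may change. "owner" is deliberately absent, so a tampered
# body cannot transfer ownership of a project.
EDITABLE_FIELDS = {"name", "description", "theme"}


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/projects/p1"
    headers: dict = field(default_factory=dict)
    json: dict = field(default_factory=dict)


def current_user(req):
    """Derive the caller's identity from the verified token only."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return VERIFIED_TOKENS.get(auth[len("Bearer "):])


def authorize_project_action(req, projects):
    """Return (status, body); 401/403/404 are decided entirely on the server."""
    user = current_user(req)
    if user is None:
        return 401, {"error": "authentication required"}

    project_id = req.path.rstrip("/").rsplit("/", 1)[-1]
    project = projects.get(project_id)
    if project is None:
        return 404, {"error": "no such project"}

    # Ownership is checked against the stored owner and the verified caller.
    # Any user id or owner field inside req.json is ignored entirely.
    if req.method in OWNER_ONLY_METHODS and project["owner"] != user:
        return 403, {"error": "not the owner"}

    if req.method == "DELETE":
        del projects[project_id]
        return 204, {}
    if req.method in ("PUT", "PATCH"):
        for key, value in req.json.items():
            if key in EDITABLE_FIELDS:
                project[key] = value
        return 200, project
    if req.method == "GET":
        return 200, project
    return 405, {"error": "method not allowed"}
```

Replaying the tampered request from the question (GET swapped for DELETE by a non-owner) now yields 403, and an edit body that tries to set `owner` leaves the stored owner untouched, because the server never reads identity or ownership from what the client sends.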
I need to send user-specific values to an external system from Moodle. How can I force Moodle to send the session ID (or user ID, activity ID, etc.) to this third-party system? All of the articles out there seem to be written for calling into Moodle but this is not what I need to do.
Important:
I cannot alter the Moodle installation. The solution must only involve editing content. This means I cannot author a new plugin or alter any of the Moodle source code.
Edit:
I do have direct access to the Moodle database from a separate external API. The goal was to use this connection to validate the incoming parameters. However, I still need to be able to construct a parameterized URL to call out the external app. That app would then be able to validate the supplied values against the database. If the session ID is not available then I would need the values regarding the page, user, module, etc. to be sent via the parameterized URL.
For the session id do you mean the current user session? There is a session key stored in $_SESSION['USER']->sesskey but it's not really useful data. It expires when a user logs out.
$_SESSION is server side, so you would need to use PHP code which isn't allowed in content for security reasons.
Have you got access to the database? You could pull user id and activity id from there. Otherwise you will need to use an API or a plugin.
EDIT: There is a URL activity that you could use to send data externally. But that would require the user to click the link.
Data includes user and course ids.
https://docs.moodle.org/311/en/URL_resource_settings
I can't think of any solution to send data externally without writing some PHP code or adding a plugin.
You can add javascript to every page via Site administration > Appearance > Additional HTML but the session variables aren't available without PHP.
https://docs.moodle.org/311/en/Header_and_footer
I want to retrieve all the individual users mapped to a Confluence space along with the permission granted to them. Is there a method to achieve the same via REST API?
Right now there is no way to get permission info on a space using the REST API.
An option would be to write your own Rest Service (using the Atlassian API directly or via Scriptrunner) and query that.
A 2nd option, yet a bit cumbersome, would be to call the permissions page of the space admin, and use webscraping to get the users and groups, and then expand the groups to get all users in these groups.
Please keep in mind that you might get all confluence users for some spaces which might cause a problem.
Why do you need this information? Maybe there is another way to solve your problem?
I'm working with Shopware.
I've added a new attribute "proxy" to the s_core_auth table for each user in order to show the ability to get access to the Customer Module in the backend, so that if a user is not selected as "proxy" he/she won't be able to make changes in that module.
I need help to understand what I need to write in my plugin's code (maybe having only a Subscriber file.)
I'll be very grateful!
Adding a custom column to the s_core_auth table is not a good idea. What you're trying to achieve can be done with user groups and group rights. From the Shopware Documentation:
With User administration you are able to create new users in the backend and control access rights to areas, modules and plugins in accordance with certain group policies that you define per ACL (Access Control List). Within the ACL you have the possibility to control precisely which user is able to perform which activity. Thus, it is possible to assign certain reader rights to an administration group without granting them authorization to edit or delete.
You can find instructions for User administration inside the Documentation.
Currently we have a user guide sitting in Confluence. We want to give access to this page to all users of the product. What is the best way to do this?
Do I put the user guide into its own space and make it public? Then would I need to make a group defining all my users on our product?
It would be ideal if the users did not have to log into confluence in order to view the user guide. The most important piece is we do not want to give access to the user guide to everyone to view.
If you want to grant access to the users of that product, you need to create a group, and then give access to only that group. If users don't need to log into Confluence, then anyone could access.
Another approach is to use Comala Share It (disclaimer, I work in Comalatech). This add-on allows you to create a unique URL, which could be shared with the users of your product, so only they could access. Of course, if the URL is shared with anyone outside the group, that person could access too. Guessing the public URL is not possible, since it uses a secure token.
Regards,
Gorka