I was wondering if it is possible to limit which resources is a user allowed to see based on its userid.
For example, suppose I have this endpoint:
GET /user/{userid}
Which will give me the information for the given user ID.
I want to limit which users can access that resource, only user with ID X should be able to view /user/X, user with ID Y should get a 401 if tries to do that.
The JWT payload could be something like:
{
"sub": "{userid}",
"name": "{username}"
}
And for this example:
{
"sub": "X",
"name": "User X"
}
Is this possible with Istio?
Related
I'm trying to figure out how to Get and Update a Customer's GL Accounts info via Rest API.
As seen in this screenshot, a Customer's GL Accounts section has fields such as:
AR Account
AR Sub
Sales Account
Sales Sub
etc.
Via Rest API, where can I retrieve this Customer's above info, and how can I update them accordingly?
I'm able to perform CRUD for all the other Customer entity fields, but I'm quite lost regarding how per Customer GL Accounts can be retrieved and updated. Looking for any help to point me to the right direction.
Those fields are not the part of the Default endpoint, so you need some tricks to retrieve or update them.
You can either use custom endpoint or retrieve/update these fields using 'Custom' fields collection.
As for custom endpoint, here is the link that can help.
As for the custom fields, you can retrieve the values like that:
GET: {{sitename}}/entity/Default/20.200.001/Customer?$custom=DefLocation.CSalesAcctID, DefLocation.CARAccountID
Response:
{
"id": "90f25585-fbc0-eb11-9d4f-3ce1a14ed5bf",
"CustomerID": {
"value": "AAA"
},
"custom": {
"DefLocation": {
"CSalesAcctID": {
"type": "CustomStringField",
"value": "40000"
},
"CARAccountID": {
"type": "CustomStringField",
"value": "11000"
}
}
}
}
See here how to get the field names.
To update the fields you send them in the body the same way you get them in the response
I am trying to access the likes per post within a group on facebook. I am an admin of the group and of the app I have created.
I can access the feed which includes the post messages, creation date, comment count, sub comment count, the comment message.
Plenty of field values are accessible.
Example of GET end point below (which works as expected):
https://graph.facebook.com/{group-ID}/feed?fields=link,caption,description,message,message_tags,comments.summary(true).limit(50){message}, created_time&access_token={Access-Token}
Even when trying to access the endpoint specifically for likes, I get the error message. This was my last resort to query each post using its object-ID but is in no way the ideal situation.
https://graph.facebook.com/v6.0/{object-id}/likes
I get the same error message as if I try to add "likes.limit(0).summary(true)" to the main feed query field values.
"error": {
"message": "(#100) Tried accessing nonexisting field (likes) on node type (Post)",
"type": "OAuthException",
"code": 100,
"fbtrace_id": "AGvN2KcMhKsuR7MxeUTxDZR"
}
}
I must be missing something simple here because to allow me to retrieve comments, sub comments and the number of likes per comment should provide me with adequate rights for post likes.
Likes have become "reactions".
Use this instead:
reactions.limit(0).summary(true)
as per OP NeemaB's own comment to the question.
I was thinking about the most logical request for my api, while trying to think about rest, but I can't wrap my head around which one of these three choices is correct: what would be the best design for the request, supposing that I want to send 10 from some user triggering the request to user2?
1)
POST /pay
body: {"username": "user2", "amount": 10}
2)
POST /pay/users/user2
body: {"amount": 10}
3)
POST /pay/users/user2/10
I don't know how much information should be in the URL vs. how much information should be in the URL.
Suppose you have many users and some functions that users can perform.
So your api could be like:
GET /users # get user list
POST /users + {"name": "John"} # create user
DELETE /users/{userId} # remove user
GET /users/{userId} # get user by id
GET /users/{userId}/payments # get users payments
POST /users/{userId}/payments + {"amount": 10} # submit new payment
GET /users/{userId}/payments/{paymentId} # get users payment details
As you can see it is a very simple resource tree.
I recommend taking a look at restful-api-guidelines
You want to put an Canonical Identifier in the URL and any other data in the body.
For a POST (which is used to create an new resource) the Canonical Identifier generaly does not yet exist therefor it doesn't need one.
The server then creates one and returns it to the client in the location header.
If you mean to update instead of insert, PUT or PATCH should be used. If the username is your Identifier, then option 2 should be used. An identifier should in general not be editable.
Since your "adding" an new payment I would suggest using option 1. But I would call it payment and perhaps add more information about the payment.
I am building a single page application for booking hotel conference rooms and am not sure how to set it up, or even if RESTful is the proper approach. There will be four steps to this SPA:
The user chooses a date (available dates come from server - some days could be fully booked).
The user chooses a conference room (conference rooms available at this hotel on the date chosen in step 1 are retrieved from the server).
The user enters their name, address, billing info.
User sees confirmation page.
This same SPA will be used by multiple hotels with the same database back-end, and for the front-end I was thinking Ember.
Is RESTful the right approach for this application?
I was thinking:
GET /dates?hotel_id=xxx (should I pass the hotel ID in the URL vs. in headers vs. in the body?)
GET /rooms?hotel_id=xxx&date=yyy (should I be passing the date and hotel_id in, or somehow remember it on the server?)
POST /order with body: {date, conference_room_id, name/address/billing info}, returns { confirmation_id }
Should the name/address/billing info be put into a separate POST?
Thank you for your advice.
In a REST(ful) framework there's no concept of session. Every request must send all the required information in order to identify a resource.
I'll post an example below, based on requirements you provided.
GET /hotels/{hotel_id}/dates
Path params:
hotel_id (required)
Query params:
startDate (optional, default: today)
endDate (optional, default (example): today + 3 months)
status (optional, "available"/"booked"/"all", default: "all")
Response body: [{"id":"20160503", "dateStr":"May 5th 2016", "status": "available"}]
GET /hotels/{hotel_id}/dates/{date_id}/rooms
Path params:
hotel_id (required)
date_id (required)
Query params:
status (optional, "booked"/"available"/"all", default:"all")
Response body: [{"id": "12", "status": "available", "reservationId": ""}, {"id: "13", "status": "booked", "reservationId" : "123"}]
Note: this kind of implementation allows to list different combinations of dates and rooms (e.g. booked rooms in available days).
POST /hotels/{hotel_id}/reservations
Path params:
hotel_id(required)
Request body: {"dateId":"20160503", "roomId":"12", "firstName":"John", "lastName":"Doe", "address": "xxx", "vatNumber" : "yyy", "companyName": "zzz"}
Note: if you store billing addresses as separate entities (e.g. if your server is required to "remember" them), then it can be useful to implement POST and GET services for billing addresses (/billing) and refer to them with proper identifiers.
Response body: {"reservationId" : "324"}
GET /hotels/{hotel_id}/reservations/{reservation_id}
Path params:
hotel_id(required)
reservation_id (required)
Response body: {"dateId":"20160503", "roomId":"12", "firstName":"John", "lastName":"Doe", "address": "xxx", "vatNumber" : "yyy", "companyName": "zzz"} (same as POST request body)
GET /dates?hotel_id=xxx (should I pass the hotel ID in the URL vs. in headers vs. in the body?)
GET /rooms?hotel_id=xxx&date=yyy (should I be passing the date and hotel_id in, or somehow remember it on the server?)
POST /order with body: {date, conference_room_id, name/address/billing info}, returns { confirmation_id }
Your solution can use Restful API approach. Because it enable any other component to directly call your APIs. It can be APP, or a website or plugin or just another java program connected to internet, they just need to trigger your API and they are done.
URL you mentioned for your application, please note that one should use resource-based URL approach while building RESTful api.
GET /date/hotels/ -> Gives you all available rooms in all hotels on that particular day
GET /dates/hotels/ -> Give you list of available rooms for a particular hotel (Use dates/hotel_id instead of dates/?hotel_id=xxx). Parameter should be used to filter your result. E.g. dates/hotels/hotel_id?PIN=142: This should gives you hotel whose pin matches 142
dates/hotels?MAX_RECORD=50: This should give you list of hotels but limit to 50
You can find more about creating resource-based Restful API https://www.youtube.com/playlist?list=PLqq-6Pq4lTTZh5U8RbdXq0WaYvZBz2rbn
I would put the "Selects" into GETs as designed.
e.g. dates GET /hotel/:id/date -> Get all available dates
rooms GET /hotel/:id/date/:date/rooms -> Get all available rooms
per design in a RESTful API GET is defined for requesting data.
For the POST I would not breakdown into a seperate POST but you can put some parameter like hotel_id or date into the URL.
Best
Fabian
How Can I fitler Facebook Events Using Location By FQL
ex. I want to get all event which will be in Egypt
SELECT name FROM event
WHERE strpos(lower(name), 'Egypt') >= 0
https://developers.facebook.com/tools/explorer?fql=SELECT%20name%0AFROM%20event%20%0AWHERE%20strpos%28lower%28name%29%2C%20%27Egypt%27%29%20%3E%3D%200
But when I try to use the above Query it returns that for me:
Your statement is not indexable. The WHERE clause must contain an
indexable column. Such columns are marked with * in the tables linked
from http://developers.facebook.com/docs/reference/fql
Note : I hope to get the public events filtered by event name contains.
With the changes that they have made, queries using an app access_token cannot
use the above query:
SELECT name,location FROM event WHERE contains('egypt')
The query works with session tokens (user access_tokens), however, with an app access_token
it just returns:
{
"error": {
"message": "(#200) Must have a valid access_token to access this endpoint",
"type": "OAuthException",
"code": 200
}
It was surprising to me since I could still use any other query else than contains on the events table with an app access_token
UPDATE:
After looking at their documentations, I found out that you can only use the app access token for very limited set of queries:
https://developers.facebook.com/docs/reference/api/search/
What I finally did was I used the following to obtain a session access_token from my user as a page_manager
https://www.facebook.com/dialog/oauth?client_id={MY_CLIENT_ID}&scope=manage_pages&redirect_uri={MY_REDIRECT_URI}&response_type=token
The above query returns your your access_token and you can use it to run your query successfully. What it basically does is that it appends your access_token to you as a hashed attributed
{MY_REDIRECT_URI}#access_token={MY_ACCESS_TOKEN}
If you would like to parse the access token on the server, this would not work for you, since the hashed attribute is not sent with the request to your server. What you can do is to append type=web_server to the above request to facebook. In that case the access_token will be returned as a request parameter named code
The closest you can get is to use the contains predicate
SELECT name,location FROM event WHERE contains('egypt')
Which will get you some events that contain "egypt" in the text