Which SaaS Subdomains to block - saas
I'm working on a SaaS (Software as a Service) web app and I'm using subdomains for separate accounts.
Which subdomains should I prevent the user from using.
The ones I currently have are... admin, administrator, blog, support and help. I remember seeing a question on Quora about it but I can't find it any more.
Thanks for your suggestions. I've made a Rubygem for blocking a load of subdomains which can be found here - https://github.com/deanperry/saas_deny_subdomains
Just add deny_subdomains :subdomain (:subdomain) being the field, and it will block/deny a massive list of subdomains.
Here is my version in PHP. I added some of mine + ones suggested in the thread + dean perry's.
I was able to cover lots of scenarios by using some regex.
/**
* Checks if the subdomain is good. e.g. forbidden names are: ssl, secure, test, tester etc.
* #see http://stackoverflow.com/questions/11868191/which-saas-subdomains-to-block
* #see https://github.com/deanperry/saas_deny_subdomains/blob/master/lib/saas_deny_subdomains/subdomains.rb
* #return boolean
*/
public function isSubdomainAvailable($subdomain) {
$banned_subdomains_csv = 'admin, login, administrator, blog, dashboard, admindashboard, images?, img, files?, videos?, help, support, cname, test, cache, mystore, biz, investors?
api\d*, js, static, s\d*,ftp, e?mail,webmail, webdisk, ns\d*, register, join, registration, pop\d?, beta\d*, stage, deploy, deployment,staging, testers?, https?, donate, payments, smtp,
ad, admanager, ads, adsense, adwords?, about, abuse, affiliate, affiliates, store, shop, clients?, code, community, forum?, discussions?, order, buy, cpanel, store, payment,
whm, dev, devel, developers?, development, docs?, whois, signup, gettingstarted, home, invoice, invoices, ios, ipad, iphone, logs?, my, status, networks?,
new, newsite, news, partner, partners, partnerpage, popular, wiki, redirect, random, public, resolver, sandbox, search, servers?, service,uploads?, validation,
signin, signup, sitemap, sitenews, sites, sms, sorry, ssl, staging,features, stats?, statistics?, graphs?, surveys?, talk, trac, git, svn, translate, validations, webmaster,
www\d*, feeds?, rss, asset[s\d]*, cp\d*, control panel, online, media, jobs?, secure, demo, i\d*, img\d*, css\d*, js\d*';
$regex = $banned_subdomains_csv;
$regex = preg_replace('#\s#si', '', $regex); // rm new lines, spaces etc
$regex = preg_replace("#,+#si", '|', $regex); // more than one comma
$regex = trim($regex, ','); // remove any leading/trailing commas
$regex = '#^(?:' . $regex . ')$#si'; // let's create a nice regex.
$status = !preg_match($regex, $subdomain); // without main domain added
return $status;
}
Slavi
http://orbisius.com
To name a view:
www
help
support
admin
api
assets0-x
In addition to those mentioned:
test
stage/staging
dev/development
status
mail
webmail
ftp
feeds
ssl/secure
demo
git/svn
files/docs
Might also want to reserve your own name and any variations.
Edit: Just a thought, and perhaps over the top, but you could also consider reserving something like i.example.com ("i" being for internal) then you've got a whole namespace of *.i.example.com for internal use.
Another way of approaching this would be app-tenant.domain.com where tenant is your customer's username or company. Which means you can willcard your users with something like app-*.domain.com in your DNS settings. But if you use an application level load balancer that should be easier. This looks prettier IMHO.
Note: app.**.domain.com is not valid AFAIK
Related
TYPO3 v10: How to access TSFE in Backend/Scheduler Task?
The current situation: I am trying to access the TypoScript configuration of the frontend from within the backend (or rather a scheduler task). Previously with Typo3 v8 and v9, I initialized entire $GLOBALS["TSFE"] object, however this was already hack the last time around (using mostly deprecated calls) and now it has all been removed with the v10 release. My goal: Access the TypoScript configuration of the frontend of a certain page (root page of a site would be fine) from within a scheduler job. Background of the whole project: I have a periodic scheduler job that sends emails to various users (fe_users). The email contains links to certain pages (configured UIDs in typoscript) as well as file attachments and the likes (generated by other extensions, which are also fully configured via typoscript). Currently, I basically initialize the entire frontend from within the backend, but as I said before, its inefficient, super hacky and I doubt it was the intended way to solve this problem.
Getting TypoScript settings in the backend is ugly, but possible. You need a page ID and a rootline which you can pass to \TYPO3\CMS\Core\TypoScript\TemplateService::runThroughTemplates(). Something along these lines: $template = GeneralUtility::makeInstance(TemplateService::class); $template->tt_track = false; $rootline = GeneralUtility::makeInstance( RootlineUtility::class, $pageId )->get(); $template->runThroughTemplates($rootline, 0); $template->generateConfig(); $typoScriptSetup = $template->setup; You can get inspiration from \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::getTypoScriptSetup and \TYPO3\CMS\Tstemplate\Controller\TypoScriptTemplateObjectBrowserModuleFunctionController
This won't get any better and is not intended to be done such way. I would use as configuration: plain PHP, e.g. in $GLOBALS['TYPO3_CONF_VARS]` YAML site config if depending on various sites You can build links by using e.g. something like that protected function generateUrl(int $pageId, int $recordId) { $additionalParams = 'tx_xxxx[action]=show&tx_ixxxx[controller]=Job&tx_xxxx[job]=' . $recordId; return BackendUtility::getPreviewUrl($pageId, '', null, '', '', $additionalParams); }
Using additional request parameters in Twitter Premium Search API
I am using the Twitter API from Matlab, specifically by means of the twitter class from the Datafeed Toolbox. I have essentially followed the example code from the official documentation. I created a Twitter app in my Twitter developer page, and obtained its API keys and access tokens. With those I can use the Twitter Standard search API from Matlab: c = twitter(consumerkey,consumersecret,accesstoken,accesstokensecret); % The variables 'consumerkey' etc are defined as character vectors s = search(c,tweetquery,'count',100); % this works Now I want to use the Premium search API. This has two endpoints for accessing Tweets: 30-day endpoint: provides Tweets from the previous 30 days. Full-archive endpoint: provides complete and instant access to Tweets dating all the way back to the first Tweet in March 2006. In addition, the Premium API has two tiers of access: Free Sandbox access that enables initial testing and development. Paid Premium access that provides increased access. The link above specifies the restrictions associated to sandbox as compared with paid access. I am trying to use the full-archive endpoint with sandbox access. For that I had to create a developer environment on Twitter, which I named dev. The search method in Matlab's twitter class (which worked for the Standard access, as described above) doesn't seem to work with the Premium access. But I noticed that search actually calls getdata, and the latter does work for Premium access as follows. First, the Premium access URL needs to be defined: c.URL = 'https://api.twitter.com/1.1/tweets/search/fullarchive/dev.json'; and then the following syntax works: s = getdata(c,c.URL,'query','Jimi Hendrix'); % this works I have also been able to add operators within the query string, for example to specify a range of geographical positions or to restrict the search to tweets that contain images: s = getdata(c,c.URL,'query','place:"Palo Alto"'); % this works s = getdata(c,c.URL,'query','Robert Smith bounding_box:[-0.2 51.4 0.1 51.6]') % this works However—and this is my question—, I haven't been able to use additional request parameters defined in the Twitter API to refine the search, such as fromDate, toDate or maxResults: s = getdata(c,c.URL,'query','John Frusciante', 'fromDate', '201708130000') % doesn't work s = getdata(c,c.URL,'query','Rob Scallon', ... 'fromDate', '201708130000', 'toDate', '201708150000') % doesn't work s = getdata(c,c.URL,'query','Michael Lemmo', 'maxResults', '20') % doesn't work All of the above return an HTTP/1.1 422 Unprocessable Entity error. Is my syntax not correct? Maybe the fromDate etc parameters have to be part of the query string? Or maybe the sandbox tier of the Premium search doesn't support those parameters? For context, I don't really know what all those terms like endpoint, tier, developer environment and token mean, but still I'd like to make this work.
Going by the description at https://developer.twitter.com/en/docs/tweets/search/api-reference/premium-search#DataParameters, what you call 'addition request parameters' are defined for requests of type POST /search/:product. These are HTTP POST requests, can you try using postdata (https://in.mathworks.com/help/datafeed/twitter.postdata.html) instead of getdata. Their usage is almost identical.
Backend access rights for news records
Is it possible to store all records of the news extension (ext:news) on the same storage page, but show only records, which are created by the loggedin backend user? So the current backend user can just see and edit his own records? Admins should see all records of course.
No, this is not possible, since backend user permissions on record level are not implemented in TYPO3. So you either have to separate the news records of the users in separate sysfolders or you could try to use hooks (e.g. $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/class.db_list_extra.inc']['getTable']) or XClass to customize TYPO3 backend to your needs. I do not recommend the latter, since the TYPO3 backend permission system is complex and you would need to make sure to restrict record access in several parts of TYPO3 (e.g. recordlist, element browser, related news field, ...)
There are two ways to archive that: If the backend user is not too much. You can just create a page(type is folder) named with the backend user name. And in the backend user module you can set the permission(Not for the group user but for the single backend user only). if the backend user is too much. and You just wanna set permissions for the group and all backend users are sharing the same rules. You can refer to Hook:https://docs.typo3.org/p/georgringer/news/main/en-us/Tutorials/ExtendNews/Hooks/Index.html so that the basic logic is like this: 2.1 get current logged-in user group. 2.2 if the group is Reporter, we can use the hook for the listing page: $constraints[] = $query->equals('cruser_id', $be_id); Edit(3/3/2022): Hi Chris, Yes you are right. Today, I have got a chance to dig into the news extension. I think we can still make it by the hook in your ext_localconf.php $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS'][\TYPO3\CMS\Recordlist\RecordList\DatabaseRecordList::class]['modifyQuery'][$_EXTKEY] = \T3docs\SitePackage\Hooks\DatabaseRecordListHook::class; (Please make sure the namespace is correct) within the file : T3docs\SitePackage\Hooks\DatabaseRecordListHook.Create a function named modifyQuery: public function modifyQuery($parameters, $table, $pageId, $additionalConstraints, $fields, $queryBuilder) { if ($table === 'tx_news_domain_model_news') { $tsconfig = $GLOBALS['BE_USER']->getTSConfig(); if (!empty($tsconfig['options.']['be_users'])) { $be_users = $tsconfig['options.']['be_users']; $queryBuilder->andWhere('cruser_id IN (' . $be_users . ')'); } } return $queryBuilder; } in the user Options tab set Tsconfg : options.be_users = 3,100 (3,100 is the be_user id. And the 2 two backend users's news will show up) thus, it works for me.
how to send files as attachment in email in magento for downloadable products?
I am new to Magento. I am working on a web site which is selling downloadable products. My client want purchased products should be sent via email in attachment? Currently, I am developing in localhost so I am not sure whether magneto actually send product files in email or not? Should I need to enable any option for that in configuration?
If you want to develop this at your localhost keep in mind, that you have to set up mail server or use some solutions from community like below link, to send it by gmail and other: https://www.magentocommerce.com/magento-connect/smtp-pro-email-free-custom-smtp-email.html You also can just configure your server to save mails without sending. So you'll be able to review it. Good article about how to send downloadable by email here: https://magento.stackexchange.com/questions/49511/how-can-i-get-only-the-downloadable-product-url-in-email-template But!!! keep in mind that the latest Magento use queue to send email (which runs by cron), so if you have such a distribution (for example 1.9+) you need to adjust code which you have from link above. Here istwo solutions for this case: Disable adding email to queue after order. Just comment this part of code in "Mage_Core_Model_Email_Template"'s "send()" method: // if ($this->hasQueue() && $this->getQueue() instanceof Mage_Core_Model_Email_Queue) { /** #var $emailQueue Mage_Core_Model_Email_Queue */ /* $emailQueue = $this->getQueue(); $emailQueue->clearRecipients(); $emailQueue->setMessageBody($text); $emailQueue->setMessageParameters(array( 'subject' => $subject, 'return_path_email' => $returnPathEmail, 'is_plain' => $this->isPlain(), 'from_email' => $this->getSenderEmail(), 'from_name' => $this->getSenderName(), 'reply_to' => $this->getMail()->getReplyTo(), 'return_to' => $this->getMail()->getReturnPath(), )) ->addRecipients($emails, $names, Mage_Core_Model_Email_Queue::EMAIL_TYPE_TO) ->addRecipients($this->_bccEmails, array(), Mage_Core_Model_Email_Queue::EMAIL_TYPE_BCC); $emailQueue->addMessageToQueue(); return true; }*/ So emails will be sent immediately (be aware, that if you have very big turnover with spikes it can create performance issue) Second way is to save full path of attachment to table "core_email_queue" field - "message_parameters". You can do it adding url to array of argument here $emailQueue->setMessageParameters( in code above. After that you can handle it in "Mage_Core_Model_Email_Queue"'s "send()" method using standard "Zend Mail"'s method - "createAttachment()". Below link provides deeper explanation of this part. https://magento.stackexchange.com/questions/9652/magento-send-file-attachements-in-emails Hope it will help sombody. Have a good day!!!
REST Url ID Placement for Resources with Collections
Is this a good structure for REST URLs? Assuming: GET /account <- get list of accounts GET /account/1234 <- get account 1234 etc. If the account resource has a collection that I want to interface, is this a good idea? GET /account/1234/note <- get notes for account 1234 POST /account/1234/note <- add note to account 1234 DELETE /account/1234/note/321 <- delete note 321 on account 1234 Especially that last one gives me pause; typically I wouldn't require both the entity ID and the parent ID when deleting. Or maybe something like this would be better? GET /account-note/1234 <- get notes for account 1234 POST /account-note/1234 <- add note to account 1234 DELETE /account-note/321 <- delete note 321 on account 1234 (b/c note 321 is on account 1234) But then I'd end up with a pretty shallow URL set. Thanks
There's nothing wrong with your first api. In large part, the idea of the RESTful interface is to go with the natural tree structure of the web, and your first approach is in keeping with that. It's also going to be a structure that does the API's job of abstracting away implicit constraints of your datastore, because the second approach implicitly assumes that the id of note is globally unique. This may be true now, and will probably remain true, but it's also exactly the kind of bug that suddenly appears with disastrous consequences when, down the line, some kind of major db change happens. I'd go with your first scheme. It's a familiar rest pattern, it's intuitive, and it's not going to blow up in a weird way down the line. Also, in response to #Corwin01 minimize the query params--they're not so RESTful.
I referenced this question in my comments on another question and between the feedback I got there and my own research this is what I've come up with. Firstly, the question is sort of flawed. RESTful APIs, or to use the perferable term Hypermedia APIs should include the urls of related actions so that the interface is discoverable and changes won't break existing clients, therefore the exact structure has significantly less importance than I was placing on it, these can be changed later. Secondly, the note in the example will be retrieved as part of an account query, maybe something like this: <account> ... <notes> <note> ... <link href="/account-note/123" rel="note"> </note> </notes> </account> The client will never be assembling urls to the account on their own, the client will use the link provided. Since the note ID is globally unique in this case, there is no need to include the key twice. Hence the answer to the question is no, the first example is not a good REST url structure, the second one is better. (Although still maybe not the best...)
Mind you, my experience is with JAX-RS and Jersey, so I'm not sure what the exact differences are. However, this is what I would do: #GET #Path ("/account/note/{id}") public void displayNotes(#PathParam ("accountId") String accountId) { //do stuff } #POST #Path ("/account/note") public void addNote(#FormParam ("accountId") String accountId) { //do stuff } #POST #Path ("/account/note/delete") public void deleteNote(#FormParam ("accountId") String accountId, #FormParam ("noteId") String noteId) { //do stuff } This way, you don't have cluttered and confusing URLs that the user doesn't need to see anyways, especially if the user tries to navigate there on their own. Which is ok for displaying the accounts, but would confuse them for the URLs that POST, since they would get a 404 and not understand why. Keep it simple, and just user #FormParams since the user doesn't need to see that anyways.