My site allows a user to create a watchlist of stocks. In the site, the action is referred to as "Add to watchlist". I wanted this to create a FB open graph action called "watch" but I believe this is not possible, because watching is a built in action that can only be used on video objects. As such, I've been receiving rejections from FB along the lines of:
Your Action failed the criteria: You are trying to submit a custom action which is not permitted. Please delete this action and submit a built-in version of this action instead.
I can't use the builtin because I need to connect it to my custom "Stock" object. I've tried renaming the action and its verb conjugations every way I can think of ("add to watchlist", "track", etc), but have been rejected at least 5 times. I've run out of ideas.
I've tried to find answers on FB, and here (1 2 3), but have so far not found a viable solution. I think FB must not like the fact that the action is called "watch" in the site itself, and so therefore I have to use the builtin. I'd rather not redo a significant piece of my site just on the off chance it might make FB's reviewers happy, so any other ideas would be appreciated.
Thanks.
Recreating the custom action from scratch as "Track" (deleting the original action, creating a new one, posting the shared activity as an application administrator, and then resubmitting with the same how-to instructions) has finally resulted in an approved custom action.
I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and maybe I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from the extension builder says that you need to take measures to prevent misuse.
Regarding how to implement better security, here are some thoughts about access control and some ideas on what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it cannot be redirected to the plugin that is responsible for the delete action. How is this possible? TYPO3 will look up the page record in your database and render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature won't help an attacker, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature, the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple user groups. For example, a normal user can only edit their own profile, but a premium user can make further changes. In Fluid you can use the IfHasRole ViewHelper to show parts of your template only to defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before executing the update action there is a check that the logged-in user has the same user id as the record which is going to be changed. If you have a more complex case you can check the user group as well.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in the page settings, you can use different mount points, so BE users cannot see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are f:be:security.ifAuthenticated and f:be:security:ifHasRole. However, ifAuthenticated is really for the FE; in a BE context it does not make sense.
You also have the possibility to identify the id and user groups of the BE user and make your own checks before you let an action run.
You also have the possibility to turn a module on / off for a certain BE group.
+1: This has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks on whether the caller is actually allowed to do so.
So it is your job to add adequate access control to those methods, e.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
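The ownership check that the two answers above describe (femanager-style "same user id as the record", plus a group-based exception for privileged users), written out as an added example. This is not code from the thread, from femanager, or from Extension Builder's output; it assumes a TYPO3 11 Extbase controller on PHP 8, a Profile model with a feUser relation, a ProfileRepository, and a moderator group uid, all of which are made-up names and values.

```php
<?php
namespace Vendor\MyExt\Controller;
use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use Vendor\MyExt\Domain\Model\Profile;
use Vendor\MyExt\Domain\Repository\ProfileRepository;

// Added example: update/delete actions with the access check the Extension Builder
// warning asks for. Profile, getFeUser(), ProfileRepository and the group uid are assumed.
class ProfileController extends ActionController
{
    private const MODERATOR_GROUP_UID = 3; // assumed FE group that may edit any record
    public function __construct(protected ProfileRepository $profileRepository) {}

    // True when the logged-in FE user owns $profile or is in the moderator group.
    private function mayModify(Profile $profile): bool
    {
        $feUser = $GLOBALS['TSFE']->fe_user ?? null; // classic TSFE API
        $uid = isset($feUser->user['uid']) ? (int)$feUser->user['uid'] : null;
        if ($uid === null) {
            return false; // anonymous request: never trust the uid in the URL
        }
        $groups = array_map('intval', $feUser->groupData['uid'] ?? []);
        if (in_array(self::MODERATOR_GROUP_UID, $groups, true)) {
            return true;
        }
        $owner = $profile->getFeUser();
        return $owner !== null && $owner->getUid() === $uid;
    }

    public function updateAction(Profile $profile): ResponseInterface
    {
        if (!$this->mayModify($profile)) {
            $this->addFlashMessage('You are not allowed to change this record.');
            return $this->redirect('list');
        }
        $this->profileRepository->update($profile);
        return $this->redirect('list');
    }

    public function deleteAction(Profile $profile): ResponseInterface
    {
        if (!$this->mayModify($profile)) {
            $this->addFlashMessage('You are not allowed to delete this record.');
            return $this->redirect('list');
        }
        $this->profileRepository->remove($profile);
        return $this->redirect('list');
    }
}
```

The same guard belongs in front of every action that writes, not only the ones Extension Builder generated, since the action name is chosen by whoever builds the URL.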
I made a form using Intalio's AJAX Widget tool but I was confused once I wanted to add the form to a user's pool.
I actually followed this tutorial from Intalio's website. In the 5th slide, they mentioned the ways of adding the form (initProcess, create and complete, notify, escalate):
but no further explanations were given.
So, I would like to know the differences between each one of these ways and when should I use one way and not the other.
You use the initProcess if that form will actually kick off a process. Doing so will show a new entry on the web site front end in the Workflow>Processes category. It's what you can see in slide 6. Connect the form to the process.
Use create and complete if you want to give a user or group of users a task to complete. This shows up in the Workflow>Tasks section on the website. It locks your process until a user completes the task or a deadline is hit.
Use notify if you want to send a form as a notification to a user. This shows up in the Workflow>Notifications section. The user can only dismiss it. It does not lock your process. It basically just triggers the notification and moves on.
You can use escalate to reassign an existing form to another user or group. This basically sits between the create and complete part of the form, gets triggered by an external message/event and lets you reassign the form.
Hope this helps. Cheers.
I have followed the Facebook page on creating action links https://developers.facebook.com/docs/opengraph/howtos/action-links/
to the letter. I have one object, recipe,
and 4 actions: cook, create, save, improve.
save is used as a linked action to cook.
improve is used as a linked action to create.
There are 4 stories, one for every action with the object:
cook recipe, create recipe, save recipe, improve recipe.
Posting actions works fine and the action link is visible.
However, when clicking it I get different errors depending on the action link.
Clicking save (on a cook story) gives an error:
Invalid Open Graph Action Link domain for URL ?signed_request=[base64]
Clicking improve just returns status 500 from https://www.facebook.com/ajax/open_graph/actionlink
The interesting thing is both actions use the same https callback URL.
Has anyone managed to solve this?
If anyone runs into this in the future:
https://developers.facebook.com/docs/opengraph/howtos/action-links/ isn't very clear as to the Linked Action and Link Action Url. On the action you want to link you should choose the Linked Action, then open that action's advanced settings and enter a Link Action Url for the action itself.
After doing this everything worked like a charm.
I am trying to submit a Facebook Open Graph action. It is a simple "Read" "Article" action, however when I submit it for approval Facebook eventually responds with this error.
"Status: Changes needed
You are trying to submit a custom action which is not permitted. Please delete this action and submit a built-in version of this action instead.
Please make changes below and resubmit for review."
I am not sure what that means, as far as I know it is not a custom action that I created.
Click to create a new action type, and when the text box appears, start typing "read" and then select the option that drops down. That is the built-in read action.
I had the same issue. It seems FB doesn't allow adding built-in actions as custom ones for some unknown reason; maybe they have some future plan with them for AI stuff. The only thing I see in the built-in read is that it's very limited.
Try this tutorial http://onlytipsandtricks.com/facebook/how-to-publish-actions-on-timeline/
As I submitted an application for the "read" action on Open Graph I received the following response.
Status: Changes needed
Unfortunately, your article.read built-in submission does not meet the read requirements specified at: https://developers.facebook.com/docs/opengraph/actions/builtin/#read. You must give users the ability to turn sharing off/on globally as well as remove an article that was shared within the app. In addition, read actions should only be generated when there is a strong indication that the user is actually reading the article. Please note that we cannot accept resubmission as this time due to technical limitations, so you will need to create a new submission. We plan to have this resolved within the next couple of weeks. We suggest making the required changes and checking back. We appreciate your patience. Note: If you are creating an aggregation based on the object, you need to add 6-7 unique sample objects, and then create a corresponding sample action acting on each of these unique objects. (You can not just create 6-7 sample actions pointing to the same sample object). Submission Checklist: https://developers.facebook.com/docs/opengraph/checklist
Please make changes below and resubmit for review.
Unfortunately, this "guide" is not helping with anything. Firstly, I have no idea where to do this:
You must give users the ability to turn sharing off/on globally as well as remove an article that was shared within the app.
Second of all, I don't even know how to "resubmit"!
Any help would be appreciated.
I was experiencing the same thing. You have to click on the name of your action that you submitted. Once you do that, Facebook provides detailed instructions why they didn't approve the action and what you need to do before you resubmit. Once you review the message, you can make the necessary changes and save the action again. Then you'll have the option to resubmit. In my case Facebook said that I need to provide more detailed instructions what the user needs to do to get an action published. They provided this example: "User must create an account, enable Timeline sharing in the settings, view a product within the app and then click the “want” button underneath the product image to trigger a story". I did that and resubmitted. Hopefully it works this time around. Good luck.
To resubmit, just delete the rejected action and create a new one. You can use the same action name as before. You then go through the submission process again as you did the first time.
Facebook have recently updated their guide to implementing their built-in action types. For the Read action type, see https://developers.facebook.com/docs/opengraph/actions/builtin/#read. You will see a sample application that meets the following criteria required for the use of this action type:
Turn sharing on/off globally on each page an article appears.
Remove articles they shared within your app on each page an article appears.
Only generate read actions when you're sure someone is interested in reading the article.
Built-in actions can't be resubmitted. It is an FB bug:
https://developers.facebook.com/bugs/364663400220101?browse=search_4f44876aabaef7501649601
From this answer on FB tools and support I got this:
You can start a new submission at the bottom of the "Items in Review" page:
https://developers.facebook.com/apps/337449599791917/review-status/items-in-review/
That link didn't work for me, so I just went to the app dashboard and clicked on status and review.
Clicking on the start a new submission button loaded a dialog that prompted me to select which items to "re-review", so I only selected the problematic one:
after that it loads a form for you to resubmit, so here you gotta re-upload the iOS simulator build etc..
and that's it!