New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Thoughts about a "register to newsletter" plugin #2050
Comments
Can you elaborate on why the |
Whenever a user creates or modifies a record, the Is that clearer @Natim ? |
Actually what you said is not entirely true. The write permission will be added only to records that the user created, is that an issue that a user can delete its registration? |
I don't think we'll add newsletter features to kinto, but using this use-case to rethink permissions or options makes sense ;) I would like to have finer-grained permissions :) see #1550 and #368 for example. Something like...
|
I was going to create a plugin for that feature, not modify kinto itself obviously. As I said above:
Which is probably the best solution. It might be a lot more involved and a lot more work though, so I might spend some time on the "newsletter" plugin in the meanwhile, I'll see. Closing this now. |
For instance: newsletter.py
|
I missed the fact that people are not authenticated at this stage. I agree that we need to fix that somehow. I think what is missing too is a way to give access to authenticated people with a given authentication policy: Why? Because if you allow both accounts and basicauth with some collections with This allow throw away sessions that will meet this use case. |
Is there a way to configure kinto so Useful for newsletter or contact forms |
You can use the What we used in the past is to derivate the email address from the form to generate a api key so that the user can manager their subscription. |
Looks like create:record implies read on the collection. Is it correct or did i miss something ? |
No it doesn't implies read on the collection. However you can read the
record you created.
Le sam. 14 nov. 2020 à 14:03, Julien Bouquillon <notifications@github.com>
a écrit :
… Looks like create:record implies read on the collection. Is it correct or
did i miss something ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2050 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABYATPFC6VCPNEM6PWSUODSPZ523ANCNFSM4GYE5SCA>
.
|
Thanks for the confirmation, will try again ! |
Hi Julien,
As my colleagues already said
- there is no "create but can't read" permission: whatever one user
creates, they can read
- if there is no "read" permission on a collection, a user can ONLY read
what they have CREATED
So the trick is to have a different random user for each and every
newsletter subscription: each time somebody want's to subscribe to the
newsletter, generate a random user:pass pair (that you won't need to
save or record, it won't be used again) and use it to create the
subscription (save the mail in the record). No user will be able to list
all the subscribed emails, only the admin (or the user allowed to READ
that collection) will.
I'm not sure if that made sense, if not, ping me on mattermost or call me ;)
Mathieu
Le 14/11/2020 à 19:59, Julien Bouquillon a écrit :
…
Thanks for the confirmation, will try again !
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#2050 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABI6V6RMZGGFDFXG3EZXCTSP3HPPANCNFSM4GYE5SCA>.
|
if i set then when i create a record as some random user (or anonymous), the records always ends up having The record record : {
"data": {
"pouet": 44
},
"permissions": {
"read": ["account:userY2", "account:userY3"],
"write": ["account:userY2", "account:userY3"]
}
} i must doing something wrong |
As @magopian said 👍
You shall use To activate the BasicAuthAuthenticationPolicy you need to add Be careful that then people will be able to create throw away accounts that are unique by login:password couples. Usually we generate 32 bytes string as a login with an empty password such as |
@leplatrem do you know if since Kinto 14.1 we could rely on |
Ok, it worked, thanks !! create-collection : {
"data": { "id": "form" },
"permissions": {
"record:create": ["system.Authenticated"],
"read": [],
"write": []
}
} create-record with some user:pass in a basic auth Authorization header : {
"data": {
"pouet": 42
}
} environment variables : KINTO_STORAGE_BACKEND: kinto.core.storage.postgresql
KINTO_STORAGE_URL: postgresql://postgres:postgres@postgres/postgres
KINTO_PERMISSION_BACKEND: kinto.core.permission.postgresql
KINTO_PERMISSION_URL: postgresql://postgres:postgres@postgres/postgres
KINTO_MULTIAUTH_POLICIES: account basicauth result : {
"permissions": {
"write": [
"basicauth:dcd85f608b7d5cfdf2d0957d9c47966956d767745ff6511c4b0cf85b8d"
]
},
"data": {
"pouet": 42,
"id": "3e473dc0-3d8f-4d18-91b9-5bf162a985db",
"last_modified": 1606086609299
}
} Is there a trick to make the newly created record not alterable by the creator ? |
Yay!
I don't think there's a way, the creator is the owner and has full control over the record.
Mathieu
Le 23 novembre 2020 00:56:08 GMT+01:00, Julien Bouquillon <notifications@github.com> a écrit :
…Ok, it worked, thanks !!
create-collection :
```json
{
"data": { "id": "form" },
"permissions": {
"record:create": ["system.Authenticated"],
"read": [],
"write": []
}
}
```
create-record with some user:pass in a basic auth Authorization header
:
```json
{
"data": {
"pouet": 42
}
}
```
environment variables :
```sh
KINTO_STORAGE_BACKEND: kinto.core.storage.postgresql
KINTO_STORAGE_URL: ***@***.***/postgres
KINTO_PERMISSION_BACKEND: kinto.core.permission.postgresql
KINTO_PERMISSION_URL: ***@***.***/postgres
KINTO_MULTIAUTH_POLICIES: account basicauth
```
result :
```json
{
"permissions": {
"write": [
"basicauth:dcd85f608b7d5cfdf2d0957d9c47966956d767745ff6511c4b0cf85b8d"
]
},
"data": {
"pouet": 42,
"id": "3e473dc0-3d8f-4d18-91b9-5bf162a985db",
"last_modified": 1606086609299
}
}
```
Is there a trick to make the newly created record not alterable by the
creator ?
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#2050 (comment)
--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.
|
The idea is that sometimes a new record has to be created from a front-end, with the "admin" rights, but we obviously don't want the admin credentials to be available on the front-end.
Such a case is when you want to allow a user to register to a newsletter on your website: if you create all the records with the same user, that same user can view the list of all the registered emails for the newsletter (even if the permissions don't include
read : system.Everyone
, as an owner it has theread
permission).So this plugin would add an endpoint that would allow an anonymous
POST
to create a record as a different registered user, transferring the ownership.Example configuration:
Example usage:
echo '{"data": {"email": "foo@bar.com", "name": "test name"}}' | http POST https://kinto.server/v1/newsletter
Propositions:
/newsletter
root endpoint it could be a "leaf" endpoint like thekinto-attachment
plugin does:http POST https://..../v1/buckets/foo/collections/bar/newsletter
owner
as metadata:echo '{"data": {...}, "owner": "account:admin"} | http POST ...
.In this case, we might want to discuss the security and configuration implications (provide a list of allowed owners? A list of allowed resources to create with a different owner?)
As a heads up: the same "newsletter" use case could be fixed by having finer grained permissions (eg a "read-only" permission that would not give read access to the owner/creator).
The text was updated successfully, but these errors were encountered: