By using Moodle Web Service (REST) call core_user_get_users_by_field I successfully get my user details. One of the returned fields is profileimageurl that links to my user profile picture and look like this:
http://my_moodle_server/pluginfile.php/89/user/icon/f1
Unfortunately that link works only in a browser where I have already logged in, otherwise it will redirect to a standard user icon (the grey anonymous face).
So in order to get the actual picture form a client app that is using moodle web services I think I have to call core_files_get_files and pass correct values. So I tried to remap that link to calls paramenters like this:
contextid: 89
component: "user"
filearea: "icon"
itemid: 0
filepath: "/"
filename: "f1.png" (also tryed without .png)
and of course my valid token
but all I get is:
{"parents":[],"files":[]}
Parameters seem to be formally correct (otherwise I would get an exception) however I only get empty response which tells me that some values are not correct.
Ok I found the solution to my problem. I'm posting the answer here also because there's not much information about Moodle web service around...
First of all, core_files_get_files is not the way... it will only show files information, it won't give you the actual file contents (binary).
Fortunately, there's an equivalent URL to be used when calling from external client app:
http://my_moodle_server/webservice/pluginfile.php
It accepts the same parameters/format as http://my_moodle_server/pluginfile.php and in addition you can also pass your token for web service authentication.
So profileimageurl field returned by core_user_get_users_by_field which looks like this:
http://my_moodle_server/pluginfile.php/89/user/icon/f1
can be turned into
http://my_moodle_server/webservice/pluginfile.php/89/user/icon/f1?token=my_web_service_token
Also note that appending ?token= parameter is required
Related
The users of my website can add facebook fanpages and profiles to the website. I am trying to figure out a way, to determine whether a url that was added leads to a facebook profile or to a facebook fanpage.
I have the facebook php-sdk version 5 installed on the website and I also have valid access tokens for my own profile.
Is there a way to find out whether any given facebook url leads to a profile or a fanpage without having and access token to either of them?
Is there a way to find out whether any given facebook url leads to a profile or a fanpage without having and access token to either of them?
No official one.
You can still try and make an educated guess, if you got a profile URL that contains a username (user or page).
Trying to access a user profile that you have no access to this way, currently still results in the error message, “(#803) Cannot query users by their username (xyz).” Facebook introduced this error message after they removed the username field from the user object.
If it is a page instead, and again you have no token that specifically grants access, then you should get the error “(#10) To use 'Page Public Content Access', your use of this endpoint must be reviewed and approved by Facebook. […]” (assuming that your app doesn’t have this feature reviewed & approved; if it had, you should be able to read basic public page data using this request, so you could draw your conclusions from that.)
That would be for pages that are currently public and have no access restrictions; if that wasn’t the case, you should get the message, “(#10) Object does not exist, cannot be loaded due to missing reviewable feature 'Page Public Content Access', or does not support this operation. […]”
But there might also be other situations. Not every user has a username set for their personal profile - and if you got a numeric user id only, you’d get “Unsupported get request. Object with ID 'xyz' does not exist, cannot be loaded due to missing permissions, or does not support this operation.” But that message is not specific to user profiles, you might get it regarding other objects you simply do not have access to as well.
And on top of that, Facebook might probably changes this, if they feel that this exposes more information than they are comfortable with. They might switch to a more generic error message covering all those cases at some point, or something like that.
Unless you absolutely have to make sure that your app knows what’s a user profile and what’s a page, I would recommend against trying this - and rather trust your users that they will pay a bit of intention, if the result matters to them.
Edit: One more thing that could be - partially - used, is the syntax to get information about “external” Open Graph objects, by specifying the URLs using the ?ids=… syntax. A request for ?ids=https://www.facebook.com/zuck,https://www.facebook.com/facebook currently yields the following result,
{
"https://www.facebook.com/facebook": {
"name": "Facebook",
"id": "20531316728"
},
"https://www.facebook.com/zuck": {
"id": "https://www.facebook.com/zuck"
}
}
As you can see, for the first one, which is the official page for Facebook, it returns the page ID, whereas for the second one, which is Mark’s personal profile, it doesn’t. But, careful - for non-public pages, you would not get any ID here either. But maybe in combination with the aforementioned requests, that will result in different error messages depending on the type of object, that could increase the quality of the “educated guess” here.
I'm doing a soap request to an external API using Laravel & Guzzle. All other calls have succeeded to get the actual response but for the redirecting user to the external page has failed because the external API web service only allows my server IP to access that page.
I have tried:
windows.location (javascript)
location header (PHP)
return redirect URL (PHP)
This is their documentation on how to redirect in VB language :
redirection code in VB
All of these methods only use the browser redirection which is using user IP not the server IP.
Any method that I can use to redirect user using my server IP that you guys can recommend?
Thanks in advance.
Extra context/information:
Example screenshot for the fourth call which include get the quotation number and generate the url parameter
That is the code for VB that they provided in API documentation. So why I want to bring the user to the page? It is because when the GetQuotation (fourth call) is already submitted to their database and it will return QuoNo that will be used in the URL parameter. When the user gets redirected to the external page with parameter QuoNo=12412194149124, their backend will query for the quotation details that the user fills in my side (mydomain.com/form) and auto filled it on their side (otherdomain.com/form).
If you see from the screenshot, the System.Diagnostics.Process.Start will execute the url once the Quotation number (QuoNo) is generated. So once the user click on the 'buy now' button on our end (mydomain.com/form), it will call the fourth call (GetQuotation guzzle function) and generate a Quotation Number (QuoNo) then it will be populated in http://otherdomain.com/main.a5w?tokenid=wm-9Kj-14e-Fa4-I1adlXrQ00weqwe3S&QuoNo=QUO022348921312301623. Based on what my understanding on VB code, System.Diagnostics.Process.Start will force the url to be opened.
I'm sorry if it's still lacked of info given. Feel free to ask more. Thank you
What you want can not be achieved sadly. The only thing you can do with the redirect is tell the browser where to go, you have no control over the IP here since this would pose all kinds of issues regarding security and identification. The only way to achieve what you want is to wrap the html of the resulting webpage in your website or remove the restriction of the ip addresses. Another solution could be to build a simple page which is accessible to everyone and limit the API routes to specific IP addresses. For example:
Let's assume the payment gateway is at: example.com/checkout, this one would be accessible to everyone and would contain a form to which you can perform the redirect and fill this form with the passed data.
This form would then post the information to example.com/api/v1/checkout which will process your form data and return if the transaction was succesful. Based on this return the user will be redirected to another page. This is assuming you have control over the other domain since only with your server IP you can access this site.
If this is not the case there is no other way than to post the data to an endpoint via guzzle and use these return values to provide feedback to the user.
I hope this answers your question, if anything is unclear please let me know.
I am trying to integrate mTurk API in one of my sites. I am creating HIT and using EXTERNAL QUESTION, passing my custom PHP web page hosted on my server. Example- http://abc.com/submitanswer.php?var1=testname
Now, on mTruk site, on completion of the task by user, when the user wants to submit the work done to my site, mTurk calls url provided by me in EXTERNAL QUESTION parameter. Additionally, it adds one more parameter - "turkSubmitTo=https://workersandbox.mturk.com" in the url.
So, when request is made for the page it creates a problem and gives 403 - Forbidden. If I directly call this url, then even it gives the same error. But, if I alter any text in value of GET para - turkSubmitTo like : remove "h" from OR remove ":" or such change, the browser nicely displays the page, without any errors..
Tried all possible ways one can think off, there is nothing else left now!
Need help !!!
Thanks !
Varshesh..
It's a mod_security issue. If you're on hosting provider, you can ask them to provide an exception for you. If it's local, you probably have to do it yourself.
I am trying to setup an automatic way to upload videos to YouTube using the YouTube API. The application needs the videos to be uploaded for some processing by YouTube. Currently, I am setting up the oauth2.0 piece and I am able to redirect the user to login with their information. However, when the user is then redirected back to my site with my specified redirect uri, I need to be able to accept custom fields on the end of the URL. Right now, the web server just redirects the user to the page I want, but strips off all of the information returned by YouTube about authentication. I do not know much PHP at all, but think that it might be the way to solve this problem. Essentially, I want to be able to redirect the user to a page on the website where the extra information is retained so that I can use it. Thanks for your help.
http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect#access_token=ya29.AHES6ZS8kOZN2T59fKpoUE0t7roUXqTPWDAwTMvrhZ5TjlZO57JZNQ&token_type=Bearer&expires_in=3600
The format of the redirect is http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect followed by #access_token=ya9232.jdfka7327293&token_type=Bearer&expires_in=3600
However, I have no page with this specific URL..
There are two authentication methods for YouTube - client-side and server-side. (Actually there are more, but I've never used the others).
Documentation is https://developers.google.com/youtube/2.0/developers_guide_protocol_oauth2 but I'l try to paraphrase the bits you need.
"client-side" is what you are using - you basically send the user over the a URL and let google do the work and get the access token back.
"server-side" is what you'll need (as you guessed). To convert, as opposed to sending the user off to a url that ends "&response_type=token", change this bit to "&response_type=code& access_type=offline"
When you get the call back, you have ?code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf - hopefully you can read this as it's before the #
You then use a POST to send this code to the Google servers and it sends back the token in JSON. Taken from that page before:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf&
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
client_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
redirect_uri=http://localhost/oauth2callback&
grant_type=authorization_code
and response is:
{
"access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
}
So "relatively" simply change, but you need the PHP part to do the POST as it requires your secret key (which you don't want to reveal through Javascript).
I'll leave you to Google on how to:
read parameters in PHP (hint - use $_GET['paramter name'])
send a POST message to Google using CURL.
An alternative is to check out YouTube SDK for PHP - these are pre-written libraries that contain the POST and the GET bits for you. But this uses something called "Zend" which can get complex. https://developers.google.com/youtube/2.0/developers_guide_php
I have a site that allow users to check their statistics (number of file uploaded, how many files they have, quotas, type of access etc...)
I create a section on my site: api.domain.com
This can be access via curl or a web browser since I am returning a json object or xml (depending on the user prefs)
My question is this: should I restrict the access using a user/pass or should I create a hash of the user file?
for example:
scenario 1:
The user create a php curl that sends user and pass via post or the curl auth and get back the results, parse it etc...
For me this is secure but the user has to maintain his script if they change their pass
scenario 2
The user access a file like: api.domain.com/j355HGssgf3HESAjh45jusf4325GSj5hbsHhdh5HGHFS3732he4548475wbe3447nSNe5XfgjhGJ and then access the data
This one, nothing to maintain
Here's my thoughts on this.
If you return a page not found or an error message (with a good 200 OK status) when a request is made to your page, it might send to bots or UN-trustable people a clue on what can they get and try again and again and again ...
On the other hand, if you send a access denied, like a 401, or better a 500 error code to simulate a server error, these bots or UN-trustable people might go away for good.
I will say the user/password method is a little more secure in this case.
Now, would you trust simply entering a big string (like scenario 2) when you check your mail? or your bank account information?
If it was me I would give each account the ability to create a unique api key,
api.domain.com/?key=<API.KEY>
for more security measure you could make it only accept connection via the post method with the api key. If contacted via get then show an error etc.
Then if they change their pass/username it won't affect their api key