Re: [web2py] Re: Problem sending mails in web2py: Mail.send failure:[SSL: WRONG_VERSION_NUMBER]

2020-05-27 Thread VJ Sosa
Dear Dave,

Thanks for your reply.
I could fix my issue by changing the SMTP server port to 465. Since the
problem was related to the use of SSL, Google prefers the use of port 465
for SSL.

[smtp]
server = smtp.gmail.com:465
sender = myu...@gmail.com
login  = myuser:mypassword
tls = true
ssl = true

And you are right, I also had to change an option in my Google account to
activate the use of less secure apps. Maybe this is not the safe way to
solve this issue, but it works for me. You can turn the use of less
secure apps on or off in your Google account at:
https://myaccount.google.com/lesssecureapps
in the Security section.

More information about it can be found here:
https://support.google.com/accounts/answer/6010255?hl=en
https://support.google.com/a/answer/176600?hl=en
https://www.siteground.com/kb/google_free_smtp_server/

Best regards,
Víctor

On Wed, May 27, 2020 at 3:42 AM Dave S  wrote:

>
>
> On Wednesday, May 20, 2020 at 6:03:34 AM UTC-7, VJ Sosa wrote:
>>
>> Dear all,
>>
>> I'm using the library to manage users in web2py (it includes functions
>> such as login, profile, lost_password, etc.).
>> When I try to use the function lost_password, it asks for my email to send
>> me the password, but
>> it cannot send the email. It shows the message "Unable to send email",
>> the log states:
>>
>> WARNING:web2py:Mail.send failure:[SSL: WRONG_VERSION_NUMBER] wrong
>> version number (_ssl.c:852)
>>
>> I'm using the configuration file (appconfig.ini) with this information:
>>
>> [smtp]
>> server = smtp.gmail.com:587
>> sender = myu...@gmail.com
>> login  = myuser:mypassword
>> tls= true
>> ssl= true
>>
>> I'm not sure if this is an issue with the python library or if I'm
>> missing something.
>> Any ideas?
>>
>> Thanks in advance for any support!
>>
>> Víctor.
>>
>
>
> This sounds like a different error than I've seen in the forum before, but
> gmail two-factor authentication has been an issue for some users.  There is
> something in the gmail options that can be turned off on a per-app basis,
> if you trust my memory which you shouldn't.
>
> There are other mail servers available, some of which are free for small
> volumes of mail (IIRC, BICBW) and some of which are suitable for bulk
> mailings (legitimate ones, of course).
>
> /dps
>
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/web2py/hwnv_A3sdtY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> web2py+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/web2py/752f15b6-8837-4862-a866-f6804d064990%40googlegroups.com
> 
> .
>


-- 
Victor J. Sosa Sosa
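
Added example (not part of the original messages, and not web2py code): a small check for an [smtp] section like the two posted in this thread, flagging a port and TLS mode that disagree. It assumes ssl = true means TLS from the first byte (as smtplib.SMTP_SSL does) and tls = true means STARTTLS; check_smtp_section and the sender address are made up for the illustration.

```python
import configparser

# Constructed from the two configs in the thread; sender and password are placeholders.
CONFIG_587 = """
[smtp]
server = smtp.gmail.com:587
sender = user@example.com
login  = myuser:mypassword
tls = true
ssl = true
"""
CONFIG_465 = CONFIG_587.replace(":587", ":465")

IMPLICIT_TLS_PORTS = {465}    # TLS handshake starts immediately (smtplib.SMTP_SSL)
STARTTLS_PORTS = {25, 587}    # plaintext greeting first, then STARTTLS (smtplib.SMTP)


def check_smtp_section(ini_text):
    """Return findings for an [smtp] section whose port and TLS mode disagree."""
    # Only '=' separates key and value, so 'host:port' and 'user:password' stay intact.
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(ini_text)
    smtp = cp["smtp"]
    host, _, port_text = smtp["server"].rpartition(":")
    port = int(port_text.strip())
    # Assumption: ssl=true selects implicit TLS, tls=true selects STARTTLS.
    ssl_on = smtp.getboolean("ssl", fallback=False)
    tls_on = smtp.getboolean("tls", fallback=False)
    findings = []
    if ssl_on and port in STARTTLS_PORTS:
        findings.append(f"{host}:{port} expects STARTTLS but ssl=true sends a TLS "
                        "handshake first (seen as SSL: WRONG_VERSION_NUMBER)")
    elif not ssl_on and port in IMPLICIT_TLS_PORTS:
        findings.append(f"{host}:{port} expects TLS from the first byte; set ssl=true")
    elif not ssl_on and not tls_on:
        findings.append(f"{host}:{port} has neither ssl nor tls: login goes in clear text")
    return findings
```

The port 587 config from the first post yields one finding, the port 465 config none.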



[web2py] Add to home screen

2020-05-27 Thread mostwanted
What's the simplest way to get my web2py application to prompt users to add
to screen? I have tried a lot of things but none are working, there are no
prompts happening! Some say it's only achievable through a PWA design. I
tried this
https://groups.google.com/forum/#!searchin/web2py/pwa$20me%7Csort:date/web2py/rHBfs1zFG44/gKS6EOmlAgAJ

Nothing is working. If anyone has a way to achieve this with web2py, I'd
appreciate your assistance.

Regards;

Mostwanted



[web2py] Re: RestAPI: how to restrict query results to data belonging to logged in user?

2020-05-27 Thread Jacinto Parga
Hello, 

I used this workaround in a similar case:

@auth.requires_login()
@request.restful()
def myapi():
    def GET():
        response.view = 'generic.json'
        # Select only the rows created by the logged-in user.
        # Maybe in your case mytable.user_id==auth.user.id
        myreg = db(db.mytable.created_by==auth.user.id).select()
        if myreg:
            return dict(myreg=myreg)
        else:
            data ='{"Result" : "Still empty"}'
            return data
    return dict(GET=GET)



On Saturday, May 23, 2020, 10:17:44 (UTC+2), Alexei Vinidiktov wrote:
>
> Hello,
>
> How can I restrict access via RestAPI for the user such that they can only 
> get their own records (those that have the field user_id matching their 
> user id)?
>
> For example, I have a table named 'collections' that has a 'user_id' 
> field, and I want my users to get only the collections that they created.
>
> If they try to get someone else's collection, then they should get a 'not 
> authorized' response.
>
> As an extension, I would also like to allow for users to be able to get 
> someone else's collection if its status is equal to 'PUBLIC'.
>
> Here's the definition of my collections table:
>
> db.define_table('collections',
>     Field('user_id', db.auth_user, notnull=True),
>     Field('language_code', length="3",
>           requires=IS_IN_DB(db, 'language.code', db.language._format),
>           notnull=True),
>     Field('title', length=512, notnull=True),
>     Field('description', 'text', notnull=False),
>     Field('privacy', length=50, requires=IS_IN_SET(privacy_set),
>           notnull=True, default='PRIVATE'),
>     Field('level', length=10, requires=IS_IN_SET(level_set),
>           notnull=True, default='NONE'))
>
> Thanks,
>
> --
> Alexei
>
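
Added example (not from the thread and not web2py code): the owner filter from the workaround above, extended to the 'PUBLIC' case and to the 'not authorized' answer asked for in the question. It uses sqlite3 in place of the web2py DAL so it runs on its own; make_db, list_collections, get_collection and the sample rows are constructed for the illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the thread's 'collections' table; rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE collections (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,"
               " title TEXT NOT NULL, privacy TEXT NOT NULL DEFAULT 'PRIVATE')")
    db.executemany("INSERT INTO collections VALUES (?, ?, ?, ?)",
                   [(1, 10, "alice private", "PRIVATE"),
                    (2, 10, "alice public", "PUBLIC"),
                    (3, 20, "bob private", "PRIVATE")])
    return db


def list_collections(db, current_user_id):
    """List endpoint: the owner/PUBLIC filter is part of the query itself,
    so rows the caller may not see never leave the database."""
    if current_user_id is None:
        return 401, []                        # not logged in
    rows = db.execute(
        "SELECT id, title FROM collections"
        " WHERE user_id = ? OR privacy = 'PUBLIC' ORDER BY id",
        (current_user_id,)).fetchall()
    return 200, rows


def get_collection(db, current_user_id, collection_id):
    """Single-record endpoint: the id is chosen by the client, so the row is
    authorized against the session user before anything is returned."""
    if current_user_id is None:
        return 401, None                      # not logged in
    row = db.execute(
        "SELECT id, user_id, title, privacy FROM collections WHERE id = ?",
        (collection_id,)).fetchone()
    if row is None:
        return 404, None
    row_id, owner, title, privacy = row
    if owner != current_user_id and privacy != "PUBLIC":
        return 403, None                      # 'not authorized', as asked in the thread
    return 200, {"id": row_id, "title": title}
```

The caller's id has to come from the server-side session (auth.user.id in web2py), never from a request parameter. Returning 403 confirms that the id exists; answering 404 in both cases hides that.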



Re: [web2py] Re: RestAPI: how to restrict query results to data belonging to logged in user?

2020-05-27 Thread Kevin Keller
The "proper" way would be to define "scopes" in your application. Scopes
define who has access to which data.
You can also call them roles or tags or whatever.
Scopes is the term that is used by OAuth/OpenID Connect, which is usually
used to secure APIs.

Normally you would get an OpenID (OIDC) ID Token as a JWT when you log in.
Once you have that, you would read that token's contents and look for the
scopes in the token and match those scopes with which the user shall access
your data.
Similar to what you did here with the workaround to match the user.id to
the data.
I suppose you can extend this example/workaround to use custom auth
fields or the roles fields provided by web2py.

Some applications don't use scopes but so-called claims from the JWT token.
Claims are extra info about a user, such as first name, last name, phone number, etc.,
that can be extracted from the token.
They put user roles in the token's claims and match them with the
application's REST API against the database.
Similar to what you did.

But claims are not supposed to be used for that normally; that is what
scopes are for.
Claims are just used to "contextualize" a request for the API, i.e. fetch
relevant information for the requestor: if the requestor is, for example, from
Europe, fetch all info for Europeans from the database;
if from another continent, fetch other data.

I have not seen Web2py used in this way, but there you go.
Just thought this info may be interesting.

I found this example / workaround super useful.

Will also use it :).

Seems to just get the job done quickly.







Re: [web2py] Re: RestAPI: how to restrict query results to data belonging to logged in user?

2020-05-27 Thread Jacinto Parga
Hello, 

Yes, you are right.

Are these tools not enough for the approach of "scopes":
http://web2py.com/books/default/chapter/29/09/access-control#Authorization
and http://web2py.com/books/default/chapter/29/09/access-control#Decorators
?

I mean, you are talking about allowing certain users access to certain
information in some tables. You are talking about access control and permissions.
Something like the example in the book:

Assuming the following definitions:

>>> from gluon.tools import Auth
>>> auth = Auth(db)
>>> auth.define_tables()
>>> secrets = db.define_table('secret_document', Field('body'))
>>> james_bond = db.auth_user.insert(first_name='James',
...                                      last_name='Bond')

Here is an example:

>>> doc_id = db.secret_document.insert(body = 'top secret')
>>> agents = auth.add_group(role = 'Secret Agent')
>>> auth.add_membership(agents, james_bond)
>>> auth.add_permission(agents, 'read', secrets)
>>> print(auth.has_permission('read', secrets, doc_id, james_bond))
True
>>> print(auth.has_permission('update', secrets, doc_id, james_bond))
False


@auth.requires_permission('read', secrets)
def function_four():
    return 'you can read secret documents'



