
Update user password on user interface

Posted: Tue Aug 13, 2013 2:09 pm
by Sean Kelley

"That's why admin account has all needed rights to make changes (if you didn't set ACL manually)"

So when you say admin account you are referring to master key that bypasses ACL? If so, is that safe to use in a web app?

So I also still need to update the user's password at the end. How do I do this without knowing the user id? How do I get the user id? From the docs:

curl -X PUT \
-H "X-Appery-Database-Id: 4ffcf6c8e4b0211629c4ad01" \
-H "X-Appery-Session-Token: 80aeb50a-14de-4fd2-9c8e-11c5b60d8959" \
-d '{"email":"newjoe@mail.com"}' \
https://api.appery.io/rest/1/db/users...



Posted: Tue Aug 13, 2013 6:41 pm
by Kateryna Grynko

Hi Sean,

You can use server code for the password recovery. Server code can perform actions on behalf of the administrator.
[quote:]
Your application creates a record in a separate table RecoveryPass that contains information that this user requested a password reset. The creation request returns a unique _id of the created record.
[/quote]
We mean the following:
The user enters login or email. You make a request to the database and check if there is such a user.
Yes, there is: in the recovery records spreadsheet you create a record that the recovery mechanism is launched for the login. You use the returned _id of the created record as a key in the letter. Then, under that key (== _id), you get the email, find this email in the user database and get the _id of that user.
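
The recovery flow described in the post above, as an added JavaScript example that is not part of the original thread and is not Appery.io's own code. In-memory structures stand in for the `_users` and `RecoveryPass` collections, the function names are hypothetical, and the example goes beyond the post by making the key random, single-use and time-limited (an assumed 30 minutes).

```javascript
// Added illustration: in-memory stand-ins for the "_users" and "RecoveryPass"
// collections. In server code these would be database calls made with an
// administrator session; requestReset/completeReset are hypothetical names.
const { randomBytes } = require("crypto");

const users = [ // constructed sample data
  { _id: "u1", username: "joe", email: "joe@example.com", password: "old" },
];
const recoveryPass = new Map(); // key -> { email, expires, used }
const TTL_MS = 30 * 60 * 1000;  // assumption: keys are valid for 30 minutes

// Step 1: the user enters a login or email. If the account exists, create a
// recovery record and return its key for the letter; otherwise return null.
// The caller should answer identically in both cases so the form does not
// reveal which accounts exist.
function requestReset(loginOrEmail, now = Date.now()) {
  const user = users.find(
    (u) => u.username === loginOrEmail || u.email === loginOrEmail);
  if (!user) return null;
  // Assumption: a random 128-bit key is generated here, where the post uses
  // the database-assigned _id of the recovery record.
  const key = randomBytes(16).toString("hex");
  recoveryPass.set(key, { email: user.email, expires: now + TTL_MS, used: false });
  return key;
}

// Step 2: the link from the letter returns the key with a new password.
// key -> recovery record -> email -> user _id -> password update.
function completeReset(key, newPassword, now = Date.now()) {
  const rec = recoveryPass.get(key);
  if (!rec || rec.used || now > rec.expires) return { ok: false };
  const user = users.find((u) => u.email === rec.email);
  if (!user) return { ok: false };
  rec.used = true;             // a key can be redeemed only once
  user.password = newPassword; // stand-in for the admin-side user update
  return { ok: true, userId: user._id };
}
```
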



Posted: Wed Aug 14, 2013 2:17 pm
by Sean Kelley

[quote:]
The user enters login or email. You make a request to the database and check if there is such user.
[/quote]
At some point in the process, I need to verify that user is in Users table. I understand I need to do this as my admin user with server code. What I do not understand is how to look up the user by username or email address to get their database user id so I can update their record.

As I mentioned before, there appears to be no way to query the Users table for a specific user without their User id. I understand my admin account can edit User records server side, but I believe I need a user id from Users table.

I can query a collection, but not a User table right?



Posted: Wed Aug 14, 2013 3:11 pm
by Sean Kelley

For example if I make the assumption that Users collection is like other collections I could query it. I have tried this, but I cannot query users table like a normal collection:

[code]
var DB_id = 'XXXXXXXXXXXXXXXXXXXXXXX';
var collectionName = 'users';
var userName = request.get("userName");
var userPass = 'XXXXXXXXX';

try {
    var result = {};
    // Log in to obtain a session token for the database calls below
    var token = DatabaseUser.login(DB_id, userName, userPass).sessionToken;
    result.token = token;
    result.collectionsList = Collection.getCollectionList(DB_id, token);

    var params = {};
    //var mail='me@somewhere.com';
    params.criteria = {'businessname': 'XYZ Corp'};

    // Query the collection with the criteria above
    result.query = Collection.query(DB_id, collectionName, params, token);

    response.success(result);
} catch (e) {
    response.success("message: " + e.message + "\ncode: " + e.code);
}
[/code]

error is:
message: Collection 'users' absent in database with id 'XXXXXXXXXXXXXXXXX'.\ncode: DBSQ203



Posted: Wed Aug 14, 2013 5:34 pm
by Kateryna Grynko

Hi Sean,

Please try with collection name "_users" and let us know about the result.



Posted: Wed Aug 14, 2013 6:30 pm
by Sean Kelley

Using _users eliminates the error, but I still cannot seem to retrieve the record:
[code]
var params = {};
params.criteria = {"username": "avaliduser"};
params.skip = 3;
params.limit = 3;
result.query = Collection.query(DB_id, collectionName, params, token);
console.log(params);
[/code]
this outputs to console:
{"limit":3,"criteria":{"username":"avaliduser"},"skip":3}

This is a valid user name, but my query results are empty:
this:
response.success(result);
generates:
{"token":"XXXXXXXXXXXXXXXXXXXXXXX","query":[],"collectionsList":[{"name":"text"}]}

Do I incorrectly understand that the fields for user with username of 'avaliduser' would be in "query" array?



Posted: Wed Aug 14, 2013 7:16 pm
by Zahhar Kirillov

Sorry to interrupt you, but I am facing similar problems with the built-in Users collection.

1) After I import the users table from CSV, my passwords do not work (getting error DBUI112). Sample password is "hjd&gdh177". When I set it explicitly in DB backend, it works. I try with the same code and password is url-encoded (looks like "hjd%26gdh177")

2) Manual says that username should be url-encoded too. My username looks like username@example.com, but it works both url-encoded (looks like "username%40example.com") and not encoded. Is it OK behaviour?

3) I have 200 records in Users collection and need to implement all auth procedures (login, logout, registration, password restore). I am worried that the user database is publicly accessible - everyone may delete everything in it after the first successful login. I know about ACLs, but is there a way to automatically put "read: all, write: owner" for every record in the database?



Posted: Wed Aug 14, 2013 7:37 pm
by Kateryna Grynko

Hi Sean,

Then why do you use:
[code]
params.skip = 3;
params.limit = 3;
[/code]
You ask the database not only to limit the result to three entries, but also to skip the first three entries in the response.



Posted: Wed Aug 14, 2013 7:40 pm
by Kateryna Grynko

Hi Zahhar,

  1. The issue is probably in the interface of shell that encodes special characters.
  2. See 1
  3. No, there is no such setting. You will have to automate this process yourself.


Posted: Wed Aug 14, 2013 9:19 pm
by Zahhar Kirillov

Thanks for the prompt reply. As an interface I am using the POSTMAN plugin for Chrome. It is pretty standard and works with hundreds of other APIs. Please try by yourself.

I need a solution for how to check passwords that were uploaded from CSV. Please help me.