12 Replies Latest reply on Jan 17, 2018 10:42 AM by mnudel
    mnudel Apprentice

    Is it possible to disable SQUEAL for external users?

    Somebody posted this question previously, however, it is still valid today.


    In order to implement a simple 'change your password' feature, a user must have associated visibility under a particular organisational unit which he/she must be a member of. A curious user can modify the URL to something like 'https://myapp.twx.com/ThingWorx/Users' and see the list of ALL users corresponding to that organisational unit.


    I'd be grateful for your help. Thanks.

      • Re: Is it possible to disable SQUEAL for external users?
        raghun Explorer

        A User should not be able to see other Users unless you have given the visibility access at the collection level. In your case what might be happening is that the new user is in the 'Everyone' Org which has some default visibility set at collection level. Therefore you are able to see all the users. Can you go to the Everyone Org, remove the 'Users' group from there and try this again!

          • Re: Is it possible to disable SQUEAL for external users?
            mnudel Apprentice

            Raghu Nayak, I removed 'Users' user group from 'Everyone' organisation some time ago in order to implement granular visibility as suggested in ThingWorx documentation. There is no associated user or user group in 'Users', 'User Groups' collections. Service invoke is enabled via override.


            From the code below, one can conclude that in order to change his/her password, a user must be able to 'see' his own user entity. For that to happen, an entity must have a 'Visibility' set to a particular organisational unit. A user must be a member of that organisational unit.


            Thus, it is logical to assume that if a user is a member of an organisational unit and other users have visibility set to that organisational unit, he/she would be able to get a list of all users linked to that organisational unit. Surely, there must be a better way.


            // userName and the three password strings are the service's input parameters
            var params = {
                 newPasswordConfirm: newPasswordConfirm /* STRING */,
                 oldPassword: oldPassword /* STRING */,
                 newPassword: newPassword /* STRING */
            };

            // no return
            Users[userName].ChangePassword(params);
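The snippet above indexes the Users collection by whatever `userName` the service receives. As an added example (not code from the thread, PTC or ThingWorx), the block below shows the shape of a password-change service for the "generic thing" approach that takes the target from the session instead of from the request, so a caller who happens to have visibility on other User entities still cannot aim it at anyone but themselves. The platform objects are injected through an `env` argument so the logic runs in plain Node.js; inside a real ThingWorx service one would pass the `Users` global and a `getCurrentUser` built on `Resources["CurrentSessionInfo"].GetCurrentUser()` (that resource and service name are an assumption here, not taken from the thread). The in-memory Users collection and the account names are constructed for the demo.

```javascript
// Added example, not from the thread: change only the caller's own password.
// `env.users` stands in for the ThingWorx Users collection and
// `env.getCurrentUser` for Resources["CurrentSessionInfo"].GetCurrentUser()
// (assumed name); both are injected so this runs outside the platform.
function changeOwnPassword(env, params) {
  const { oldPassword, newPassword, newPasswordConfirm } = params;
  // The target is taken from the session, never from the request, so an extra
  // userName field in a tampered request has no effect.
  const me = env.getCurrentUser();
  if (typeof me !== "string" || me.length === 0) {
    throw new Error("no authenticated user in session");
  }
  if (!oldPassword || !newPassword) {
    throw new Error("oldPassword and newPassword are required");
  }
  if (newPassword !== newPasswordConfirm) {
    throw new Error("new password and confirmation do not match");
  }
  if (newPassword === oldPassword) {
    throw new Error("new password must differ from the old one");
  }
  const self = env.users[me];
  if (!self) {
    // The 7.3.5 situation from the thread: without visibility on its own
    // User entity the caller cannot be resolved from the collection.
    throw new Error("User " + me + " is not visible to itself; check entity visibility");
  }
  // Same call as the thread's snippet, but on the session user only.
  self.ChangePassword({ oldPassword, newPassword, newPasswordConfirm });
  return me;
}

// Constructed stand-in for the platform: an in-memory Users collection whose
// ChangePassword enforces the old password, as the real service does.
function makeFakeEnv(currentUser, accounts) {
  const users = {};
  for (const [name, password] of Object.entries(accounts)) {
    users[name] = {
      password,
      ChangePassword(p) {
        if (p.oldPassword !== this.password) throw new Error("old password incorrect");
        this.password = p.newPassword;
      },
    };
  }
  return { users, getCurrentUser: () => currentUser };
}

// Demo: a userName pointing at another account is ignored; only the session
// user's password changes.
const demoEnv = makeFakeEnv("alice", { alice: "old-pw", bob: "bob-pw" });
changeOwnPassword(demoEnv, {
  userName: "bob", // extra field a tampered request might carry; has no effect
  oldPassword: "old-pw",
  newPassword: "new-pw",
  newPasswordConfirm: "new-pw",
});
console.log(demoEnv.users.alice.password, demoEnv.users.bob.password); // new-pw bob-pw
```

The design point is that the service's permission model (visibility on the generic thing plus execute permission on the service) decides who may call it, while the service body itself decides which entity is touched; neither should come from user-supplied input.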
            
              • Re: Is it possible to disable SQUEAL for external users?
                raghun Explorer

                ok now I understand what you are trying to achieve clearly. It is true that for a user to take any action in terms of running a service or updating a property, the first thing required is visibility, which you assign by Organization (group of users or user groups). But you don't have to assign visibility to that same organization unless you have a use case that requires it!

                From your example, it looks like you want the user to change his password using a mashup that triggers this password change service, correct? If yes then all you need is to create this service on a Thing (let's say a generic thing that has this password change service), assign the visibility of this Thing to the Org that contains all the Users who will have this password change functionality, and then in the 'Runtime Permission' just provide this service execute capability to that user group.

                By default each User is owner of his own entity (and user name is one of them). So when the User opens this mashup and clicks the button to change the password he should be able to do so as he is changing his own entity. This is possible without having visibility access to the Org or User group that he belongs to. Try the above approach and let me know if it works for you! thanks

                  • Re: Is it possible to disable SQUEAL for external users?
                    mnudel Apprentice

                    Raghu Nayak, thank you for your reply. Your proposed solution looks a lot like my current implementation. There is a generic thing with the appropriate service, organisation visibility and run-time permissions. The latter ensures that a user can see this entity and trigger the corresponding service. However, a user cannot see his own 'user' entity as described above. Having triggered the service, the following error messages appear:

                    1. User does not have visibility permission for SomeUser
                    2. JavaException: java.lang.RuntimeException: Entity [SomeUser] does not exist. User attempts to change password


                    By default each User is owner of his own entity (and user name is one of them). So when the User opens this mashup and clicks the button to change the password he should be able to do so as he is changing his own entity.

                              That might be the case when 'Users' user group is a member of 'Everyone' organisation.

                      • Re: Is it possible to disable SQUEAL for external users?
                        raghun Explorer

                        hmm that's really strange if you are receiving that message. Can you please do the below with a brand new user and see if it works or not! And by the way my assumption is still that the User is trying to change his own password and not somebody else's password, let me know if that's not true!!!


                        1. Create a brand new user (since you have already removed the 'Users' group from the 'Everyone' org, this user should not be able to see anything)

                        2. When this user is logged into Composer he should see his own User Name entity on the home page and that will be the only entity. -- This basic test will show that each user is owner of his own entity and doesn't need explicit visibility. Although you cannot edit this through Composer because you need design time for that. And that's why you will use the generic thing entity service to modify the password.

                        3. Now just create a new org and assign this user to that Org and provide visibility and runtime permission to that password change service and you should be able to do it without any problem.

                        In fact I did that with a quick test user and a test org. Again, as I said before, the password you are trying to change is the user's own and not some other User's. Please try this and let me know if you are still running into issues!!!

                          • Re: Is it possible to disable SQUEAL for external users?
                            mnudel Apprentice

                            Raghu Nayak, thank you for looking into my problem. I repeated the steps you described, however, the problem of being able to see other users still persists. The following screenshots depict the problem quite nicely.

                            The password change code works if the visibility is set on the user entity. However, the user is now able to see everyone in the organisation (pic above).

                            If I remove this visibility, then after the changePassword() service was triggered I get the following message in the application log:

                              • Re: Is it possible to disable SQUEAL for external users?
                                raghun Explorer

                                Can you provide some more information!

                                1. Which version of ThingWorx are you using?

                                2. Add a screenshot of the Composer when you log in as User1. I want to see if User1 is visible in the list!

                                3. Are you triggering the service through a mashup by logging in as User1? Or let me know how you are executing it! The reason I ask is that your error message shows a visibility issue while the generic message from the platform should have been something like "the entity doesn't exist"!

                                Provide me this info and I will see how to debug this further. thanks

                                  • Re: Is it possible to disable SQUEAL for external users?
                                    mnudel Apprentice
                                    1. 7.3.5
                                    2. When visibility is assigned to organisation for both users, the following entities are visible in the composer. If no visibility is assigned then no entities are visible. The experiments confirmed that if I assign user visibility to organisation, all members of that organisation can see other members and other entities assigned to that organisation.
                                    3. The service is executed through a mash-up (landing page of tempOrg) which in turn utilises services on a thing. I am logged in as User1. There is no problem executing the service, otherwise there'd be an error associated with the actual thing.


                                      • Re: Is it possible to disable SQUEAL for external users?
                                        raghun Explorer

                                        mnudel - Thanks for providing the info. I did look at a 7.4 instance, which is close to the 7.3.5 that you have, and it behaves similarly. It looks like starting from TWX 8.0 there have been changes to security that allow a user to take ownership of their own entities without an explicit assignment.


                                        So in short, if you don't have a specific reason to be on 7.3.5 I would suggest upgrading to TWX 8.0 as a fresh install (as upgrading may not affect the existing visibility) and then importing your entities.

                                        If you need to be on 7.3.5 for other reasons then you just have to follow the same approach we discussed before. The downside is that a savvy user may be able to do a REST call to see who the other users in the same Org are, but they cannot access anything further than that if you harden the security by not giving Read/Write access. As long as you group the Users of similar capabilities and work responsibility in unique Orgs this should not create a systemic risk. I hope this helps. Thank you
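Since the reply above accepts that on 7.3.5 a user with Org visibility can list the other members of that Org through a REST call, a site that stays on that version can at least make such listing visible. The block below is an added example (not from the thread, PTC or ThingWorx): it scans access-log lines from a reverse proxy placed in front of ThingWorx and flags GET requests for the collection roots `/ThingWorx/Users` (the URL from the original question) and `/ThingWorx/UserGroups` (assumed by analogy with the 'User Groups' collection mentioned in the thread) that come from accounts other than a privileged allow list. It assumes the proxy writes Apache "combined" format with the `%u` field populated, which holds when REST callers authenticate with HTTP Basic auth; the log lines, account names and addresses are constructed for the demo.

```javascript
// Added example, not from the thread: flag collection-enumeration requests
// (GET /ThingWorx/Users, GET /ThingWorx/UserGroups) by non-privileged accounts
// in a reverse-proxy access log in front of ThingWorx.
// Assumed format: Apache "combined" with %u filled in (Basic-auth REST calls).
// The lines below are constructed sample data, not real traffic.
const SAMPLE_LOG = `
203.0.113.7 - alice [17/Jan/2018:10:42:01 +0000] "GET /ThingWorx/Users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - alice [17/Jan/2018:10:42:05 +0000] "GET /ThingWorx/UserGroups?Accept=application/json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - alice [17/Jan/2018:10:43:10 +0000] "GET /ThingWorx/Things/PasswordThing/Services/ChangeOwnPassword HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - Administrator [17/Jan/2018:10:44:00 +0000] "GET /ThingWorx/Users HTTP/1.1" 200 5120 "-" "curl/7.58"
203.0.113.9 - bob [17/Jan/2018:10:45:30 +0000] "GET /ThingWorx/Users/bob HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.9 - bob [17/Jan/2018:10:45:31 +0000] "GET /ThingWorx/Users HTTP/1.1" 403 120 "-" "Mozilla/5.0"
`.trim().split("\n");

// %h %l %u %t "%r" %>s %b ... ; the request is split into method and path.
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+/;

// Collection roots only: a single entity fetch such as /ThingWorx/Users/bob
// is a user reading their own record and is not flagged.
const ENUM_RE = /^\/thingworx\/(?:users|usergroups)\/?(?:\?.*)?$/i;

function parseAccessLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], user: m[2], time: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// Returns one finding per enumeration request from a non-privileged account.
// Denied attempts (4xx) are kept too: a user probing the collection is worth
// seeing even when the platform refused the listing.
function findEnumerationAttempts(lines, privilegedUsers) {
  const allowed = new Set(privilegedUsers);
  const findings = [];
  for (const line of lines) {
    const r = parseAccessLine(line);
    if (!r) continue; // unparsable line; a real pipeline would count these
    if (r.method !== "GET" || !ENUM_RE.test(r.path)) continue;
    if (allowed.has(r.user)) continue;
    findings.push({
      user: r.user,
      ip: r.ip,
      time: r.time,
      path: r.path,
      status: r.status,
      succeeded: r.status < 400,
    });
  }
  return findings;
}

// Per-account counts, handy for a threshold-based alert.
function countByUser(findings) {
  const counts = {};
  for (const f of findings) counts[f.user] = (counts[f.user] || 0) + 1;
  return counts;
}

const demoFindings = findEnumerationAttempts(SAMPLE_LOG, ["Administrator"]);
console.log(countByUser(demoFindings)); // { alice: 2, bob: 1 }
for (const f of demoFindings) {
  console.log(`${f.time} ${f.user}@${f.ip} ${f.path} -> ${f.status}`);
}
```

A reasonable operational use is to run this over the proxy log on a schedule and alert on any non-privileged account that reaches a collection root with a 2xx status, since on 7.3.5 a successful listing is exactly the disclosure the thread describes; the 4xx rows show the same probing without the disclosure and can be logged at a lower severity.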

                                          • Re: Is it possible to disable SQUEAL for external users?
                                            mnudel Apprentice

                                            Raghu Nayak, thank you for your support. Unfortunately, installing a new version of the platform from scratch is not an option at the moment. The application is deployed and a number of users/processes are dependent on it.


                                            To be honest, I don't see the point of exposing a development environment to all users. Cyber security is a great concern for many and one can go to great lengths to assess system vulnerability. Just by tampering with the URI or SQUEAL, sensitive information can therefore be extracted.


                                            I'd like to implement the solution proposed by Sushant Pandey, however, yet again I'm getting errors I can't find an explanation for.


                                            Jason Geiger, have you made any further progress regarding this topic? Thanks.

                                              • Re: Is it possible to disable SQUEAL for external users?
                                                supandey Ninja

                                                mnudel sorry I somehow missed your message in the sequence of referencing. To understand your situation, are you using Gmail or is it a local setup of a mail server? If the mail server is running on a different machine than the ThingWorx Server, could you try using a utility like Telnet with something like telnet <hostname> <portnumber> from the ThingWorx server, putting the detail of the server where the mail server is installed in <hostname>. I'm asking this because of the error that you have posted under the blog which is basically pointing to resource not found thus the HTTP 404