I have developed an application, which has got an approval flow. The application approval / reject is working fine and I have been tasked with developing a solution for approval through emails, instead of the users log in on to the application, which anyway uses domain credentials. The application is hosted locally, allowed locally only, and is not published onto any public IPs. This requirement of mail approvals are for Management approvals, who are on the move most of the time and will not be agreeing to go for a VPN Access of the said application.
So far I developed a solution which sends an eMail to the approval authority with 2 URLs (one for approve and other for reject). When the recipient of the mail clicks on the relevant link the action is updated in the database. Until here everything was tested and working fine.
Now in case the mail is forwarded by the authorized approver to a different email ID, they secondary recipient also will be able to click on the relevant links and get the database updated which is not the intended functionality since the secondary recipient is not an authorized approver.
Any suggestions on how to control this are desired.
Edit 1
To the 2 URLs I am sending in mail, I am adding a query string, which is a unique identifier associated with the approval authority ID.
However, if the same mail is forwarded to a secondary recipient, I am not sure on how to validate the eMail ID from which the click originated.
Edit 2
I have tried the suggestions (given in the comments below ). I have generated the mail with Request ID in the subject of the mail and requested the users to reply to that mail with only one word in body either Approve / Reject. I have ensured that the application shall process it in a case insensitive way. However, there were so many typos for one word that I could not imagine the number of combinations I had to cope up with.
I have also tried, having the Request ID in the subject of the mail, and requested the users to reply to that mail by appending either : A for approve or : R for reject (case insensitive). But this again resulted in numerous typos.
You have basically two options
have your users reply to the email with Accept or Reject like you said. In this case, you will have to validate whether the email account in the FROM field has the right to do so.
have your user click a link. In this case, you will HAVE to make the application validate the user based on his login credentials.
There is no other way to go about this. You either have to validate the email sender, or the person has to be logged in to the application. There is no other mechanism available in this scenario.
There might be different ways of implementing these two options, but those are the only options you have.
Related
ASP.NET newbie question. I'm starting with ASP.NET's Starter Site that comes with a set of built-in registration, authentication pages, and membership DB.
Now my question is, how can I restrict registration to my site? This site is for a patient practice and only patients need access.
I have read about roles, but assigning roles means the user has already registered. I don't want users created in the DB without being authorized either by email or other credentials that an admin will enter prior to registration.
Please let me know the best way to achieve this modification to the starter site template.
Thanks in advance.
As siva.k mentioned in a comment you can remove the registration process from public access, that means users will not be able to register by themselves, an administrator must be in charge of creating users. This implies that you will need user security roles...at least if you don't want your patients to have access to administrative areas such as user management.
Another approach which will require a bit of more effort is to "send email invitations to your patients". Someone perhaps an administrator simply need to enter (at least) an email address and the system would trigger an email inviting the user to register. Obviously, this will require to have a registration page/view to be publicly accessible, but protected to only users who have been sent out an invitation. Determining whether the user is genuine or not it's quite simple. At the time the system sends out the invitation, it logs an entry in a database record...say an email address, a random unique code and perhaps an expiry date to validate the invitation. The random unique code could be whatever you want but must be unique within the system and most importantly NON-SEQUENTIAL (as in incremental integers or something like that). This code can be sent to the invited patient in the form of a url query string parameter, this url is the link to the registration page. Then, the registration page will extract this code from the url, validate it against the database record, deletes the record and then serves the registration page. If the validation fails you can easily respond with a 403 or 404 http code.
As I said, it requires a bit of effort on your side but you could make it a robust solution you can report on.
Not sure if this question is programming related, but i think SO users might having experience about my problem to share.
is it possible to automatically see online user on specific group without having to subscribe (add as friend/buddy)? so whenever user enter to specific group he/she will automatically see all the online user on the appropriate group. every users are free to enter to any group on the website.
is this can be done on the chat server side by using plugin etc, or can be done on agsxmpp side.
we tried using Conference Room (MUC), but it having limitation only maximum 100 users, on our website number of user entering group can be more than 500 users.
any idea?
openfire / asp.net mvc / agsxmpp
Ok, so it is impossible to do that.
here is quote from Alex (agsxmpp forum)
XMPP requires always mutual subscription. This means the contact you are adding and subscribe to must approve your subscription. Without the approval you get no presence. This means that the contacts you add must either manual or automatically accept this requests. If they will do so everything will work and the server will start sending you presence.
I would like to add the ability for users to send an email to an address that automatically saves the attachments as documents and saves the email as html, etc.
I think I understand how I can write the functions, but I'm uncertain on how to ensure the security. My application is designed as single code, but each customer has their own database and subdomain. The app looks at the subdomain and determines the database to use for authentication, etc. (There is no master db.)
First, I thought sendgrid would give you a custom email address to use like a897a88s8#sendgrid.net that you could forward to for testing or real use but I don't see that anywhere. I would probably set up a separate domain
How do I ensure that emails sent from user from companyA gets saved in their db? I've thought of:
putting the company name in the email address that the user sends to "addpart-companyA#mysaasapp.com"
a custom email address with a company-wide unique key "addpart-3515645#mysaasapp.com"
The code can find the right db, look at the 'from' email address to see if it matches an existing user, then perform the desired functions. However, that doesn't seem too secure. I also am going to want several different email addresses that a user can use that performs different functions ('add to existing part, add to new part, don't add document, etc.)
I'm looking for a better setup that preferably allows for non-ugly email addresses. What do others do?
It sounds like you already have subdomains for each company. Are these used for email at all right now, or can you change the MX records for the subdomains? If you can programmatically alter your DNS, then it would be very easy to add a SendGrid parse MX record for each subdomain when it is created. Then you could use addpart#company.mysaasapp.com.
For security, I think you're on the right track with checking against a user in your database. Assuming your clients have their email properly configured, you could check SPF via the Authentication-Results header if you are concerned about spoofs.
I'm developing a web application in ASP.NET MVC, and I want users to be able to click on a new link and have it send an email through their default email client with information already filled in, how do I do this?
How would I do it if I wanted an email to be sent out when a new ticket was submitted in the help system?
From MSDN:
<a href="mailto:user#example.com?
subject=MessageTitle&
body=Message Content">
Contact Us</a>
If you wanted to send this email to all users of your application, you'd probably need to automate that part into a service that sends email automatically. You can send email through .NET without any interaction from the user.
Without having the particulars, I see you could do it as follows:
User adds Ticket to the database.
Asynchronous Service polls database for changes to that table.
When it encounters a new ticket, sends an email to a list of users using information from this Stack Overflow question.
The list of users would come from the database, or whatever mechanism you have in place to authenticate and authorize users. If it's Active Directory, it would come from members of that group.
Update
If the user wants to share that email with others, then why not let them pick who they want to share it with in Outlook?
At that point, you can leave off the email address and they can choose it when it pops up in their email editor:
Contact Us
That produces the following when you click on the link:
I want to send the email to the sharepoint adminsitrator when user clicks the form button. How I can achieve this ?
The simplest solution for this scenario is to create a workflow with SharePoint Designer 2007. Here is an article that describes how to create a workflow that sends an email. You can manually choose administrators you want to mail, but it is much better approach to create a SharePoint group for admins and send an email to this group.
Make sure you have properly configured SharePoint outgoing email settings.
Upvoted Toni's but since the OP tagged it as C#, the function to send emails using the Central Administration is called SPUtiliy.SendEmail. To grab the email of the user (if you dont know the email) you could go with something like SPContext.Current.Web.AllUsers["DOMAIN\login"].Email (not test environment here, syntax may be off)