We have this requirement where we send an email to a user where he can click yes or no. Based on the click some action would take place. But if the user forwards it to someone, and if they click on the buttons nothing should happen.
One way to make this happen is to have the recipient of the email to sign in, before he can click. But ideally, we would like to avoid that.
How can this be done if we don't want the user to sign in?
This is a bona-fide e-mail that arrives in someone's gmail inbox or something, I'm assuming? If that's the case, you are going to have to authenticate them one way or another using your system.
Some kind of HTML-format email with image/links on it to direct to your site, the links including some kind of unique-key that you can use to look up the user who received the e-mail with said unique-key, prepopulating the user ID field, and them having to supply their password to authenticate.
That's about the only way I can imagine it working, unless you are relying on the user having some kind of third-party identity-verification service like uh... what's the Microsoft one called, Passport? I'm very unfamiliar with that.
Related
I have developed an application, which has got an approval flow. The application approval / reject is working fine and I have been tasked with developing a solution for approval through emails, instead of the users log in on to the application, which anyway uses domain credentials. The application is hosted locally, allowed locally only, and is not published onto any public IPs. This requirement of mail approvals are for Management approvals, who are on the move most of the time and will not be agreeing to go for a VPN Access of the said application.
So far I developed a solution which sends an eMail to the approval authority with 2 URLs (one for approve and other for reject). When the recipient of the mail clicks on the relevant link the action is updated in the database. Until here everything was tested and working fine.
Now in case the mail is forwarded by the authorized approver to a different email ID, they secondary recipient also will be able to click on the relevant links and get the database updated which is not the intended functionality since the secondary recipient is not an authorized approver.
Any suggestions on how to control this are desired.
Edit 1
To the 2 URLs I am sending in mail, I am adding a query string, which is a unique identifier associated with the approval authority ID.
However, if the same mail is forwarded to a secondary recipient, I am not sure on how to validate the eMail ID from which the click originated.
Edit 2
I have tried the suggestions (given in the comments below ). I have generated the mail with Request ID in the subject of the mail and requested the users to reply to that mail with only one word in body either Approve / Reject. I have ensured that the application shall process it in a case insensitive way. However, there were so many typos for one word that I could not imagine the number of combinations I had to cope up with.
I have also tried, having the Request ID in the subject of the mail, and requested the users to reply to that mail by appending either : A for approve or : R for reject (case insensitive). But this again resulted in numerous typos.
You have basically two options
have your users reply to the email with Accept or Reject like you said. In this case, you will have to validate whether the email account in the FROM field has the right to do so.
have your user click a link. In this case, you will HAVE to make the application validate the user based on his login credentials.
There is no other way to go about this. You either have to validate the email sender, or the person has to be logged in to the application. There is no other mechanism available in this scenario.
There might be different ways of implementing these two options, but those are the only options you have.
I've created an ASP.net web page that allows the user to create an account. This site is purely for my own practice with the environment, but I have a question about the best way to handle logging in.
My site is more or less (eventually) going to be similar to Twitter.
When the user signs up for the site, they are required to put in a company ID number and a handle. In addition, they have an option of adding an email address, if so desired.
On my login page, I want the user to be able to login with any of those three options (email address, company ID, or handle).
The confusion that I'm running into: what if someone makes a handle that is the same as someone else's ID? How do I handle that?
Would the best option be to validate based off of the (salted and hashed) password if it matches more than one? I would guess no, but I'm not sure.
Now, I know that there are a lot of different options to alleviate this problem (require at least one letter in the user handle being the primary one that comes to mind, or as someone commented, adding a constraint to deny the creation if the ID already exists), but since this is just a mental exercise for me I figure I should learn something about it.
Let users specify the type of credentials they are providing.
Create a separate login form for each type of credentials: company ID, handle, e-mail address. When a user visits the site, you ask them to select the type of credentials they are providing. You could even remember this preference in the browser's storage.
When the form is posted, you know exactly what to validate. You don't have to worry about a handle being the same as a company ID. Store company ID, handle, and e-mail address as separate fields in the database with each user's account.
This is similar to sites which use federated authentication and give user's the option to sign in with Google or Facebook.
ASP.NET newbie question. I'm starting with ASP.NET's Starter Site that comes with a set of built-in registration, authentication pages, and membership DB.
Now my question is, how can I restrict registration to my site? This site is for a patient practice and only patients need access.
I have read about roles, but assigning roles means the user has already registered. I don't want users created in the DB without being authorized either by email or other credentials that an admin will enter prior to registration.
Please let me know the best way to achieve this modification to the starter site template.
Thanks in advance.
As siva.k mentioned in a comment you can remove the registration process from public access, that means users will not be able to register by themselves, an administrator must be in charge of creating users. This implies that you will need user security roles...at least if you don't want your patients to have access to administrative areas such as user management.
Another approach which will require a bit of more effort is to "send email invitations to your patients". Someone perhaps an administrator simply need to enter (at least) an email address and the system would trigger an email inviting the user to register. Obviously, this will require to have a registration page/view to be publicly accessible, but protected to only users who have been sent out an invitation. Determining whether the user is genuine or not it's quite simple. At the time the system sends out the invitation, it logs an entry in a database record...say an email address, a random unique code and perhaps an expiry date to validate the invitation. The random unique code could be whatever you want but must be unique within the system and most importantly NON-SEQUENTIAL (as in incremental integers or something like that). This code can be sent to the invited patient in the form of a url query string parameter, this url is the link to the registration page. Then, the registration page will extract this code from the url, validate it against the database record, deletes the record and then serves the registration page. If the validation fails you can easily respond with a 403 or 404 http code.
As I said, it requires a bit of effort on your side but you could make it a robust solution you can report on.
I am required to write a small webpage / utility for both Google and Yahoo to validate their email addresses. Suppose I give two textboxes, one for Yahoo and the other for Google. When the user provides the email addresses and hit the GO button I want to show if the provided emails actually exist and are valid or not. Plus, I would also like to show any publicly available information like Name, Date of Creation of Account or anything else that is available.
I have tried searching the net but was unable to find any helpful material. Hence asking the question here.
Sounds like you need to implement oauth in your application. By doing so, the user can click on the button of a network and login there. The user will be redirected back to your application with some details (depending on the settings), in most cases you will get the email address and user name.
The simplest way to implement oauth I found was with Simple Authentication: https://github.com/SimpleAuthentication/SimpleAuthentication
An implementation I made: http://www.zonneprijzen.nl/Account after login go to: http://www.zonneprijzen.nl/User/Edit
Hopefully this solved your problem.
I want to send the email to the sharepoint adminsitrator when user clicks the form button. How I can achieve this ?
The simplest solution for this scenario is to create a workflow with SharePoint Designer 2007. Here is an article that describes how to create a workflow that sends an email. You can manually choose administrators you want to mail, but it is much better approach to create a SharePoint group for admins and send an email to this group.
Make sure you have properly configured SharePoint outgoing email settings.
Upvoted Toni's but since the OP tagged it as C#, the function to send emails using the Central Administration is called SPUtiliy.SendEmail. To grab the email of the user (if you dont know the email) you could go with something like SPContext.Current.Web.AllUsers["DOMAIN\login"].Email (not test environment here, syntax may be off)