certificates – Client Cert Authentication: Accept cert in request or retrieve from host?

No, there is no benefit to doing that, and in fact it likely opens a security hole. Let me explain.

First, a metaphor. A bouncer at a bar asks for your ID. The normal system is for you to present your ID (metaphor: client cert), the bouncer checks that the ID is legitimate (metaphor: validates the issuer, revocation, etc), and checks that the photo matches the person standing in front of them (metaphor: the client cert will digitally sign part of the TLS handshake using their private key). You are proposing that instead of accepting the ID presented to you, you should take their name and go retrieve the ID from a government database. This is only necessary if you don’t have a good way to check the legitimacy of the ID on the spot. That may well be a weakness of physical IDs, but it is not a weakness of digital certificates. If the issuer signature is valid and the cert is not revoked, then it is authentic and you would get the same certificate from the CA or domain owner. So the extra lookup is not necessary.

I said your suggestion might open a security hole; let me explain:

As part of TLS client auth the client will perform a “proof of possession” by signing part of the TLS handshake with the private key that matches the certificate. If you (the server) go off and get their “real” certificate, and they have multiple valid certificates, how do you know that you’re getting the one that matches the private key they’re trying to use? Also, how are you going to do the lookup, with a name (DN) that the client gave you? How do you know that they are not lying to you and getting you to look up someone else’s cert? So the extra lookup may in fact introduce vulnerabilities.
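The check the answer describes, as an added example that is not part of the original answer: the server validates the client certificate the client actually presents against its own trusted CA, the handshake signature proves possession of the matching private key, and the identity is read straight from that verified certificate, with no lookup by a client-supplied name. The CA names, server.test, alice and the rogue issuer in the test are constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue mints a short-lived demo cert for cn, signed by parent (self-signed CA when parent is nil).
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// Handshake runs one mTLS handshake over loopback TCP; the server trusts only caCert and takes the
// client's identity from the cert it presented and proved possession of, never from a typed-in name.
func Handshake(caCert *x509.Certificate, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, // client side: same CA, own cert
		ServerName: "server.test", Certificates: []tls.Certificate{client}})
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	tc := conn.(*tls.Conn)
	defer tc.Close()
	if err := tc.Handshake(); err != nil {
		return "", err // chain not rooted in our CA or bad handshake signature: presented cert rejected
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```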

vulnerability – Can python be used to retrieve a session ID to mimic logged in user at periodical times?

Let me quickly explain and then ask the question. I’m developing a web vulnerability assessment scanner for a project, and I’m learning Python as I go, so forgive me if this sounds like a dumb question. The idea is to allow a user to run periodical scans against their website and report SQL injection findings and XSS vulnerabilities to begin with, and develop further from there. They could then go back and view all the scans and keep track of their website’s security performance.

The prerequisite is for the user to be logged in when they run the scan to grab the session ID to mimic the user. But I want the scan to be able to run once a day in the background. How would that be possible? Is the session ID used initially still valid for the next scans? Is there a better approach I could take, maybe?

Thanks for taking the time to read so far. Hopefully I might get some advice from someone more knowledgeable than me :]

PS: If you have any recommendation to make me consider other vulnerabilities/libraries, I’m all ears

sharepoint online – How to retrieve the Creator or Author of a site or any sub site?

I cannot find a way to get the creator of a site in a SharePoint site collection (there is more than one administrator), be it in the web view or programmatically.

I tried get-author-creator-of-a-site-subsite-using-jsom-or-rest-api but it seems to work only for (sub-)subsites.
I also tried https://www.sharepointdiary.com/2018/02/find-who-created-site-in-sharepoint.html. I would prefer using PnP, but no solution has worked so far.

$con = Connect-PnPOnline -ReturnConnection -Url $mySiteUrl -Credentials $myCreds
$web = Get-PnPWeb -Connection $con
Get-PnPProperty -ClientObject $web -Property Author
Get-PnPProperty : 'Author' is not a member of 'Microsoft.SharePoint.Client.Web'

+ Get-PnPProperty -ClientObject $Web -Property Author
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (:) (Get-PnPProperty), ArgumentException
    + FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Base.EnsureProperty

I tried including all properties with $web = Get-PnPWeb -Connection $cnx -Includes allproperties, without any success.

domain driven design – DDD Aggregate in PHP — how to retrieve the root?

Hi and thank you for reaching this question out!

Status quo

  • I created an aggregate, let’s call it Foo. It has two entities within itself, let’s call them Foo & Bar.
  • You can mutate things by calling the aggregate’s public methods. E.g. $foo->doSomething(). I.e. the aggregate itself has a repository injection. It looks this way:
class Foo
{
    /**
     * @var FooRepositoryInterface
     */
    private $fooRepository;

    /**
     * @var BarRepositoryInterface
     */
    private $barRepository;

    /**
     * @var FooEntity|null
     */
    private $fooEntity;

    /**
     * @var BarEntity|null
     */
    private $barEntity;

    public function __construct(
        FooRepositoryInterface $fooRepository,
        BarRepositoryInterface $barRepository,
        ?FooEntity $fooEntity,
        ?BarEntity $barEntity
    ) {
        $this->fooRepository = $fooRepository;
        $this->barRepository = $barRepository;
        $this->fooEntity = $fooEntity;
        $this->barEntity = $barEntity;
    }

    public function doSomething($something)
    {
        // check if the entities are not nulls or nulls. Depends on what the method does
        // create/mutate entities and persist them
        // assign entities to $this
    }

    public function getSomethingA(string $bla)
    {
        return $this->fooEntity->getSomething();
    }

    public function getSomethingB()
    {
        return $this->barEntity->getSomething();
    }
}

I.e. the entire persistence “logic” is within an aggregate. As there are dependencies on the repositories, it makes sense to build such aggregates via factories. E.g.

class FooFactory {
    /**
     * @var FooRepositoryInterface
     */
    private $fooRepository;

    /**
     * @var BarRepositoryInterface
     */
    private $barRepository;

    public function __construct(
        FooRepositoryInterface $fooRepository,
        BarRepositoryInterface $barRepository
    ) {
        $this->fooRepository = $fooRepository;
        $this->barRepository = $barRepository;
    }

    public function createForFooBaring(): Foo
    {
        return new Foo($this->fooRepository, $this->barRepository, null, null);
    }
}

And then in a use-case e.g. or a service, just inject the factory and you are good to mutate things.

class UseCase {
    private $fooFactory;

    public function __construct(FooFactory $fooFactory)
    {
        $this->fooFactory = $fooFactory;
    }

    public function execute(Input $input): Output
    {
        $foo = $this->fooFactory->createForFooBaring();
        $foo->doSomething($input->getSomething()); // that's it. The data is transactionally (if it's a must) persisted. You read the business logic here, not technical implementation of inserts or updates. Awesome!
    }
}

Problem

Now, let’s assume I want to find an aggregate root in the use-case above. Smells like it’s right about time to inject a repository here, find entities and use a factory to establish an existing aggregate.

But. First of all, the factory itself has all of the dependencies needed, yet if we do something in the factory like

public function findByEmail(string $email): ?Foo
{
   $fooEntity = $this->fooRepository->findByEmail($email); 
   // let's assume here we found it
   $barEntity = $this->barRepository->findBySomeForeignKey($fooEntity->getBarFk());
   // let's assume here we found it

   return new Foo($this->fooRepository, $this->barRepository, $fooEntity, $barEntity);
}

Nice. But. It’s no longer a factory sorta. Could rename it to say… uhm… FooManager/Service e.g. and then it fits an idea.

Hence the question. How do you normally find an aggregate in DDD?

Thank you & Best Regards,
Nikolai

python – Discord.py Role.overwrites does not retrieve members with overwrites on channels

I’m having trouble using discord.py to try and find the members who have been given specific overwrites for a channel.

import discord
from discord.ext import commands

client = commands.Bot(command_prefix='!', intents=discord.Intents.default())

@client.command(name='inferpermissions')
async def _inferPermissions(ctx):
    cat = ctx.channel.category      # the CategoryChannel the invoking channel belongs to
    catOverwrites = cat.overwrites  # dict keyed by Role/Member -> PermissionOverwrite
    print(catOverwrites)

When I run the above command, what it prints is a dictionary of all the roles with overwrites, but not members, even though there are members with permission overwrites as well.

The documentation says that CategoryChannel.overwrites returns all overwrites, members and roles. So I can’t seem to see what I’m doing wrong. Any ideas?

woocommerce – How to retrieve a Menu Name by Menu Location with ACF fields

To retrieve the Menu Name:

$menu_name = wp_get_nav_menu_name("menu-products");

Then, using the menu name you can get data like the nav menu:

$term = get_term_by('name', $menu_name, 'nav_menu');

And using the term taxonomy ID you can pull the ACF fields:

$menu_id = $term->term_taxonomy_id;
$post_id = 'term_'.$menu_id;
$field = get_field('my_acf_field', $post_id);

On the CMS side, in the ACF field group, you need to select the location rule:
Menu Item | Is equal to | Product Location

theming – How to retrieve view row attributes when in twig template

I am using addClass() in hook_preprocess_views_view_unformatted (see my question regarding this here), and the class is added to each row, but the next stop for the view results is views_view.html.twig, where dumping the rows data with

{{ dd(rows) }} 

shows no sign of the attributes part of the row data, which contains the class.