問題描述

我正在為客戶構建一個 Web 應用程序，但我不確定我是否在做正確的事情...

I'm building a web application for a customer and I'm not really sure I'm doing the right thing...

基本上，我創建了一個 PHP 應用程序，它可以讀取、編輯、刪除 Google 上的日歷，并在我自己的 Web 應用程序數據庫中保留一個副本(出于各種原因).現在，我閱讀了 OAuth 2.0 并意識到使用它比直接在我的網絡應用程序中的 PHP 文件(在其他也就是說，如果黑客進入服務器，他就可以竊取她的密碼……)

Basically, I created a PHP application that read, edit, delete calendars on Google and keeps a copy on my own web application DB (for various reasons). Now, I read about the OAuth 2.0 and realise it could be safer to use this than have my client general Google password (that access ALL google services (calendar, email, etc)) directly in my web app in a PHP file (in other words, if a hacker enter the server than he can steal her password...).

所以我創建了 OAuth 2.0 帳戶，從這個頁面添加類/文件夾 http://code.google.com/apis/calendar/v3/using.html#setup 并添加了測試頁面上的適當腳本以授權訪問您的信息"(請參閱同一頁面中的實例化客戶端") ...

So I created the OAuth 2.0 account, add the classes/folders from this page http://code.google.com/apis/calendar/v3/using.html#setup and added the proper scripts on a test page to "authorize access to your information" (see "Instantiating the client " in the same page)?...

這是我的問題:如果我使用我的登錄信息(不是我的客戶)登錄我的 gmail 并轉到我的測試頁面，它會要求我授權訪問我的 Google 日歷.但我想要我客戶的日歷，而不是我的！所以，讓我們假設我退出，使用我的客戶信息登錄并轉到測試頁面:這很完美，我授權了帳戶，然后我被重定向到我的應用程序，我可以在其中看到她的日歷.

Here is my questions: If I am logged in my gmail with MY login info (not my Client) and I go to my test page, it will ask ME to authorize access to my Google Calendar. But I want my client's calendar, NOT MINE! So, let's pretend I logout, log in with my customer info and go to the test page : it's perfect, I authorize the account, then I'm redirected to my app where i can see HER calendar.

但這不切實際或不合邏輯...因為，例如，我希望她的 GENERAL PUBLIC 網站上的人進入一個頁面，并填寫表格以自動安排她的約會.該腳本必須檢查她的谷歌日歷....并要求他們的 gmail 帳戶許可?不，我想要她的日歷.

But this is not practical OR logical... Since, for example, I want people on her GENERAL PUBLIC website to go on a page, and fill a form in order to automate her appointments. The script must check her google calendar.... and ask permission for THEIR gmail accounts? No, I want HER calendar.

這是我的問題/問題.我究竟做錯了什么?這是正確的方法還是我錯過了一步?這個 API 是用來做這個的嗎?

So this is my problem / question. What am I doing wrong? Is this the right way to do so or did I miss a step? Was this API meant to do this?

如何使用 API 以上述方式工作?

How can I use the API to work in the way described above?

感謝大家點燃我的蠟燭

喬爾

推薦答案

如果我沒理解錯，那么您就已經獲得了正確的身份驗證.問題是你不想顯示登錄用戶的日歷；您想顯示客戶的日歷.

If I'm understanding you correctly, you've got the authentication right. The problem is that you don't want to display the calendar of the logged-in user; you want to display your client's calendar.

用戶可以在以下兩種情況之一寫入日歷:

A user can write to a calendar in one of two circumstances:

1. 用戶擁有日歷，或
2. 所有者通過指定用戶的電子郵件地址明確授予用戶寫入權限.

顯然第二種情況不能擴展.無論哪種情況，您都需要將客戶的憑據嵌入到應用程序中，然后使用它們代表經過身份驗證的用戶創建約會，或者與用戶共享日歷.當然，您需要對客戶的憑據進行加密——不要簡單地在您的應用中對其進行硬編碼！

Clearly the second situation doesn't scale. And in either case, you'd need to embed your client's credentials in your application, then use them either to create appointments on behalf of an authenticated user, or to share the calendar with the user. Of course, you'll want to encrypt your client's credentials--don't simply hard-code them in your app!

與使用您客戶的真實"帳戶相比，專門為此日歷創建一個新帳戶(使用唯一的電子郵件地址和密碼)似乎更安全.然后，您的客戶可以像她的客戶一樣通過您的應用程序訪問它，或者您可以與她共享日歷并授予她寫入權限.

Rather than using your client's "real" account, it would seem more secure to create a new account (with a unique email address and password) specifically for this calendar. Your client could then access it through your application as her customers would, or you could share the calendar with her and give her write access.

另一種可能性可能是將日歷設置為對用戶只讀，而不是允許他們直接在您客戶的日歷上創建約會，您的應用可以讓他們請求em>約會:它會在用戶的日歷上創建事件并將邀請發送到您客戶的日歷.那么您的應用程序將不需要任何嵌入式憑據.它還可以讓您的客戶有機會確認或拒絕每個約會，自動將她的回復發送給她的用戶.另一個好處是每個用戶的約會都會出現在他/她自己的個人 Google 日歷上.

Another possibility might be to make the calendar read-only to the users, and rather than allowing them to create appointments directly on your client's calendar, your app could let them request appointments: it would create the events on the users' calendars and send invitations to your client's calendar. Then your app won't need any embedded credentials. It would also give your client the opportunity to confirm or decline each appointment, automatically sending her response to her users. Another benefit is that each user's appointments would appear on his/her own personal Google calendar.

我很想知道您(或其他任何人)是否找到了更好的解決方案.

I'd be interested to know if you (or anyone else) finds a better solution.

這篇關于如何在 Google 日歷中使用 OAuth 以僅訪問一個日歷?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！