我想使用REST API获取URL以打开发件人视图:
curl --request POST 'https://demo.docusign.net/restapi/v2/accounts/001122/envelopes/33fef057-1111-1111-8e81-5d93739ae4fd/views/sender' --data '{}' -H 'Accept: application/json' -H 'Authorization: bearer xxxxxxx=' -H 'Content-Length: 2' -H 'Content-Type:application/json'来自DocuSign的回复:
{ "url": "https://demo.docusign.net/Member/StartInSession.aspx?StartConsole=1&t=888db3ea-1e85-4860-a8e5-e9b37f38d769&DocuEnvelope=29fae057-9213-4485-8e81-5d93739ae4fd&send=1" }在我们的应用程序中,我想创建一个具有默认值的“已创建”状态的信封,然后打开发件人视图,以便用户可以完成信封并发送它。
最终用户不应该知道我用于创建信封和打开发件人视图的身份验证用户的凭据:API返回的URL包含一个应该工作几分钟的令牌。
我已经实现了这个解决方案,一切正常,但有一些我没想到的。 我认为返回的url只能用于执行单个操作(发送信封),但似乎用户可以完全访问该帐户,就好像他/她已经执行了登录一样。
有没有办法限制对给定信封的发件人视图的访问?
谢谢你,马可
I would like to use the REST API to get a URL to open the sender view:
curl --request POST 'https://demo.docusign.net/restapi/v2/accounts/001122/envelopes/33fef057-1111-1111-8e81-5d93739ae4fd/views/sender' --data '{}' -H 'Accept: application/json' -H 'Authorization: bearer xxxxxxx=' -H 'Content-Length: 2' -H 'Content-Type:application/json'Response from DocuSign:
{ "url": "https://demo.docusign.net/Member/StartInSession.aspx?StartConsole=1&t=888db3ea-1e85-4860-a8e5-e9b37f38d769&DocuEnvelope=29fae057-9213-4485-8e81-5d93739ae4fd&send=1" }In our application, I would like to create an envelope in the "created" status with default values and then open the sender view so that the user can complete the envelope and send it.
The end user is not supposed to know the credentials for the authenticating user that I am using to create the envelope and to open the sender view: the url returned by the API contains a token that should work for some minutes.
I have implemented this solution and everything works, but there is something that I was not expecting. I thought that the url returned could be used only to execute a single operation (to send the envelope), but it seems that the user has complete access to the account as if he/she has executed a login.
Is there a way to limit the access just to the sender view for the given envelope?
Thank you, Marco
最满意答案
使用嵌入式发件人视图(或嵌入式正确视图)将始终授予用户(发件人)与该DocuSign帐户相同的访问权限,如果他们使用API请求标头中提供的凭据直接登录到控制台时。 即,即使它们最初直接进入API请求指定的信封,也没有什么可以阻止它们在该信封之外导航到DocuSign控制台的其他区域,在那里他们可以完全访问该帐户以查看/发送/删除信封等
Using the embedded Sender view (or the embedded Correct view) will always grant the user (sender) the same access to that DocuSign account as they would have if they logged into the console directly with the credentials supplied in the API request header. i.e., even though they are initially taken directly into the Envelope that the API request specifies, there's nothing to prevent them from navigating outside of that Envelope to other areas of the DocuSign console, where they'll have full access to the account to view/send/delete Envelopes, etc.
更多推荐
发布评论