I want to prevent from IDOR attack in yii2.
If user change url in browser and request was Invalid stay in current page.
I use below code .I stay the current page and dot render page with id manipulate after change Id by firebug in link page.
But if I change id in browser I redirected to home page.
for example, the user(by Yii::$app->user->identity->id that is 19) is on this page : url http://localhost:8080/profile/test/19 and see own profile. if user change url to http://localhost:8080/profile/test/25 in browser and press enter , see the same page again http://localhost:8080/profile/test/19 That is, his profile but I go to home page, I think Yii::$app->request->referrer in empty in this case.
public function actionTest($id) {
if (Yii::$app->user->identity->id == $id) {
return $this->render('view', [
'model' => User::findOne($id),
]);
} else {
$this->goBack(Yii::$app->request->referrer);
}
}
Related
I have 2 divs on a page, based on the click id on left i load the content in the right div.
But when session expires, i am expecting the page to redirect to Login, but it does not behave tht way.
some times the button wont work or some times the login screen loads in the right div.
Any suggestions to handle this session expire?
By default, the IIS simply returns the login-page with an HTTP status code 200 when the session is expired. This makes your ajax not see it as an error.
So you need to do a check in your controller action to see whether the Session has expired, and if it has, you can return an HttpStatusCodeResult(HttpStatusCode.Unauthorized).
After that, in your ajax, you can use somthing like this:
$.ajax({
//...
error: function(data, textStatus, xhr) {
if(xhr.status == "401"){ window.location.href = "/login";
}
}
Whenever i press browser back button,it takes me to application's home page without any data even after successfully logout.This only shows page header part and on pressing any menu option brings me back to login page.
I am using Grails-2.3.6 along with JDK-6.
So any body can suggest me what could be the problem as i am new on grails ?
Is a common problem in web development, the page is cached in the browser, so when you press the back button, the browser show what is in his cache. In order to solve this you need to set the expires headers in your pages. In grails the easiest way of do that is using filters:
Create the fie grails-app/conf/RequestFilters.groovy with this content:
class RequestFilters {
def filters = {
requestHeadersFilter(controller: '*', action: '*') {
after = {
response.setHeader("Pragma", "no-cache")
response.setDateHeader("Expires", 1L)
response.setHeader("Cache-Control", "no-cache")
response.addHeader("Cache-Control", "no-store")
}
}
}
}
For safari you will need another small hack, add onunload="" to the body of your layouts (views/layouts)
Phonegap
Jquery mobile
Not working on chrome browser or iOS.
I'm trying to implement "Recent History" functionality, where if a user visits a page, the page title will be stored in localStorage, then retrieved later.
I have a button on a page, that when clicked adds a (key,value) to localstorage.
$(document).on('tap','#getMeThere',function(){
var title = $('#serviceTitle').text();
var duplicate = false;
for (var i = 0; i < window.localStorage.length; i++){//check if service is already in storage
if(window.localStorage.getItem(window.localStorage.key(i)) == title){
duplicate = true;
break;
}
}
if(duplicate == false){//does not exist in array
window.localStorage.setItem(title,title); //add to local storage
}
});
I have another button on a different page, that when clicked, loads a new page and displays all items in localStorage in a list view.
$(document).on('pagebeforecreate', '#recent', function(){//display services that user has visited
if(window.localStorage.length == 0){
console.log('local storage length=' + window.localStorage.length);
$('#recentEmpty').text("You haven't visited any services yet! Any services you visit will show up on this page.");
}
else{
for (var i = 0; i < window.localStorage.length; i++){
$("#recentList").append($("<li><a href='#ymca' data-transition='slide'>YMCA</a></li>"));
}
console.log('local storage length=' + window.localStorage.length);
}
});
Case 1: The problem is if say i open my app. I click the 2nd button, to see "You haven't visited...". That's fine. Then i go to another page and click the 1st button to add a value to localStorage. When i click the 2nd button again, i'm supposed to see one list item, instead i still see "You haven't visited". Even though i can see while inspecting element that localStorage.setItem was successful and there is 1 value in localStorage. I need to refresh the browser in order to see the list item.
Case 2: I open my app, click the 1st button to add to storage, then click the 2nd button to display it, my recent history page correctly shows 1 list item, without needed to refresh.
It seems to be some sort of caching issue. Or maybe i need to somehow refresh the page?
You are using pagebeforecreate, which is run before the page is created, which happens once. You probably want pagebeforeshow.
In BB when user typed any URL into the browser and hit enter.... then is it possible to get/track/fetch that url..???
shuld i implement any ineterface in my application.......that can track, when user opens the browser and passes a url.
I just want to tell that my application will run in the background......and from background I want to get the URL from BB's native browser. Means when user open the browser and pass a url, I have to get that url and check whether my Application should block that or not.
My application need is -
1) get the url, whatever user have typed in the browser field of the browser...
2) send that url to the server, in the form of xml
3) check response from the server......
4) if response value is "yes" then do nothing...
5) but if response value is "no" then block that URL ( regiseter that - URL into HttpFilterRegistery )
I have develop the code to add my own menu-item into the Browser.
By clicking on that custom-menu-item, I am receiving the URL successfully. But this doesn't meet my requirement actually.
As I told earlier, I want to track the browser application pro-grammatically through a third party application. So Is there any way, whenever Browser app comes to foreground, we can get the menu-item instance of the Browser (native application). So that I can run the custom menu item pro-grammatically.
I have used the following code:
Screen screen = Ui.getUiEngine().getActiveScreen();
System.out.println("\n\n**** " + screen.getClass().getName());
Menu menu = screen.getMenu(1);
for (int i = 0, cnt = menu.getSize(); i < cnt; i++)
System.out.println(" menu item : " + menu.getItem(i).toString());
System.out.println("\n\n");
I am successfully tracking the applications whichever comes to foreground through a background thread of my application, but even then My third party application's thread can't get the menu-instance of the foreground-native applications. It always return the instance of my application's screen...
output of the above code :
** mypackage.AppDemoScreen
menu item : Show Keyboard
menu item : Switch Application
menu item : Full Menu
you can use ApplicationDescriptor , and here is an example to add a new menu item with with the ability to avoid duble the custem menu item , also the code to recept the data from the browser and send it to the class you want
http://pastebin.com/BTSBL8AN
I have a website that outputs Excel reports with hyperlinks back to secure content. One of the links would look like this...
http://www.[site].com/externalLinkDigester?externalSession=[SHA Encrypted Text]
The query string argument (externalSession) is a unique alphanumeric string that is only valid for 24 hours and can only be accessed by the user who created the report. My controller looks something like this...
class ExternalLinkDigester{
def springSecurityService;
def index = {
def currentUser = springSecurityService?.currentUser
if (!currentUser){
redirect(controller:'login')
}
def request = ExternalSession.findByName(params.externalSession);
if (request.isExpired(){
//show expired content page
}
if (sameUser(currentUser, request.user){
//show content
}else{
redirect(controller:'login')
}
}
}
The problem is that no matter what the springSecurityService.currentUser is always null when coming form an external program like Excel even when I am logged before clicking the link however, if I copy and paste the link into the browser it seems to work fine. Help!
How can I securely access content this way?
Is it possible that Excel is opening up a different browser than the one you logged in with (eg. you logged in with Firefox and when clicking the link within excel, it defaults to opening the link within Internet Explorer). The new browser will not have the session cookie for the authenticated session so "currentUser" will appear as null.