There is a large table with data.
On the site, each user is given access only to a certain set of data from the table (a selection is made according to certain criteria).
But in the URL line, he can change the number to get access to any data from the table.
How can I restrict access to data from the URL string?
For example: there is a table of goods. 1 and 3 are available to the user. URL: shop.com/goods/show/1 or shop.com/goods/show/3
but he can also go and see the goods under the numbers 2 - shop.com/goods/show/2.
How can this be avoided?
I created a domain class, based on it I created a table. The controller was created automatically with the basic methods of index, show, edit, etc. I make a selection using the createCriteria() in the index method
grails v3.3.0
Related
I have a an MS Access database with nine tables. The main form will be driven by a query linking the two main tables. When I pull up any one record ("family within a house"), I have a lot of variable data to pull into the form (how many family members, names of each, other specific information) to retrieve from the other seven tables. I created a VBA module, linked to this form, which is triggered when a record is loaded. The code aggregates all the family member data into a Collection of "person" elements. All of that works, as evidenced by the "Immediate" window in VBA. The "person" object is defined as a Class Module with all the relevant attributes (firstname, lastname, email, is-parent/is-child, etc).
Where I'm stuck: how do I access the collection within the form, so I can start populating elements? I haven't been able to find any documentation to do this, nor any similar questions asked/answered online. Next step will be creating all the elements dynamically, but right now, being able to create a static element and setting the control source to (at least some component/value within) the collection would be a huge help.
My VBA form module has a method, "Private Sub Form_Current()", which generates the collection when the current record is changed.
Thanks in advance...
Got my answer: "you don't". Set the element values in code, rather than trying to pass the collection the form.
Dear SAPUI5 Developers,
I developed a SAPUI5 Fiori Worklist project by using WebIDE template projects.
In the Component.js file the OData model has been fetched.
var sServiceUrl = this.getMetadata().getManifestEntry("sap.app").dataSources.mainService.uri;
var oModel = new sap.ui.model.odata.ODataModel(sServiceUrl, {
json: true,
loadMetadataAsync: true
});
oModel.attachMetadataFailed(function() {
// Call some functions from APP controller to show suitable message
}, this);
this.setModel(oModel, "BrandSet");
This part of code causes a call to OData server to fetch data from the remote server.
Now I want to order the data in backend and then receive the data. Assume the sorting function has been implemented correctly in the backend.
Thus, if I use $orderby=name or $orderby=price it has to be sorted by name or price respectively.
In some toturial they said for ordering use sorter option inside of the XML view file. Like here:
https://sapui5.hana.ondemand.com/#docs/guide/c4b2a32bb72f483faa173e890e48d812.html
Now my questions are:
How to apply this sorting inside of the Component.js file where the Model is initiated?
The second question is how to apply this ordering when we apply a filter to the model? Like the example that in the following link applied filter:
https://sapui5.hana.ondemand.com/#docs/guide/5295470d7eee46c1898ee46c1b9ad763.html
In fact I am looking for a function or any kind of method that add the $orderby=xxx to the OData service call.
I found a way here: https://sapui5.hana.ondemand.com/docs/api/symbols/sap.ui.model.odata.ODataModel.html#constructor
If I use mParameters.serviceUrlParams then I can add some URL parameter to the service request but it has been said "these parameters will be attached to all requests". Does it mean if I add the $orderbywith this method then I can not get rid of that in the further requests on that data model for example for filtering?
An app would normally be structured a bit differently to what you propose. The general assumption is that there is a lot of data available from the backend and to load all this data at once can cause performance problems, particularly when used over a mobile phone network. Furthermore, the data is an oData Entity Set, that is, a list of many items of the same type, so the data would be presented in the UI with a list or table.
Typically the app would then show the data in some kind of list, such as sap.m.List or sap.m.Table. These controls are designed to work with large volumes of data and would load initially the first 20 items from the entity set. Only when the user scrolls down the list of data would additional items be loaded. Also, with these controls the user can decide to sort or filter the data according to certain fields in your data.
Assuming that your app is work like this, here is the standard approach.
The Main model (as defined in the manifest) would not be loaded in Component.js, but loaded via the binding defined in the xml views of the app. In the views you could define a fixed sort and/or filter in the binding or you could allow the user to set the sort and filter criteria. This would be handled programmatically in the respective controllers. Normally the changes that the user makes to the sort and filter would be applied separately. For example, he/she chooses an new sort order, the oData is reread and the new sort order shown in the UI. Then the user may chose a filter criteria, and this is applied too. Of course, in your programming logic in the controllers you would need to have applied any default sort and filter criteria and then maybe combine or replace these with the criteria selected by the user.
To see an example of this, I would suggest to look at the Template Application “SAP Fiori Master-Detail Application” in the WebIDE.
Scenario:
(with an ASP.NET web app - Core or MVC)
I have a database with Users and Items for each user.
That means the UserId is a foreign key in the Items table.
From the browser I login as a User. I get my Items as a list of ItemViewModels, which are mapped (AutoMapper) to ItemViewModels via a simple api GET request.
I want to update one of the items (which should belong to me - the logged in user) via a simple API call. So I send the modified item back to the server via a PUT request as an ItemViewModel.
First approach:
The simplest approach would be to include the Item's database ID, ItemId, in the ItemViewModel - so when I receive the item to be updated as an ItemViewModel, I can map it back to the existing item in the database.
This however sounds pretty unsafe to me, as anyone could modify the PUT request with any ItemId and affect items which don't belong to the user who executed the request. Is there anything I'm missing about this approach?
Second approach:
Don't pass the database PK ItemId in the ItemViewModel.
Instead use an additional form of identification: let's say that user X has 10 items. And they are numbered from 1 to 10 using a property named UserItemId(which also exists in the database).
I can then pass this UserItemId in the ItemViewModel and when I get it back I can map it to an existing Item in the database (if all was ok with the request) or discard it and reject the request if the UserItemId didn't match anything from the logged in user's items.
Is anyone using this approach?
Pros:
The user only has access to it's own items and can't affect anyone else's since it doesn't know the actual Item ID (primary key), and any modifications are restricted to it's items.
Cons:
A great deal of extra management must be implemented on the server side for this approach to work.
Any other approaches ?
Please consider that the case mentioned above applies to all entities in the database which a client side implementation can CRUD, so it's not just the simple case described above.
The proposed solution should work for the entire app data.
I know this question has been asked here and here but the first one doesn't have a satisfying answer and I don't think the second one really applies to my situation, since it just deals with the UserId.
Thanks.
EDIT
Please consider the Item above as an aggregate root which contains multiple complex subItems each with a table in the db. And the question applies for them as much as for the main Item. That means that each subItem is passed as a ViewModel to the client.
I should mention that regarding further securing the update request:
For the first approach I can easily check if the user is allowed to change the item. But I should do this for all subItems too.
For the second approach I can check if the user can update the Item as follows: I get the userItemId of the incoming ViewModel -> I get all the logged in user's items from the database and try to find a match with the same userItemId, if I get a hit then I proceed with the update.
I think your application is not secure, if you only hide the Id.
You must check, before changing the database entity, if the user is allowed to change the entity.
In your case you should check, if your Id from the authenticated user is the UserId in your item.
If your ViewModel ist similar or identical for your API you could use a FilterAttribute in your controller.
I have a minor problem in MVC 3. I'm creating an application, where my model, a shipment, consists of the following:
a user id (string, required)
a reference id (string, optional)
a list of order ids (strings, cannot be empty)
The index view of the application is where the user creates the shipment (model). Once this is done, the user has no further interaction with it (no edit, detail or list views).
My problem is this. I'm trying to use one form for both adding order ids, and for creating the shipment itself, using two separate buttons for submitting ("Add" for adding order ids, "Send" for creating the shipment). It seems that when I'm using the Create-action of my controller, that pressing "Send" overwrites my list of order ids with an empty one. However, if I'm submitting to the Index-action, and redirecting to Create on a press of "Send", my model validation is gone (ModelState only contains "submit").
Right now I'm using sessions to pass data around my controller actions, which is probably not the best way to do it.
TLDR; I need a way to add items to a list in a model, one at a time, while persisting other form data, and still be able to validate it.
Any suggestions?
It's better to take a look on your Actions, because it's not quite clear what are you doing there, but still it looks like you are tring to use same data structure to pass different tipes of parameters (one contains list, another contains general data). I think it's better to submit different data structures and build required result data object in each action.
This is probably a newbie question.
I have a table USER which contains info about login, pass and authorities. Depending on authority or role, detail information about each user can be found in one of following: Teacher, Student, Parent. When the User logs in, the information stored in USER table can be easly taken from security context.
I want to display first name and last name all the time in the header after log in - these can be fetched from the other tables.
My question is this: how do I handle storing one of these objects in session all the time? Or is it okay just to store User (its stored by spring) and then fetch particular table every time I need detail information?
I use spring security 3, hibernate, jsp, sitemash.
For more clarification:
I know how to deal with logged user and to restrict some content. Login details (id, pass, role) are stored in USER table and this is ok - I can fetch it and show whereever I want. The problem is that the details about a particular user (address, name, email, etc) are stored in in another table (STUDENT, TEACHER, PARENT - depending on the role in USER table). This is what I want to know on every page - for example to show his/her name.
TO cut it short -
1. you need to extend spring User to provide additional fields.
2. you need to implement UserDetailsService interface and reference it in the security context.
3. Now you can fetch your object in a controller like this: authentication.getPrincipal() - rememebr to cast to your type.
Additionaly - personally i always have AbstracController which is a base for every controller in my project. There, among others, I have method which returns current principal.