Here I like to explain my problem clearly, How can I restrict get request through URL in Yii2
this is my url:
http://localhost/school/backend/web/index.php?r=user%2Fview&id=42
here if I change the view id = 43, it showing the data of id 43, I don't want to get data through url. I want to restrict get request through url or how can I encrypt the id value
If I change my url manager to
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
],
then am getting url like below
http://localhost/school/admin/user/view?id=42
here also if I change id=43 am getting the data of id 43
How can I do this. Help will be really appreciated.
Assuming the current scenario (let me know if i misunderstood something):
Company can see/add/edit People (that part you already did). Now, each Company can only do actions on your own People, not the others.
One Solution:
In your Company model you must have something like:
public function getPeoples()
{
return $this->hasMany(People::className(), ['id_people' => 'id']);
}
You can add another function just to return the Ids of the People:
public function getPeoplesIds()
{
return ArrayHelper::map($this->peoples, 'id', 'id');
}
Now in your controler you must rewrite your beforeAction function:
public function beforeAction($action){
$id = Yii::$app->request->get('id');
if($id && !Yii::$app->user->isGuest) {
$user = User::findOne(Yii::$app->user->getId());
$company = //Do the logic to get the company's user
if (! in_array($id, $company->peoplesIds) {
throw new NotFoundHttpException('The requested page does not exist.');
}
}
return parent::beforeAction($action);
}
With that, you are checking the $id before runing each action.
first of all you should think about your purpose .
why do you want to prevent user from getting another IDs ?
if they are not authorized to see other IDs you can easily authorize their requests : Yii2-authorization
otherwise , you can use a string key for your table and generate random strings for keys using Yii built in classes .
Yii2-security
Related
My web app generates a UUIDv4 for every new 'post', and each post has its own URL like /posts/<uuid>. I'm not able to predict what uuid gets generated, and therefore I'm unable to go back to a specific post that was created earlier during testing.
According to the docs, cy.url() returns the URL as a string. I tried saving the URL using a .as(), but it didn't work:
cy.url().as('postUrl');
// go somewhere else
cy.visit('#postUrl');
// ends up visiting `localhost:3000/#postUrl`
I saw in another SO question that I should use .then on cy.url(), but that didn't work either:
cy.url().then(url => url).as('postUrl');
// go somewhere else
cy.visit('#postUrl');
How do I save the current URL for use later?
Found the answer buried in later pages of a google search. In order to use the saved URL, use cy.get('#postUrl') and call a .then with a callback that visits that url.
cy.url().as('postUrl');
// go somewhere else
cy.get('#postUrl').then(url => {
cy.visit(url);
}
var currentUrl=''
cy.url().then(url => {
currentUrl = url;
});
cy.visit(currentUrl)
I'm writing an application for Twinfield. I login to an account with 4 administrations in it. I would like to retrieve all information belonging to not payed invoices.
With the search opttion I get al open invoices for a certain office.
string[][] finderOptions = new string[2][];
switch (office)
{
case 0:
finderOptions[0] = new string[] { "office", "xxxx01-01" };
break;
case 1:
finderOptions[0] = new string[] { "office", "xxxx03-01" };
break;
}
finderOptions[1] = new string[] { "dim1", "1300" };
TwinfieldFinder.MessageOfErrorCodes[] errorCodes = xmlFinder.Search(hdrXml, "IVT", "*", 0, 1, 0, finderOptions, out findResult);
This works. But it retuns the invoicenumber and I also need the transaction number. Therefore I perform a Browse to find the traansaction number.
Maybe there is another way to find the complete transaction using the invoicenumber iso the transactionnumber?
The Browse call looks like this:
TwinfieldProcessXml.ProcessXmlSoapClient xmlClient = new
TwinfieldProcessXml.ProcessXmlSoapClient("ProcessXmlSoap", cluster + "/webservices/processxml.asmx?wsdl");
TwinfieldProcessXml.Header hdrXml2 = new TwinfieldProcessXml.Header();
hdrXml2.CompanyCode = finderOptions[0][1];
hdrXml2.AnyAttr = hdr.AnyAttr;
hdrXml2.SessionID = hdr.SessionID;
It doens't matter if I user the CompanyCode in the headers It alwasy return the informatie belonging to the first office: xxxx01-01.
When using the browse codes in Twinfield, make sure to do the SoapCall to select the right company, as documented there:
https://c3.twinfield.com/webservices/documentation/#/FAQ
Otherwise you will get the data back for the default company:
Q. When using the Browse Data functionality, in the response I get data from a different company. What is wrong?
A. In the browse data request there is no option to set the current company. Before sending the request, make sure the correct company is set by using the SelectCompany function. See also Web Services Authentication.
To get the open invoices the best way is to use the browse codes. Select code 100 and add a filter on the column matchstatus, here is an example:
https://gist.github.com/alexjeen/d4ef3295820dc98c7f0171e47294dbfe
A common pattern for a user's settings page would be for it to live at /settings.
In my Rails app, I'm accomplishing this on the API side by mapping get 'settings' to Settings#show and looking for the current_user's settings.
But on the Ember side, I'm stumped. There's no ID to use for the GET request, so I can't use the typical pattern of this.store.find('setting', params.id) within my route.
What's the "Ember way" of handling this sort of use case?
This has been discussed here: http://discuss.emberjs.com/t/fetching-single-records/529/3
The issue with loading a single record not based on an ID, is that you need to get back a DS.Model object as a promise. If you get back a record that's already in the client's memory you would now have two different objects representing the same record (type and id combination). Take this example:
var user123 = App.User.find(123);
var currentUser = App.findByUrl('/users/current'); //This is an imaginary method, i.e. Ember Data don't support it
notEqual(user123, currentUser, "The user objects can't be the same cause we don't know what the current user is yet");
Now we get this response from the server:
{
"user": {
"id": 123,
"name": "Mufasa"
}
}
Now currentUser and user123 both have id 123, but they are essentially different objects = very bad. This is why this approach wouldn't work.
Instead you will want to load a record array of users, listen for it to load, and then take the firstObject from the loaded records. Like this:
var users = App.User.find({ is_current: true });
users.one('didLoad', function() {
App.set('currentUser', users.get('firstObject');
});
$.ajax({
type: 'GET',
url: '/users/current',
success: function(payload) {
var store = this.store;
var userReference = store.load(App.User, payload.user);
App.set('currentUser', store.recordForReference(userReference));
}.bind(this)
});
My question can look stupid but I need to get in touch and get a decision. I want to pass parameters to url without the parameters being seen in the url. this is to secure my server. Because the url looks like this
controller/edit/123
and the '123' is the user ID in the database.
I can simple do this
public function action_edit($id) {
get_db_info($id);
}
Is it possible to hide the parameter while redirecting to this url from a view? ie in the view file
// Do something to set the ID
<?php Kohana_Request::post("user_id", $id); ?>
Click
and get the ID like this
public function action_edit() {
$id = $this->request->post("user_id");
get_db_info($id);
}
But the problem I can't access the KOhana_Request instance and get this error
*Non-static method Kohana_Request::post() should not be called statically*
Can someone gives a secured approach to this ?
I think I found a solution by encoding and decoding the parameters.
Since Kohana 3.3 do not allow parameters in controller functions see .
I do this in my view
$user_id = Encrypt::instance()->encode($liste->user_id);
$encode_id = base64_encode($user_id);
$encode_ure_id = urlencode($encode_id);
And from the controller,
$encoded_id = urldecode($this->request->param('uri_id'));
$encode_base_url = base64_decode($encoded_id);
$user_id = Encrypt::instance()->decode($encode_base_url);
If this can help others.
My first post here, hopefully It will be right! =)
I am creating a site to manage web application development using symfony 1.4 and doctrine.
My records consist for this problem of Project and ProjectFeatures
Now what I want to do is use the admin generator to let users manage the features for one project thru a link constraining all the returned features by project_id, that would look like: http://mysite/member/project/:project_id/features
in my routing.yml configuration, I have:
member_project_feature:
class: sfDoctrineRouteCollection
options:
model: ProjectFeature
module: memberProjectFeature
prefix_path: /member/project/:project_id/features
with_show: true
column: id
with_wildcard_routes: true
project_id is an existing column in the model ProjectFeature,
I will use a custom query to retrieve features only by that project_id.
Now I can generate a url to link to that admin generator module without error using:
url_for('member_project_feature', array('project_id' => $project['id']))
And the routing system does recognise the url:
May 04 14:30:59 symfony [info] {sfPatternRouting} Match route "member_project_feature" (/member/project/:project_id/features.:sf_format) for /member/project/1/features with parameters array ( 'module' => 'memberProjectFeature', 'action' => 'index', 'sf_format' => 'html', 'project_id' => '1',)
But the admin generator can't generate it's links inside it's templates with that prefix_path and returns error InvalidArgumentException with message The "/member/project/:project_id/features/:action/action.:sf_format" route has some missing mandatory parameters (:project_id).
Any idea?
Well I found my answer at this url: http://www.blogs.uni-osnabrueck.de/rotapken/?s=symfony
But I will give it here and shorten it because, stackoverflow is awesome and it should be there for a long time =)
1st - The routing configuration I used in my question is valid.
2nd - You need to add a method in the action file generated by the admin
public function execute($sfRequest)
{
// taken from http://www.blogs.uni-osnabrueck.de/rotapken/?s=symfony
$this->forward404Unless(
$project_id = $sfRequest->getUrlParameter('project_id'));
$this->forward404Unless(
$this->project = Doctrine::getTable('ttcWebProject')->find($project_id));
$this->getContext()->getRouting()
->setDefaultParameter('project_id', $project_id);
if ($id = $sfRequest->getUrlParameter('id'))
{
$this->getContext()->getRouting()->setDefaultParameter('id', $id);
}
$result = parent::execute($sfRequest);
return $result;
}
At this point the url gets generated correctly but here is the last step to get to the end result you most probably want to achieve:
3rd - To get the list by project_id I can either provide a table method in the generator.yml, a default value to the getFilterDefaults or this method in the action file:
protected function buildQuery ()
{
$q = parent::buildQuery();
$rootAlias = $q->getRootAlias();
$q->andWhere("{$rootAlias}.project_id = ?",
$this->getRequest()->getUrlParameter('project_id'));
return $q;
}
I'm not 100% certain about what you're trying to do here, but it sounds like you need the ProjectFeature::toParams method return the project_id.