i want to make a sequence diagram, which shows the login process in an .Net MVC Webapp (i.e. webshop).
I am quite new to UML modeling, so i am not sure, how to build the interaction between, Controller, model and view. I found different solution online.
Here are some question i have:
Does the client interact with the view, or directly with the Controller (in my test Trial the client interacts with the Controller)?
For the loginvalidation: In my test Trial the Controller ask the model, if the login_data (username and pw) are correct. Is it necessary, that the model interacts with an database, where the user data are stored?
If i would like to send data in an http Request, should i just add the variable in the brackets?
Here is my test Trial:
This is perfect. You just could shortcut the http-response and move it outside the alt fragment.
The controller is the one to "do the job" and the view just to present it. Actually there's a bit of intermix since views contain some basic I/O logic. But here the http-data travel from the client to the controller.
It depends. You "can" show that but you "must not". If the model reader needs to know the details you can show that directly or in a separate SD.
You would usually pass data as parameter of a method. You can also show concrete data (e.g. a quoted string or an integer value).
Related
So, lets say that this is a general definition in VIPER architecture:
The main parts of VIPER are:
View: displays what it is told to by the Presenter and relays user
input back to the Presenter.
Interactor: contains the business logic as specified by a use case.
Presenter: contains view logic for preparing content for display (as
received from the Interactor) and for reacting to user inputs (by
requesting new data from the Interactor).
Entity: contains basic model objects used by the Interactor.
Routing: contains navigation logic for describing which screens are
shown in which order.
Now in my interactor, I do a login network request, and I get the response that has access token (that I later save in keychain using my KeyChainManager).
Now, were would be a good and a proper place to save the token? Immediately in the interactor, or to pass it somewhere further maybe, eg. presenter... ?
This is a service so that's what the interactor is for. You should have a service for doing the request and a service for storing or retrieving the token, and only an interactor should be allowed to speak to them or even know of them.
That is, in fact, the whole point of the interactor — it's so that the presenter does not know anything about this. No one else should know anything about what's going on. A presenter should know nothing about the token — that it exists or where it is stored. That's all just behind-the-scenes implementation.
So I am writing an app in Rails 5, and I am interested in the security issues of a simple feature I am trying to write. Users make Picks, which are secret from one another until a certain time. If I pass:
#picks = Pick.all
which contains everyones picks,
to the view with the controller, and then filter what is displayed depending on who the user is on the view, would a user be able to access that #picks variable using nefarious methods? At first I thought yes, but now I am thinking that the user just gets the raw view sent with no #picks variable. Unless users can sneaky dev their own html views?
Disregard that it's probably a better idea to do the filtering in the controller anyway, I just want to see if you can expose variables if you give them in full to the view and then filter them there.
Short Answer:
No, the client cannot access the #picks variable directly. Your view would have to display the value of #picks in the view in order for the browser to receive it.
Long Answer:
However, it would be good practice to limit the data assigned to #picks before it gets to the view. As your codebase grows and ages, and perhaps other developers start maintaining it, you may not remember that the #picks variable contains data that should not be displayed in the view.
Six months down the road, when the client wants to update the view based on new feature enhancement, you do not want to rely on the developer who is modifying the view to know that #picks contains sensitive data.
Make life easy on future developers (including you) by restricting the content of #picks to those records that the user is allowed to see at the time. Using the code suggested in the comments is a good idea:
#picks = current_user.picks
Or better yet, add a method to your model that contains the business logic for determining which picks are available to the user at a given time:
class User < ApplicationRecord
...
def authorized_picks
# code that returns the picks this user is allowed to see right now
end
...
end
And then your controller code is:
#picks = current_user.authorized_picks
That way all of your business logic is in the model, where it belongs 90% of the time. This also allows you to keep your code DRY by having the authorization logic all in one place.
Keep your code simple and DRY and you will thank yourself down the road.
No, They won't be able to get the instance variable which we use in haml/erb files. They just get the raw html.
As Ruby on rails does server rendering, all instance variables will be used to prepare view at the server side.
Anyways filtering should be done on controller side as best practice.
First-time poster, long-time admirer! :-) Coming from ASP.NET WebForms world and building my first MVC web app. Over the past month or so, I've watched a lot of videos and read a lot about MVC, EF Code-First, patterns, strategies, etc. Exciting!
Building an ASP.NET MVC 5 web application, which is to be a fairly simple, 3-step sign-up form on an anonymous portion of the web site. An [anonymous] user fills out "step 1," clicks "next," and data gets recorded into a database between steps (which is desired even if the user quits before finishing step 3).
So my approach so far is to build a single "Signup" controller with 3 controller actions for the 3 steps (along with their own ViewModels containing only the needed fields for each step):
Site/Signup/Step1 (creates a new record in DB and fills out some fields)
Site/Signup/Step2 (edits the record created in Step1 and fills out some other fields)
Site/Signup/Step3 (edits the record created in Step1 and fills out some other fields)
My question is, how do I best persist a unique identifier for the newly-created record from Step1 over to steps 2 and 3, safely, securely, conveniently?
There is an auto-identity integer SignupID, but that is not safe-enough to pass via querystring (.../Step2?id=xxx), as anyone could just type a different number and overwrite data in the database.
Some thoughts I've had so far:
Option: Generate a longer random number or alphanumeric code and store in DB, and use it as a URL parameter. Maybe even GUID without hyphens or something like that.
Option: Persist the identifier (auto-increment ID or the longer alphanumeric code) someplace other than the querystring. Maybe Session? TempData?
Option: Some combination of the two above, but with added crypto hashing or something, to ensure that the ID only works for some small period of time (say, an hour, or something).
I don't want to make this overly complex for a very small application with small number of users/sign-ups. Just need to make it not stupidly "inviting" for poking around, considering the form needs to be filled out by anonymous users.
I'd appreciate some thoughts from the community. Thanks!
In my application users are able to transfer points between them. In my view, I check if user can transfer points from his account, if he can, I render something that allows him to do that. I would not like to check that again in my controller, so I need some mechanism, that will allow me to check if user that I rendered a viewpage for, is the same as the one that is sending a request to my controller.
So basically, I would like to check in my controller, if currently logged user is the same as the one that sent the request - and to do this, I think that I need something that works similar to ViewBag, but not from the controller to a view, but from view to a controller. Is that possible?
A proper way to do this will not be the transfer of such information between user requests. Every request shall be stateless but you trying to embed a state. This is a fair way to shoot yourself in a foot.
If your action requires authentication (you are who you say you are) you should do it using standard classic ASP net way. This will embed a standard authentication token to any further user requests. This way you will know that the user is authenticated or not.
For some actions that require authorisation (user has permissions to perform an action) you must validate that a user has the power to perform such action. This must be done for every request and it is usually a fast operation. No need to optimise things here by reducing your security barrier.
If you search for authentication and authorisation with classic asp, you will get a more fine grained answer on how to do the coding bit.
I wouldn't recommend, but you can still embed hidden information with
<input type="hidden" value="..."/>
I'm building a web application that has a particular model representing some events. Users need to be able to add N number of people to a given event. Choosing people is handled by a partial view.
I'm trying to build a menu that displays when users click "add a person" to the event. Because the event hasn't been filled out completely yet, there is nothing in the database to persist between requests.
I also have validation logic on the event page.
My proposed solution is to add the form to search or add for people on the event form itself and have a submit button that sends the values that have been added back to the server, where I can store them in ViewData or Session.
Unfortunately, doing this flags the validation.
My second solution is to load a partial view responsible for loading the UI to add/search for a person. I could add a little code on the method in the controller that returns a partial view storing the existing data in a session variable or viewdata. Trouble is, I have to submit the form to do it--again tripping the validation!!!
I'm wondering if perhaps I chose the wrong tool to do this...because in webforms, there would probably be a postback and you would just perform an operation on that postback. I'd like to avoid rewriting the application in webforms and am wondering if there are ways I'm overlooking in ASP.NET MVC.
Thanks in advance for the ideas!
I would probably have the partial view send it's data to the main page (with javascript). That way there is only one post to the server and it is when all of the data the user needs to enter has been filled out. How are you displaying the partial view? Is it on the main page (in a div), or is it a separate pop-up window? Either way, you should be able to use javascript to store this data on the main page and post all of the data back at one time.
HTH