Is something like this supported by Flow?
/**
* #ORM\Entity
* #UniqueEntity(
* fields={"host", "port"},
* errorPath="port",
* message="This port is already in use on that host."
* )
*/
class Service
{
I need to validate that one title isn't used twice for one user.
Edit: Added model validator to check for uniqueness, but now it's checked in all actions: loading, updated etc.
Edit 2: "Solved" by checking in validator if object is new (not yet persisted). Still problem when updating already existent entity.
You can use the UniqueEntityValidator and only annotate the validator in the actions where you need to check the uniqueness.
http://flowframework.readthedocs.org/en/latest/TheDefinitiveGuide/PartV/ValidatorReference.html#uniqueentityvalidator
Alternatively, you could maybe use ValidationGroups to only validate with your existing model validator in the places you want it to happen.
http://flowframework.readthedocs.org/en/latest/TheDefinitiveGuide/PartIII/Validation.html?highlight=validationgroups#advanced-feature-partial-validation
Related
Recently I've been working on a simple state-tracking system, its main purpose is to persist updates, sent periodically from a mobile client in relational database for further analysis/presentation.
The mobile client uses JWTs issued by AAD to authenticate against our APIs. I need to find a way to verify if user has permissions to send an update for a certain Item (at this moment only its creator should be able to do that).
We assume that those updates could be sent by a lot of clients, in small intervals (15-30 seconds). We will only have one Item in active state per user.
The backend application is based on Spring-Boot, uses Spring Security with MS AAD starter and Spring Data JPA.
Obviously we could just do the following:
User_1 creates Item_1
User_1 sends an Update for Item_1
Item has an owner_ID field, before inserting Update we simply check if Item_1.owner_ID=User_1.ID - this means we need to fetch the original Item before every insert.
I was wondering if there was a more elegant approach to solving these kind of problems. Should we just use some kind of caching solution to keep allowed ID pairs, eg. {User_1, Item_1}?
WHERE clause
You can include it as a condition in your WHERE clause. For example, if you are updating record X you might have started with:
UPDATE table_name SET column1 = value1 WHERE id = X
However, you can instead do:
UPDATE table_name SET column1 = value1 WHERE id = X AND owner_id = Y
If the owner isn't Y, then the value won't get updated. You can introduce a method in your Spring Data repository that looks up the Spring Security value:
#Query("UPDATE table_name SET column1 = ?value1 WHERE id = ?id AND owner_id = ?#{principal.ownerId}")
public int updateValueById(String value1, String id);
where principal is whatever is returned from Authentication#getPrincipal.
Cache
You are correct that technically a cache would prevent the first database call, but it would introduce other complexities. Keeping a cache fresh is enough of a challenge that I would try it only when it's obvious that introducing the complexity of a cache brings the required, observed performance gains.
#PostAuthorize
Alternatively, you can make the extra call and use the framework to simplify the boilerplate. For example, you can use the #PostAuthorize annotation, like so, in your controller:
#PutMapping("/updatevalue")
#Transactional
#PostAuthorize("returnObject?.ownerId == authentication.principal.ownerId")
public MyWidget update(String value1, String id) {
MyWidget widget = this.repository.findById(id);
widget.setColumn1(value1);
return widget;
}
With this arrangement, Spring Security will check the return value's ownerId against the logged-in user. If it fails, then the transaction will be rolled back, and the changes won't make it into the database.
For this to work, ensure that Spring's transaction interceptor is placed before Spring Security's post authorize interceptor like so:
#EnableMethodSecurity
#EnableTransactionManagement(order=-1)
The downside to this solution is that there are still the same two DB calls. I like it because it's allowing the framework to enforce the authorization rule. To learn more, take a look at this sample application that follows this pattern.
since Typo3 v10 you have to use Classes.php file in Configuration/extbase/Persistence Folder for configuration of persistence table mapping.
Does anyone know how to implement
config.tx_extbase.persistence.classes {
Domain\DomainUsergroupMailer\Domain\Model\FrontendUserGroups {
mapping {
tableName = fe_groups
columns {
subgroup.foreignClass = TYPO3\CMS\Extbase\Domain\Model\FrontendUserGroup
}
}
}
I can't find documentation concerning the foreignClass Parameter.
I found parameter subclasses in https://docs.typo3.org/m/typo3/book-extbasefluid/10.4/en-us/6-Persistence/5-modeling-the-class-hierarchy.html
Does anyone know if this is the right way parameter and how to use it?
Thank you
There never was such a feature in TYPO3 as confirmed by searching the TYPO3v9 source code for foreignClass. So this must be provided by a 3rd party extension.
However, from the name it sounds like you only need to use an appropriate element type for your collection relation:
/**
* #var ObjectStorage<FrontendUserGroup>
*/
private ObjectStorage $subgroup;
See Implementing the domain model for details.
In Grails framework I saw the command object pattern but its use is not very clear for me. In addition most of examples given by Grails documentation are about domain classes not command objects (maybe to simplify code example).
1 - Command object is something used between view and controller layer and must stay there ?
2 - Or is it a good practice to pass command object to service layer ?
To illustrate point 2 :
class MyController {
def updateUserPassword (UserPasswordCommand cmd) {
...
myService.updatePassword(cmd)
...
}
}
If point 2 is a bad practice, then how do you pass submitted data to the service layer ? Via domain class ?
EDIT : Seems OK
[EDIT]
If I use command object and not domain class what to do in this case :
def signup(UserCreateCommand cmd)
{
if (!cmd.hasErrors()) {
def userInstance = userService.signup(cmd)
}
}
if (cmd.hasErrors()) {
/* Stay on form in order to display errors */
render(view:"/app/authentication/_signupForm", model:[userCreateCommand: cmd])
return
}
...
}
what happen if when user service transaction ends, there is an exception raided by database (because of flushing data not respecting schema constraints) ?
The problem in my point of view is that there are two queries :
Firstly - when call cmd.hasErrors() there is a persistent call for unique constraint on email for example
Secondly - when service transaction ends, there is a flush to DB (which result in one SQL insert in my case), and maybe raises an exception on column email which has unique constraint
Test cmd.hasErrors() doesn't prevent the case where DB raises a violated constraint unique exception or I'm wrong ?
That's the best way to pass request params to service layer. I have seen people passing params to service which is really a worst practice. Our controllers should be dump, Max 5-8 LOC in controller method is a guideline in my company.
Command object gives you so much power out of the box like validation, method etc.
Constraints like unique which needs to validated from database cannot be applied on command object. In this case you can use validator http://grails.github.io/grails-doc/2.5.1/ref/Constraints/validator.html.
You can also use importFrom constraint to have all the constraint form User domain to command object http://grails.github.io/grails-doc/2.5.1/guide/validation.html.
For instance, suppose I wanted to let that column be set to whatever the database defaults it to, without redefining that default in the domain class?
I can't find much through Google. There are hints that if I were working with Hibernate directly, I could set that particular column/property to private, and this might accomplish what I seek.
I can of course leave that column undefined, and GORM ignores it. But I need the values out of it whenever the Grails app does a select.
You can use the GORM property insertable as in doc or can read the value with a beforeInsert event:
class Book {
String title
String isbn
static mapping = {
isbn nullable: false
}
def beforeInsert {
title = queryFromDatabase...
}
}
I think you have to go the beforeInsert / Hibernate interceptor route since your requirement is to read default values from an existing database.
You can read the database default values for columns with JDBC's DatabaseMetaData.getColumns .
To find out the database table and column names, you can use something like this (this code is not tested)
import org.codehaus.groovy.grails.orm.hibernate.cfg.GrailsDomainBinder
import org.codehaus.groovy.grails.orm.hibernate.cfg.Mapping
import org.codehaus.groovy.grails.commons.DomainClassArtefactHandler
def gdc=grailsApplication.getArtefact(DomainClassArtefactHandler.TYPE, someInstance.class.name)
Mapping mapping=GrailsDomainBinder.getMapping(gdc)
def tableName=mapping.tableName
def columnName=mapping.getPropertyConfig('someColumn').column
This is not a complete answer, but I hope this helps.
I am looking for a simple way to hydrate a related object. A Note belongs to a Document and only owners of a Document can add Notes so when a user tries to edit a Note, I need to hydrate the related Document in order to find out if the user has access to it. In my Service layer I have the following:
public void editNote(Note note)
{
// Get the associated Document object (required for validation) and validate.
int docID = noteRepository.Find(note.NoteID).DocumentID;
note.Document = documentRepository.Find(docID);
IDictionary<string, string> errors = note.validate();
if (errors.Count > 0)
{
throw new ValidationException(errors);
}
// Update Repository and save.
noteRepository.InsertOrUpdate(note);
noteRepository.Save();
}
Trouble is, noteRepository.InsertOrUpdate(note) throws an exception with "An object with the same key already exists in the ObjectStateManager." when the repository sets EntityState.Modified. So a number of questions arise:
Am I approaching this correctly and if so, how do I get around the exception?
Currently, the controller edit action takes in a NoteCreateEditViewModel. Now this does have a DocumentID field as this is required when creating a new Note as we need to know which Document to attach it to. But for edit, I cannot use it as a malicious user could provide a DocumentID to which they do have access and thus edit a Note they don't own. So should there be seperate viewmodels for create and edit or can I just exclude the DocumentID somehow on edit? Or is there a better way to go about viewmodels such that an ID is not required?
Is there a better way to approach this? I have read that I should just have a Document repository as an aggregate and lose the Note repository but am not sure if/how this helps.
I asked a similar question related to this but it wasn't very clear so hoping this version will allow someone to understand and thus point me in the right direction.
EDIT
Based on the information provided by Ladislav Mrnka and the answer detailed here: An object with the same key already exists in the ObjectStateManager. The ObjectStateManager cannot track multiple objects with the same key, it seems that my repository method need to be like the following:
public void InsertOrUpdate(Note note)
{
if (note.NoteID == default(int)) {
// New entity
context.Notes.Add(note);
} else {
// Existing entity
//context.Entry(note).State = EntityState.Modified;
context.Entry(oldNote).CurrentValues.SetValues(note);
}
}
But how do I get the oldNote from the context? I could call context.Entry(Find(note.NoteID)).CurrentValues.SetValues(note) but am I introducing potential problems here?
Am I approaching this correctly and if so, how do I get around the exception?
I guess this part of your code loads the whole Node from the database to find DocumentID:
int docID = noteRepository.Find(note.NoteID).DocumentID;
In such case your InsertOrUpdate cannot take your node and attach it to context with Modified state because you already have note with the same key in the context. Common solution is to use this:
objectContext.NoteSet.ApplyCurrentValues(note);
objectContext.SaveChanges();
But for edit, I cannot use it as a malicious user could provide a DocumentID to which they do have access and thus edit a Note they don't own.
In such case you must add some security. You can add any data into hidden fields in your page but those data which mustn't be changed by the client must contain some additional security. For example second hidden field with either signature computed on server or hash of salted value computed on server. When the data return in the next request to the server, it must recompute and compare signature / hash with same salt and validate that the passed value and computed value are same. Sure the client mustn't know the secret you are using to compute signature or salt used in hash.
I have read that I should just have a Document repository as an aggregate and lose the Note repository but am not sure if/how this helps.
This is cleaner way to use repositories but it will not help you with your particular error because you will still need Note and DocumentId.