I'm using the spring-session project and I find it quite awesome. My requirement is to show the customer a list of his latest logins (IP address, date/time of his latest logins). I'm looking at the SessionRepository but I can't seem to find such a method. Is it possible to introduce such a method to return a org.springframework.data.domain.Page of latest sessions for a given customer? If not could anyone suggest how to tackle this problem?
We want to keep SessionRepository as simple as possible, so it will not be introduced into that API. Instead, we will likely create an extension to the interface when resolving gh-7 is resolved.
In the meantime, you can extend the existing implementation to provide additional methods that map the additional necessary information.
for org.springframework.web.context.request.RequestContextHolder
example usage:
public static HttpSession session() {
ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
return attr.getRequest().getSession(true); // true == allow create
}
Related
since Typo3 v10 you have to use Classes.php file in Configuration/extbase/Persistence Folder for configuration of persistence table mapping.
Does anyone know how to implement
config.tx_extbase.persistence.classes {
Domain\DomainUsergroupMailer\Domain\Model\FrontendUserGroups {
mapping {
tableName = fe_groups
columns {
subgroup.foreignClass = TYPO3\CMS\Extbase\Domain\Model\FrontendUserGroup
}
}
}
I can't find documentation concerning the foreignClass Parameter.
I found parameter subclasses in https://docs.typo3.org/m/typo3/book-extbasefluid/10.4/en-us/6-Persistence/5-modeling-the-class-hierarchy.html
Does anyone know if this is the right way parameter and how to use it?
Thank you
There never was such a feature in TYPO3 as confirmed by searching the TYPO3v9 source code for foreignClass. So this must be provided by a 3rd party extension.
However, from the name it sounds like you only need to use an appropriate element type for your collection relation:
/**
* #var ObjectStorage<FrontendUserGroup>
*/
private ObjectStorage $subgroup;
See Implementing the domain model for details.
Basically this comes up as one of the related posts:
Isn't it dangerous to have query information in javascript using breezejs?
It was someone what my first question was about, but accepting the asnwers there, i really would appreciate if someone had examples or tutorials on how to limit the scope of whats visible to the client.
I started out with the Knockout/Breeze template and changed it for what i am doing. Sitting with a almost finished project with one concern. Security.
I have authentication fixed and is working on authorization and trying to figure out how make sure people cant get something that was not intended for them to see.
I got the first layer fixed on the root model that a member can only see stuff he created or that is public. But a user may hax together a query using extend to fetch Object.Member.Identities. Meaning he get all the identities for public objects.
Are there any tutorials out there that could help me out limiting what the user may query.?
Should i wrap the returned objects with a ObjectDto and when creating that i can verify that it do not include sensitive information?
Its nice that its up to me how i do it, but some tutorials would be nice with some pointers.
Code
controller
public IQueryable<Project> Projects()
{
//var q = Request.GetQueryNameValuePairs().FirstOrDefault(k=>k.Key.ToLower()=="$expand").Value;
// if (!ClaimsAuthorization.CheckAccess("Projects", q))
// throw new WebException("HET");// UnauthorizedAccessException("You requested something you do not have permission too");// HttpResponseException(HttpStatusCode.MethodNotAllowed);
return _repository.Projects;
}
_repository
public DbQuery<Project> Projects
{
get
{
var memberid = User.FindFirst("MemberId");
if (memberid == null)
return (DbQuery<Project>)(Context.Projects.Where(p=>p.IsPublic));
var id = int.Parse(memberid.Value);
return ((DbQuery<Project>)Context.Projects.Where(p => p.CreatedByMemberId == id || p.IsPublic));
}
}
Look at applying the Web API's [Queryable(AllowedQueryOptions=...)] attribute to the method or doing some equivalent restrictive operation. If you do this a lot, you can subclass QueryableAttribute to suit your needs. See the Web API documentation covering these scenarios.
It's pretty easy to close down the options available on one or all of your controller's query methods.
Remember also that you have access to the request query string from inside your action method. You can check quickly for "$expand" and "$select" and throw your own exception. It's not that much more difficult to block an expand for known navigation paths (you can create white and black lists). Finally, as a last line of defense, you can filter for types, properties, and values with a Web API action filter or by customizing the JSON formatter.
The larger question of using authorization in data hiding/filtering is something we'll be talking about soon. The short of it is: "Where you're really worried, use DTOs".
I have a grails application where I have contacts which belongs to another domain contactGroup. It all seems to be working fine except for removeFromContacts method. I am using following code. The code works correctly but removes only one contact from the group at a time. I even did some debugging and the foreach loop runs as many times as the contacts provided. There is no error message. Any idea what could be going wrong -
ContactGroup group = ContactGroup.findByIdAndOwner(params.groupId, user)
def contactIds = request.JSON.data.contact
contactIds.each {
Contact contact = Contact.findByContactIdAndOwner(it.contactId, user)
if(contact) {
group.removeFromContacts(contact)
}
}
I've read a few things about the findAll methods loading proxies if the associations are lazy-loaded rather than the "real" instance.
Try this:
group.removeFromContacts(Contact.get(contact.id))
The 'get' should bypass the proxies and use the "real" instance. There is a JIRA that talks about this (Grails-5804). An overall fix according to the JIRA (from Burt Beckwith) is to implement the equals and hashCode method in your Contact class.
Thanks for all your support. I realized that I have not defined the relationship at the domain level correctly and that was messing up with the whole thing. When I corrected that it was working correctly.
saurabh
I am looking for a simple way to hydrate a related object. A Note belongs to a Document and only owners of a Document can add Notes so when a user tries to edit a Note, I need to hydrate the related Document in order to find out if the user has access to it. In my Service layer I have the following:
public void editNote(Note note)
{
// Get the associated Document object (required for validation) and validate.
int docID = noteRepository.Find(note.NoteID).DocumentID;
note.Document = documentRepository.Find(docID);
IDictionary<string, string> errors = note.validate();
if (errors.Count > 0)
{
throw new ValidationException(errors);
}
// Update Repository and save.
noteRepository.InsertOrUpdate(note);
noteRepository.Save();
}
Trouble is, noteRepository.InsertOrUpdate(note) throws an exception with "An object with the same key already exists in the ObjectStateManager." when the repository sets EntityState.Modified. So a number of questions arise:
Am I approaching this correctly and if so, how do I get around the exception?
Currently, the controller edit action takes in a NoteCreateEditViewModel. Now this does have a DocumentID field as this is required when creating a new Note as we need to know which Document to attach it to. But for edit, I cannot use it as a malicious user could provide a DocumentID to which they do have access and thus edit a Note they don't own. So should there be seperate viewmodels for create and edit or can I just exclude the DocumentID somehow on edit? Or is there a better way to go about viewmodels such that an ID is not required?
Is there a better way to approach this? I have read that I should just have a Document repository as an aggregate and lose the Note repository but am not sure if/how this helps.
I asked a similar question related to this but it wasn't very clear so hoping this version will allow someone to understand and thus point me in the right direction.
EDIT
Based on the information provided by Ladislav Mrnka and the answer detailed here: An object with the same key already exists in the ObjectStateManager. The ObjectStateManager cannot track multiple objects with the same key, it seems that my repository method need to be like the following:
public void InsertOrUpdate(Note note)
{
if (note.NoteID == default(int)) {
// New entity
context.Notes.Add(note);
} else {
// Existing entity
//context.Entry(note).State = EntityState.Modified;
context.Entry(oldNote).CurrentValues.SetValues(note);
}
}
But how do I get the oldNote from the context? I could call context.Entry(Find(note.NoteID)).CurrentValues.SetValues(note) but am I introducing potential problems here?
Am I approaching this correctly and if so, how do I get around the exception?
I guess this part of your code loads the whole Node from the database to find DocumentID:
int docID = noteRepository.Find(note.NoteID).DocumentID;
In such case your InsertOrUpdate cannot take your node and attach it to context with Modified state because you already have note with the same key in the context. Common solution is to use this:
objectContext.NoteSet.ApplyCurrentValues(note);
objectContext.SaveChanges();
But for edit, I cannot use it as a malicious user could provide a DocumentID to which they do have access and thus edit a Note they don't own.
In such case you must add some security. You can add any data into hidden fields in your page but those data which mustn't be changed by the client must contain some additional security. For example second hidden field with either signature computed on server or hash of salted value computed on server. When the data return in the next request to the server, it must recompute and compare signature / hash with same salt and validate that the passed value and computed value are same. Sure the client mustn't know the secret you are using to compute signature or salt used in hash.
I have read that I should just have a Document repository as an aggregate and lose the Note repository but am not sure if/how this helps.
This is cleaner way to use repositories but it will not help you with your particular error because you will still need Note and DocumentId.
Using Symfony 1.4.5 with Doctrine
I have a model which includes an uploaded image as one of the columns - creating and updating the record is fine (using the doSave() method to deal with the upload and any changes to the file).
The problem I'm having is if the record is deleted - I want it to remove the associated file as well. But I can't find anyway to do this after several hours of hunting through documentation and Google.
Is there a way to specify some kind of post-delete code?
Final solution:
in /lib/model/doctrine/Image.class.php
class Image extends BaseImage
{
public function postDelete()
{
$filename = $this->getFilename();
$filepath = sfConfig::get('sf_upload_dir') . '/' . $filename;
#unlink($filepath);
}
}
Thanks to Colonel Sponz for pointing me in the right direction
It's a while since I last used Doctrine but I seem to remember there is a post delete hook function that you can use for this kind of thing. If you look into the source for the Doctrine base class you should be able to find the exact method name and usage.
EDIT: The method is postDelete() and is found in the Doctrine_Record class
Here's the section from the Symfony documentation that covers advanced Doctrine usage.
Hijacking Colonel Sponsz's answer, the postDelete() method is definitely the way to go. +1 to him :-) But, you'll need to enable Doctrine callbacks in your config/ProjectConfiguration.class.php. Add this method:
public function configureDoctrine(Doctrine_Manager $manager)
{
$manager->setAttribute(Doctrine_Core::ATTR_USE_DQL_CALLBACKS, true);
}
Clear your Symfony cache, and Doctrine will fire the callback methods such as postDelete() at the appropriate times.