Just wanted to understand what is the best way to add an Authorization header for all ajax requests using trigger io. Currently, I'm manually adding the header on each request. Would be great to know if such a feature is available or undocumented, and if not then what is the best way to do this. Something similar to AFNetworking which allows you to add persistent headers.
There isn't currently a way to set a default, but you could write yourself a simple helper function, something like:
var username = "myuser";
var password = "skldjghslg";

// Wraps forge.request.ajax so every request carries the same credentials.
function myAjax(options) {
    options.username = username;
    options.password = password;
    forge.request.ajax(options);
}
Then whenever you would normally use forge.request.ajax just use myAjax.
Related
Is there any simple solution, or can it be accomplished only by defining a custom helper?
The best solution is probably to have the server send the array in reverse order to begin with. In most cases, the "Dust way" is to have the server send data in the format that it will be presented by Dust. If you don't have control over how the data is sent, though, you will either need a helper, or you can manipulate the data (using JavaScript) before passing it to dust.render.
var data = getData();
// Reverse the array in JavaScript before the data reaches Dust.
data.arrayToReverse = reverseArray(data.arrayToReverse);
dust.render('myDustTemplate', data, function(err, out) {
    // Show the result.
});
You would need to write the getData and reverseArray methods, but this way you could get the reversed array without a helper.
Basically this comes up as one of the related posts:
Isn't it dangerous to have query information in javascript using breezejs?
It was somewhat what my first question was about, but accepting the answers there, I really would appreciate it if someone had examples or tutorials on how to limit the scope of what's visible to the client.
I started out with the Knockout/Breeze template and changed it for what I am doing. Sitting with an almost finished project with one concern. Security.
I have authentication fixed and am working on authorization, trying to figure out how to make sure people can't get something that was not intended for them to see.
I got the first layer fixed on the root model so that a member can only see stuff he created or that is public. But a user may hax together a query using expand to fetch Object.Member.Identities, meaning he gets all the identities for public objects.
Are there any tutorials out there that could help me out with limiting what the user may query?
Should I wrap the returned objects with an ObjectDto and, when creating that, verify that it does not include sensitive information?
It's nice that it's up to me how I do it, but some tutorials with some pointers would be nice.
Code
controller
public IQueryable<Project> Projects()
{
    //var q = Request.GetQueryNameValuePairs().FirstOrDefault(k=>k.Key.ToLower()=="$expand").Value;
    // if (!ClaimsAuthorization.CheckAccess("Projects", q))
    //     throw new WebException("HET");// UnauthorizedAccessException("You requested something you do not have permission too");// HttpResponseException(HttpStatusCode.MethodNotAllowed);
    return _repository.Projects;
}
_repository
public DbQuery<Project> Projects
{
    get
    {
        var memberid = User.FindFirst("MemberId");
        if (memberid == null)
            return (DbQuery<Project>)(Context.Projects.Where(p => p.IsPublic));
        var id = int.Parse(memberid.Value);
        return (DbQuery<Project>)Context.Projects.Where(p => p.CreatedByMemberId == id || p.IsPublic);
    }
}
Look at applying the Web API's [Queryable(AllowedQueryOptions=...)] attribute to the method or doing some equivalent restrictive operation. If you do this a lot, you can subclass QueryableAttribute to suit your needs. See the Web API documentation covering these scenarios.
It's pretty easy to close down the options available on one or all of your controller's query methods.
Remember also that you have access to the request query string from inside your action method. You can check quickly for "$expand" and "$select" and throw your own exception. It's not that much more difficult to block an expand for known navigation paths (you can create white and black lists). Finally, as a last line of defense, you can filter for types, properties, and values with a Web API action filter or by customizing the JSON formatter.
The larger question of using authorization in data hiding/filtering is something we'll be talking about soon. The short of it is: "Where you're really worried, use DTOs".
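As an added illustration of the allowlist approach suggested above (code written for this page, not from the question, from Breeze or from Web API), a Web API action filter that rejects any $expand path not explicitly permitted; the attribute name and the "Member" navigation path in the usage comment are assumptions:

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical action filter (not part of the question's code or of Breeze). It rejects
// any $expand path that is not on an explicit allowlist before the IQueryable is composed,
// so a client cannot reach Member/Identities through a public Project.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class AllowedExpandAttribute : ActionFilterAttribute
{
    private readonly string[] _allowed;

    public AllowedExpandAttribute(params string[] allowedPaths)
    {
        _allowed = allowedPaths;
    }

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        var expand = request.GetQueryNameValuePairs()
            .Where(kv => string.Equals(kv.Key, "$expand", StringComparison.OrdinalIgnoreCase))
            .Select(kv => kv.Value)
            .FirstOrDefault();

        if (string.IsNullOrWhiteSpace(expand))
            return; // nothing to expand, nothing to check

        // $expand is a comma-separated list of navigation paths, e.g. "Member,Member/Identities".
        // Each path must match the allowlist exactly: allowing "Member" must not
        // implicitly allow "Member/Identities".
        var rejected = expand.Split(',')
            .Select(p => p.Trim())
            .Where(p => p.Length > 0 && !_allowed.Contains(p, StringComparer.OrdinalIgnoreCase))
            .ToList();

        if (rejected.Count > 0)
            throw new HttpResponseException(request.CreateErrorResponse(
                HttpStatusCode.Forbidden,
                "Expanding " + string.Join(", ", rejected) + " is not permitted."));
    }
}

// Applied to the question's action ("Member" is an assumed navigation property name):
//   [AllowedExpand("Member")] public IQueryable<Project> Projects() { return _repository.Projects; }
```

The filter runs before the action body, so the repository's per-member filter stays as it is and the navigation path check is kept in one place.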
Wherever I look this is the correct way to add a Cookie:
HttpCookie Session = new HttpCookie("Session");
Session.Value = someguid;
Session.Expires = somedatetime;
Response.Cookies.Add(Session);
And nowhere is there an explanation as to how to get Response into the current context. So I get this error:
The name 'Response' does not exist in the current context
What do I need to do to get the above code to work?
You may want to use System.Web.HttpContext.Current.Response if you are sure that this code will be executed inside a web application.
But I have life-proven practice (and Law of Demeter says the same) to pass Response as a parameter to a method where I want to use it.
I am using ASP.Net Web API with JSON.Net to serialize. I had to configure the serializer to handle ISO dates properly like this:
var iso = new IsoDateTimeConverter {
DateTimeFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss.fffK"
};
GlobalConfiguration.Configuration.Formatters.JsonFormatter
.SerializerSettings.Converters.Add(iso);
This works fine when I am passing my objects down via the WebAPI. My problem, however, is that I have another place where I want to explicitly call the serialization:
@Html.Raw(JsonConvert.SerializeObject(Model))
In this case, it doesn't use the configuration I set up. I am aware that I can pass the iso converter into the SerializeObject call, but I prefer to avoid this and get a hold of a configured serializer for obvious reasons.
Any ideas?
If you're going to do JSON serialization yourself, you have to pass the settings you want explicitly. There's no way around it. The best I can think of if you want to reuse the same serializer settings is to do something like this:
JsonConvert.SerializeObject(Model, GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings)
I need to detect if a request cookie's value is different from a response cookie's value.
It's not as easy as:
var request = HttpContext.Current.Request;
var response = HttpContext.Current.Response;
// Response.Cookies[name] creates the cookie when it is missing, so check AllKeys instead.
if (request.Cookies[".ASPXANONYMOUS"] != null
    && Array.IndexOf(response.Cookies.AllKeys, ".ASPXANONYMOUS") >= 0)
{
    bool isDifferent = request.Cookies[".ASPXANONYMOUS"].Value != response.Cookies[".ASPXANONYMOUS"].Value;
}
But I read that changing the Response.Cookies changes the Request.Cookies. That would mean they are always the same if HttpContext.Current.Response.Cookies[".ASPXANONYMOUS"] was changed. Is there an easy way around this?
http://chance.lindseydev.com/2009/04/aspnet-httprequestcookies-and.html
If you use Reflector to examine System.Web.Security.AnonymousIdentificationModule, you can see that the anonymous cookie is only read/written in PostAuthenticateRequest.
So, if you suspect something is wonky, write a simple HttpModule that reads the cookie during AuthenticateRequest and compare it to the value you get in AuthorizeRequest.
For more information about the request lifecycle see Exploring Web.config - system.web/httpModules by yours truly.
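The probe module described in the answer, as an added example written for this page (not code from the answer or the linked post); it reads the cookie in AuthenticateRequest, reads it again in AuthorizeRequest, and reports a difference through the page trace. The class and item-key names are assumptions:

```csharp
using System;
using System.Web;

// Hypothetical diagnostic module (not from the answer or the linked post). It records
// .ASPXANONYMOUS as Request.Cookies shows it in AuthenticateRequest and compares that with
// what AuthorizeRequest sees, bracketing the PostAuthenticateRequest step where the
// anonymous identification module rewrites the cookie.
public sealed class AnonymousCookieProbeModule : IHttpModule
{
    private const string CookieName = ".ASPXANONYMOUS";
    private const string ItemKey = "AnonymousCookieProbe.Before";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            // HttpContext.Items is per-request storage and dies with the request.
            ctx.Items[ItemKey] = ReadRequestCookie(ctx);
        };

        app.AuthorizeRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            var before = (string)ctx.Items[ItemKey];
            var after = ReadRequestCookie(ctx);
            if (!string.Equals(before, after, StringComparison.Ordinal))
            {
                // Request.Cookies changed between the two events, which is exactly what a
                // write to Response.Cookies does. The value itself is deliberately not logged.
                ctx.Trace.Warn("AnonymousCookieProbe",
                    "Cookie changed between AuthenticateRequest and AuthorizeRequest");
            }
        };
    }

    private static string ReadRequestCookie(HttpContext ctx)
    {
        var cookie = ctx.Request.Cookies[CookieName];
        return cookie == null ? null : cookie.Value;
    }

    public void Dispose() { }
}
```

Register the module under system.web/httpModules (classic pipeline) or system.webServer/modules (integrated pipeline) and enable page tracing to see the warning.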