Symfony 1.4 ghost user - current user changes to different user - symfony1

I have the following code to display the currently logged in user in my application. The strange thing is that intermittently, on odd occasions while the user is browsing from one page to another, the username of the logged in user changes to another user who is in the database. Logging out and logging back in then displays the current username.
<?php if ($sf_user->isAuthenticated()){?>
<div id="welcome">
You are signed in as <strong><?php echo sfContext::getInstance()->getUser()->getGuardUser()->getName()?></strong> Logout
</div>
<div class="clear"></div>
<?php } ?>
Any ideas what could be causing this?
I can confirm both users were logged in on the same day but at different locations.

Use $sf_user in your views instead of sfContext.
Like:
<?php if ($sf_user->isAuthenticated()){?>
<div id="welcome">
You are signed in as <strong><?php echo $sf_user->getName()?></strong> Logout
</div>
<div class="clear"></div>
<?php } ?>

Related

create relative links with Thymeleaf

I have the following code which loops through a list of countries and creates href links:
<div class="container" th:each="country: ${countryList}">
<a th:href="${country.countryAbbr}"><div class="row" th:text="${country.country}"></div></a>
</div>
The current page url is "localhost:8080/directory", and the generated url is showing as
"localhost:8080/us"
How can I make the url show as "localhost:8080/directory/us"
I want "us" to be added to the current url of the page.
Try creating the following code in your Controller class.
@RequestMapping(value="/", method=RequestMethod.GET)
public String rootGet() {
return "redirect:/directory";
}
You can use ServletUriComponentsBuilder:
<div th:with="urlBuilder=${T(org.springframework.web.servlet.support.ServletUriComponentsBuilder)}"
class="container" th:each="country: ${countryList}">
<a th:href="${urlBuilder.fromCurrentRequest().path('/' + country.countryAbbr).toUriString()}">
<div class="row" th:text="${country.country}"></div>
</a>
</div>
Give this one a try:
<div class="container" th:each="country: ${countryList}">
<a th:href="@{${country.countryAbbr}}"><div class="row" th:text="${country.country}"></div></a>
</div>
Using @{...} usually resolves the default context, but I am not aware of your environment.
For example, if you had a Tomcat .war file and your application were hosted at localhost:8080/myApp, you would want the result /myApp/us rather than /us. @{...} would do that trick.
If the above is not relevant for you, use this one:
<div class="container" th:each="country: ${countryList}">
<a th:href="@{'/directory/' + ${country.countryAbbr}}"><div class="row" th:text="${country.country}"></div></a>
</div>

Grails update/rerender layout at runtime

The situation is that I have a layout application.gsp that defines the layout for all the pages except the login page. Inside the layout is a header that should display the name of the currently logged in user (Spring Security plugin). The problem is that if the user has just registered or uses OAuth for the first time (same as registering), then when he logs in he will see an empty spot instead of a username, because the layout was rendered before the username was available. If he logs out and logs in again he will of course see his username.
P.S. Moving the header outside of the layout is not an option, because it will cause massive code duplication.
Is there a way around this?
I will answer my own question for future generations trying to solve the same problem.
The trick is in using a decorator design pattern and the badly documented g:pageProperty gsp tag.
views/layouts/application.gsp:
....
<li class="dropdown menu">
<a href="#" class="dropdown-toggle"
data-toggle="dropdown"><g:pageProperty name="page.username"/></a>
<ul class="dropdown-menu">
<li>Preferences</li>
<li>
<a href="${resource(file: 'j_spring_security_logout')}"
class="navbar-btn btn-danger btn">Logout</a></li>
</ul>
</li>
....
views/index.gsp:
....
<body>
<content tag="username">
<g:username username="${username}"/>
</content>
....
taglib/UsernameTagLib.groovy:
class UsernameTagLib {
def springSecurityService
/**
* Check if the username is already available, else inject the newly created username into the layout.
*
* @attr username REQUIRED the username that was received from the newly registered user
*/
def username = { attrs ->
String currentUsername = springSecurityService.getCurrentUser()?.username
if (currentUsername) {
out << currentUsername
} else {
out << attrs.username
}
}
}
The newly created username is passed to views/index.gsp when the user has finished the whole OAuth process.
controllers/OauthCallBackController.groovy
....
def facebook() {
Token facebookAccessToken = (Token) session[oauthService.findSessionKeyForAccessToken('facebook')]
if (facebookAccessToken) {
String username = oauthCallBackService.facebook(facebookAccessToken)
render view: '/index', model: [username: username]
} else failure()
}
....
Basically the username travels upwards until it reaches the layout, which allows me to use the username in the layout header and propagate it to all the pages that use the layout.
You can check it with the SecurityTagLib helper of Spring Security Core.
In your application.gsp you can have:
...
<sec:ifLoggedIn>
<!-- Display user field with sec:loggedInUserInfo tag -->
Welcome Back <sec:loggedInUserInfo field="fullName"/>
<!-- Check if the user has all of the specified privileges -->
<sec:ifAllGranted roles="ROLE_ADMIN,ROLE_SUPERVISOR">
You've ROLE_ADMIN AND ROLE_SUPERVISOR privileges.
</sec:ifAllGranted>
<!-- Check if the user has at least one of the specified privileges -->
<sec:ifAnyGranted roles="ROLE_ADMIN,ROLE_SUPERVISOR">
You've ROLE_ADMIN OR ROLE_SUPERVISOR privileges.
</sec:ifAnyGranted>
</sec:ifLoggedIn>
<sec:ifNotLoggedIn>
It's public content, anonymous user.
</sec:ifNotLoggedIn>
...
You can also use: <sec:ifNotGranted roles="ROLE_USER"></sec:ifNotGranted>
If you are using the Spring Security Core plugin, you can reauthenticate the user in your controller:
springSecurityService.reauthenticate user.username

find out how request is issued

A site offers the option of changing your last name; to confirm this it sends a confirmation link to your email.
My question is, how do I figure out how the request is made (whether it's POST or GET)? I monitored with Live HTTP Headers, Tamper Data, Fiddler and Burp Suite, but all have shown there is 0 traffic. When I check my email, I have received the confirmation link.
Here is the html source code of the change lastname button:
<form>
<div class="m-lastname-updated">
<div class="m-h3">One more step</div><p>We have sent you a confirmation email. To change your last name click the sent link in your email!</p>
</div><div class="m-field m-lastname"><div class="m-h3">Last Name</div>
<span class="m-error"></span>
<input type="text" maxlength="100" class="m-input" name="lastname">
<p>Your last name is never shared</p></div><button style="display: inline-block;">Change</button>
</form>
Thanks to anyone who can help me understand how this request is made.
The url this is available on is in this example, http://example.com/profile/.
When a form is submitted, the request is done by default with method="GET" if the method is not specified as method="POST".
To see this, for example, if you use the PHP script lastname.php as the action:
<?php
echo "<pre>
\$_GET:";
print_r($_GET);
echo "</pre>";
echo "<pre>
\$_POST:";
print_r($_POST);
echo "</pre>";
?>
<form>
<div class="m-lastname-updated">
<div class="m-h3">One more step</div><p>We have sent you a confirmation email.
To change your last name click the sent link in your email!</p>
</div><div class="m-field m-lastname"><div class="m-h3">Last Name</div>
<span class="m-error"></span>
<input type="text" maxlength="100" class="m-input" name="lastname">
<p>Your last name is never shared</p></div><button style="display: inline-block;">Change</button>
</form>
You will see something like this:
$_GET:Array
(
[lastname] => mygod
)
$_POST:Array
(
)
$_GET is filled while $_POST contains no elements.

flash.message does not print message on the screen in grails 2.x

My functionality is that I have a list of users. When I click on any of the users to edit his information, a new window pops up.
I change some values and click on save. Now the values are saved correctly, but the 'saved successfully' message is not displayed.
My controller code is
if(user.save(flush:true)){
user.messages = "${message(code: 'user.saved')}"
flash.userInstance = user
render ...
}
and in gsp I print message like this
<div id="messages">
<g:if test="${userInstance?.messages}">
<div class="message">${userInstance?.messages}</div>
</g:if>
</div>
Here the call does not go inside the g:if condition, hence the message is not printed.
This was working well in Grails 1.3 but fails in 2.2. Why is that so?
This example works for me. Maybe you have some validation errors; try to debug your code.
if(user.save(flush:true)){
user.messages = "${message(code: 'user.saved')}"
flash.userInstance = user
render ...
}
and in gsp
<div id="messages">
<g:if test="${flash?.userInstance?.messages}">
<div class="message">${flash?.userInstance?.messages}</div>
</g:if>
</div>

Hide Content based on User Role?

I am currently developing a web app in Grails and I am looking for a way to hide a menu based on the current user logged into the solution.
To give you a bit of background this is what I have setup
A web app with a User Model and Roles model that are mapped
Login functionality that restricts certain controllers based on the users access.
I have menus that are displayed on each of the pages.
I know how to restrict a controller to only allow users with access to view it, but I now want to restrict a menu like the one below from being seen unless the right user is logged in. How can I do this? Does it have something to do with rendering that element from the controller?
<div class="nav">
<ul class="nav">
<li>
<g:link class="Tester" controller="Testing" action="test">
<g:message code="Tester" args="[entityName]" />
</g:link>
</li>
<li>
<g:link class="Tester2" controller="Testing" action="test2">
<g:message code="Tester2" args="[entityName]" />
</g:link>
</li>
</ul>
</div>
The spring-security-core plugin provides a taglib that may help you here:
<sec:ifAnyGranted roles="ROLE_TESTER">
<div class="nav">
...
</div>
</sec:ifAnyGranted>
Ian answered your question well, but we should add here that you should secure the server-side controller/actions as well, such as:
// At the controller level
@Secured(["hasRole('User')"])
class Testing
// action specific
@Secured(["hasAnyRole('SuperUser', 'Support', 'InternalUser')"])
def test() {
...
}
Otherwise the links are just hidden from view but could still be executed by anyone.
HTH
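As an added example (not code from any of the posts above), here is what the server-side half looks like in full for a Grails controller using the spring-security-core plugin: the class-level and action-level @Secured rules the answer sketches, plus an ownership check for the case where a role alone does not decide who may touch a record. TestRecord, its owner property, the role names and the action names are assumptions for illustration.

```groovy
package example

import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

// Added example: every rule here runs on the server before the action body,
// so hiding the menu entry in the GSP is only a usability measure on top of it.
// TestRecord (with an 'owner' user property) and the role names are assumed.
@Secured(['ROLE_TESTER'])                      // class-level: applies to all actions
class TestingController {

    def springSecurityService                  // injected by the plugin

    // Inherits the class-level rule: any authenticated user with ROLE_TESTER.
    def test() {
        [records: TestRecord.list()]
    }

    // An action-level rule replaces the class-level one for this action only.
    @Secured(['ROLE_ADMIN', 'ROLE_SUPERVISOR'])
    def test2() {
        [records: TestRecord.list()]
    }

    // Role checks answer "may this kind of user use this action"; they say
    // nothing about which records the user may touch. That second decision
    // also belongs in the controller (or a service), never in the view.
    def edit(Long id) {
        TestRecord record = TestRecord.get(id)
        if (!record) {
            render status: 404
            return
        }
        def currentUser = springSecurityService.currentUser
        boolean isOwner = record.owner?.id == currentUser?.id
        if (!isOwner && !SpringSecurityUtils.ifAnyGranted('ROLE_ADMIN')) {
            // Respond the same way the plugin does for a denied request, rather
            // than leaking the record through an error page or a partial render.
            render status: 403
            return
        }
        [record: record]
    }
}
```

The GSP from the first answer stays exactly as shown, with the menu wrapped in sec:ifAnyGranted for ROLE_TESTER; the annotations are what decide access, the tag only keeps dead links out of the page for users who could not follow them anyway.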
If you are not using the spring-security-core plugin, the following can be implemented:
<g:if test="${userHaveRightRole}">
<div class="nav">
...
</div>
</g:if>
