I'm very new to MVC 3. My client needs an admin page where she can edit basic email templates like "Dear %FirstName%, Your order has been placed" which I will create. When an order comes in, it will automatically then send an email to the person, using her template.
What I'd like to be able to do, is automatically match up the fields in the template (like %FirstName%) with the model fields of the order, i.e. Model.Order.FirstName when sending the mail. I could obviously use a helper class to manually go and regex things, but I'm looking for a Razor-esque method for this.
I've looked (briefly) at MvcMailer and RazorEngine for this, but can't quite work it out, as those tools seem to rely on a .cshtml file.
Does anyone know how to achieve what I'm trying to do? Any suggestions are appreciated!
You should consider looking at Fluent Email, which now supports razor syntax.
http://lukencode.com/2011/04/30/fluent-email-now-supporting-razor-syntax-for-templates/
I have Umbraco 7.5 and I need to know how to create normal MVC pages for adding new data to my site.
Let's say I have a Doctype "Node" in back-office. I want to let some people be able to add/edit some nodes without going through back-office. How can I do it?
I've tried to add my view and controller (the MVC way), but apparently Umbraco hijacks all routing and my controller won't hit at all.
I've googled the matter (which is hard since I am not looking for Umbraco forms :| ) and I've found this. But I prefer not to add my form as a part of another page. I mean, does it make sense to create a page in back office of type "something" and then on its template do my add/edit form of another type? Seems strange, right?
I appreciate any ideas/ solution to this matter
You have a couple of options here. You can create a physical page for the editor to sit on, and add the editor as a SurfaceController action (basically an MVC Partial with Postback, that is still part of the Umbraco pipeline). Your form can then use the Content Service API to update the details. The advantage of this method is your code will have access to all of the Umbraco methods and templating out of the box. You could also use WebAPI controllers for the form if you want to do it all client side with JS requests.
You could also use route hijacking: https://our.umbraco.org/documentation/reference/routing/custom-controllers this allows you to have your own custom controllers for Umbraco routes, rather than using the default Umbraco ones. This is a bit more work to set up.
Finally, you can also tell Umbraco to ignore certain paths entirely, and you could run your controllers on those paths. The disadvantage here is that as the routes are being ignored by Umbraco, you don't automatically have access to all the useful Umbraco templating etc.
I've used the first method recently, and it works fine. The only caveat is that allowing users to edit nodes will fill up the version table quite quickly if a lot of users are editing a lot of nodes (every time a node is saved, a version is created). If you're going down this route, you may want to investigate something like Unversion: https://our.umbraco.org/projects/website-utilities/unversion/ which helps to keep old versions more manageable in situations like this.
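For the first option above (a SurfaceController action posting back into the Umbraco pipeline and writing through the Content Service), here is an added example of what the action should verify before it touches the node. It is not code from the answer or from Umbraco's documentation. The document type alias "node", the "bodyText" text property and the "ownerMemberId" integer property are assumptions for illustration, and the Umbraco 7 calls (SurfaceController, MemberAuthorize, ContentService.GetById / SaveAndPublishWithStatus, MembershipHelper.GetCurrentMember, IContent.GetValue / SetValue) are used as I know them; check them against the version you run.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Umbraco.Core.Models;
using Umbraco.Web.Mvc;

// Added example, not from the original answer.
// Assumed (hypothetical) document type "node" with a text property "bodyText"
// and an integer property "ownerMemberId" set by the site when the node is created.
public class NodeEditViewModel
{
    public int NodeId { get; set; }

    [Required]
    [StringLength(4000)]
    public string BodyText { get; set; }
}

// MemberAuthorize: only a logged-in front-end member reaches these actions.
[MemberAuthorize]
public class NodeEditSurfaceController : SurfaceController
{
    private const string EditableDocTypeAlias = "node";      // assumption
    private const string OwnerPropertyAlias = "ownerMemberId"; // assumption
    private const string BodyPropertyAlias = "bodyText";       // assumption

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(NodeEditViewModel model)
    {
        if (!ModelState.IsValid)
            return CurrentUmbracoPage(); // redisplay the page with the validation errors

        // The posted NodeId is attacker-controlled: resolve it and check that the
        // node exists, is of the one editable type, and belongs to this member.
        IContent content = Services.ContentService.GetById(model.NodeId);
        var member = Members.GetCurrentMember();

        if (content == null
            || member == null
            || content.ContentType.Alias != EditableDocTypeAlias
            || content.GetValue<int>(OwnerPropertyAlias) != member.Id)
        {
            // Do not reveal whether the id exists; same response either way.
            return new HttpStatusCodeResult(403);
        }

        // Write only the single property the form is allowed to change. Every
        // other property on the node keeps its back-office value.
        content.SetValue(BodyPropertyAlias, model.BodyText);
        Services.ContentService.SaveAndPublishWithStatus(content);

        TempData["Saved"] = true;
        return RedirectToCurrentUmbracoPage();
    }
}
```

In the Razor template of the page that hosts the editor, the form is rendered with `Html.BeginUmbracoForm<NodeEditSurfaceController>("Save")` and must include `@Html.AntiForgeryToken()` so the `[ValidateAntiForgeryToken]` check above passes. The ownership check is the part that matters once editing leaves the back office: without it any member can edit any node whose id they can guess.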
I am facing an issue using Umbraco 7.0. My requirement is that I need to create a contact us form page and from that page an email will be sent to admin. I thought of creating a .Net User Control for achieving this functionality.
However, on the Contact Us page there is a field like "Functional Area" that the client wants as a drop down, and he wants the option to define the drop down list via Umbraco.
Could anyone please guide me how to achieve the same.
Rather than using the old User Control method, you would be better off writing one using Razor which can use a Model populated with content. There is a nice example here of something very similar that you can extend
http://www.diplo.co.uk/blog/2012/5/24/creating-an-umbraco-form-using-pure-razor.aspx
We have a grails-groovy(right now version 1.3.7) based application with Oracle 11g database.
We have to make it OWASP compliant so we are thinking of all possible security enhancements/plugins.
The main issue is here:
We have a create email template feature in our application where a user can create a new email template and save it. The user has to write code manually in this template page to create the template. (The implementation is done, we need to secure it!)
The code consists of
1) groovy code
2) grails tags
3) SQL select queries (we can restrict the user to readonly so that no Insert and Delete etc are available)
4) HTML tags
The template is used by the application where it compiles, executes and applies the template to emails before sending them out.
I know about markup-sanitizer plugin and the HDIV api and thinking about them, but how Can I secure this feature more?
I guess this is a feature where you have to trust your users. From my point of view, you can't sanitize this kind of markup - there are too many ways how to inject malicious code. (See book "Writing Secure Code")
When it comes to OWASP, you always have to analyze the threat: how likely is an attack and how much harm can be done. If only admins (which you trust) have access to this template engine, then I guess the risk is low.
Otherwise you have to create a template generator instead of a free-form templates. But even this sounds from your description to be a big effort since you would need an SQL query builder and some kind of template builder.
So I guess you should try to redefine the requirement in such a way that a secure implementation is possible.
I'm an asp.net mvc 3 newbie. I'm developing a site that allows users to customize their layout and uses the razor template engine. They could directly edit the template file.
How do I restrict users to only using some explicit helpers in a template? I don't want users to access other dangerous server functions, only what I added.
Thanks
There are two cases:
You trust your users: in this case you shouldn't be worried as they won't break your site
You don't trust your users (most probable): in this case giving them the possibility to directly modify the templates seems a risky affair. You will need a pretty solid sanitizing tool that will filter all other helpers that you don't want. It's just too broad. Giving them the possibility to write markup would be OK with for example some WYSIWYG editor like WMD but giving them access to server code is asking for trouble.
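The three template questions on this page (matching `%FirstName%` to `Model.Order.FirstName` for the e-mail template, the Grails templates containing Groovy and SQL, and restricting Razor template authors to a few helpers) share one answer, which the last two replies give in prose: do not let untrusted authors write executable template code at all, because no sanitizer reliably separates "allowed" server code from dangerous code. Give them a placeholder-only template instead. The following is an added example of such a renderer, not code from any of the answers, from Fluent Email, MvcMailer or RazorEngine. The `Order` model, the field names and the allowlist are assumptions chosen for illustration. Each `%Name%` token must be in a developer-maintained allowlist, is resolved by reflection against the model, and is HTML-encoded before it lands in the e-mail body; an unknown or disallowed token fails closed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Reflection;
using System.Text.RegularExpressions;

// Hypothetical order model for the example (assumption, not from the page).
public class Order
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string OrderNumber { get; set; }
    public decimal Total { get; set; }
    // Present on the model but deliberately left out of the allowlist below,
    // so a template author cannot pull it into an e-mail body.
    public string CustomerEmail { get; set; }
}

public static class PlaceholderTemplate
{
    // Only %Identifier% tokens are interpreted; everything else is literal text.
    // There is no way to express a method call, an expression or a query.
    private static readonly Regex Token =
        new Regex(@"%([A-Za-z][A-Za-z0-9_]*)%", RegexOptions.Compiled);

    public static string Render<TModel>(string template, TModel model, ISet<string> allowedFields)
    {
        if (template == null) throw new ArgumentNullException("template");
        if (model == null) throw new ArgumentNullException("model");
        if (allowedFields == null) throw new ArgumentNullException("allowedFields");

        return Token.Replace(template, match =>
        {
            string field = match.Groups[1].Value;

            // Fail closed: a token outside the allowlist aborts rendering rather
            // than being echoed back or silently dropped.
            if (!allowedFields.Contains(field))
                throw new InvalidOperationException("Template uses a field that is not allowed: " + field);

            PropertyInfo prop = typeof(TModel).GetProperty(field, BindingFlags.Public | BindingFlags.Instance);
            if (prop == null)
                throw new InvalidOperationException("Model has no property named " + field);

            object value = prop.GetValue(model, null);
            string text = value == null ? string.Empty : Convert.ToString(value);

            // Field values originate from customers (the name typed at checkout),
            // so encode them before they are inserted into an HTML e-mail.
            return WebUtility.HtmlEncode(text);
        });
    }
}

public static class Program
{
    public static void Main()
    {
        // The allowlist is maintained by the developer, never by the template author.
        var allowed = new HashSet<string>(StringComparer.Ordinal)
            { "FirstName", "LastName", "OrderNumber", "Total" };

        // Constructed sample input: a customer name that contains markup.
        var order = new Order
        {
            FirstName = "<b>Ann</b>",
            LastName = "Lee",
            OrderNumber = "A-1001",
            Total = 42.50m,
            CustomerEmail = "ann@example.com"
        };

        string body = PlaceholderTemplate.Render(
            "Dear %FirstName%, your order %OrderNumber% has been placed.", order, allowed);
        Console.WriteLine(body);

        try
        {
            PlaceholderTemplate.Render("Contact: %CustomerEmail%", order, allowed);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The same shape transfers to the Grails case: the template author gets named fields that the application resolves (including any read-only database lookups the application itself performs), not Groovy, GSP tags or SQL. If a feature genuinely needs conditionals or loops, add them as a small fixed grammar to this tokenizer rather than handing out a real code execution engine.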
What's the best way to validate password and confirm password fields in a strongly-typed view?
Password Field Code:
<label for="BaseUser.PasswordHash">Password</label>
<%= Html.Password("BaseUser.PasswordHash", Model.BaseUser.PasswordHash)%>
<%= Html.ValidationMessage("BaseUser.PasswordHash", "*")%>
I don't know how to deal with confirm password field in mvc's way. Or just use javascript to validate?
This kind of UI validation rule might be done in the controller (contrary to my original answer). Download the Nerddinner.com source code, look at the AccountController.Register method where the ValidateRegistration method is called to see a specific example.
There's a complete walk through of the nerddinner.com site available as a FREE PDF download at http://tinyurl.com/aspnetmvc
but it doesn't go into the detail for your specific question in the walk through so just check out the source code as indicated above.
If you want to progressively enhance the user experience then you could layer the jquery validation plugin in the view to also validate client side.
Remember the danger with only performing the validation on the client via javascript is that all someone has to do is turn off javascript to avoid your business rules and bypass one layer of your "defense in depth" at stopping security attacks such as XSS and Sql Injection.
I think javascript is the way to go. If you want your validation routine on the server (what is it, anyways? standard mvc?) as well, then fine.
But why force a roundtrip for something as easy as "your passwords don't match". And if somebody wants to "hack" (e.g. turn off javascript) so that they can submit two passwords that don't match, then fine.
To do it on the server, you'd have two separate fields and if they don't match then you throw the error.
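A server-side version of the check both answers describe (two fields, reject the request if they differ), as an added example that is not code from the answers or from the NerdDinner source. It assumes ASP.NET MVC 3 on .NET 4, where `System.Web.Mvc.CompareAttribute` and DataAnnotations are available, and a hypothetical `AccountController.Register` action. Two points the original view does not cover are built in: the registration form binds to its own view model rather than into `BaseUser.PasswordHash`, so the raw password never lands in a field meant for a hash, and the value is run through PBKDF2 (`Rfc2898DeriveBytes`) with a random salt before anything is stored.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Security.Cryptography;
using System.Web.Mvc;

// Added example, not from the original answers. Assumes ASP.NET MVC 3 / .NET 4.
// The view model holds the plaintext password only for the life of the request;
// it is separate from the persisted user entity.
public class RegisterViewModel
{
    [Required]
    [StringLength(128, MinimumLength = 8)]
    [DataType(DataType.Password)]
    public string Password { get; set; }

    [Required]
    [DataType(DataType.Password)]
    // Namespace-qualified to avoid ambiguity with the .NET 4.5 DataAnnotations CompareAttribute.
    [System.Web.Mvc.Compare("Password", ErrorMessage = "The password and confirmation do not match.")]
    public string ConfirmPassword { get; set; }
}

public static class PasswordHashing
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 10000; // assumption; tune upward for your hardware

    // Derives a salted PBKDF2-HMAC-SHA1 hash; store salt and hash, never the password.
    public static void Hash(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
    }
}

public class AccountController : Controller // hypothetical controller for the example
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel model)
    {
        // Model binding has already run the attribute rules, including the
        // Password/ConfirmPassword comparison, whether or not the browser ran
        // any client-side script. A client with JavaScript disabled is refused here.
        if (!ModelState.IsValid)
            return View(model); // redisplay the form with the validation messages

        byte[] salt, hash;
        PasswordHashing.Hash(model.Password, out salt, out hash);
        // ... persist the new user with salt and hash (omitted) ...

        return RedirectToAction("Index", "Home");
    }
}
```

On MVC 1 or 2, where `CompareAttribute` does not exist, the same rule is one line in the action before the `ModelState.IsValid` check: `if (model.Password != model.ConfirmPassword) ModelState.AddModelError("ConfirmPassword", "The password and confirmation do not match.");`. Client-side validation with the jQuery validation plugin can be layered on top of either for the round-trip saving the second answer wants, but as the first answer notes, it is the server check that actually enforces the rule.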