Newbie question, go easy on me :)
I've been struggling with reconciling the concept of designing entities of my system according to the RESTful model with actually organizing the flow of my site in such a way that it's logical and makes sense to both me and the customer. Let me give you an example:
Let's hypothetically say I'm implementing a site for sharing movies in real life. You've got a model for movies, and you've got a model for users (with some auth / authz thrown in). I imagine it would be pretty straightforward to treat the movies as a REST resource and let users browse through them, and then you could have a series of relationships (join table(s)) that would represent ownership, borrowing, and lending. So far so good.
Now, any site out there will have a concept of a user dashboard where you can see the current full state of the user and information related to him. Is the dashboard somehow a REST resource as well? I'd imagine it can't be because it really is very specific to each individual user. Where do I place it then? Do I just create a controller called UserDashboard and perhaps route the root (mysite.com/userdashboard) to a default action from the UserDashboard controller which can, for example, given the user id, display all of that user's relationships in the system?
Is that the Rails way? Am I somehow breaking the RESTful paradigm that way?
Thank you!
You can go two ways with this:
You can create an entity that represents the dashboard of your user and store separate data in that entity, or you can create an action on the controller that represents the dashboard. Both would meet the REST standard as you'd uniquely identify a Dashboard by going to either /Dashboards(db_id) or by going to /users/4/Dashboard, either URI identifying a unique entity.
I am hoping to create some secure areas of my MVC application. I understand how users can register, log in, etc. with the out-of-the-box views, controllers, etc.
One thing that seems to be lost on me is a way to manage these users after they register. Some things I would like to be able to do:
Assign roles to users
C-R-U-D users
C-R-U-D roles
Is this all functionality I have to build myself or am I just missing something here? Everything I have found lends itself to writing code to do all these things, but it seems as though these are standard enough that they should exist.
It's very simple. If you take a look at your auto-generated DB for users, you will see that it already contains tables for roles etc., so everything was already prepared for generic use; you just need to define the basics and use it.
You can first try to play with it a bit by adding values manually to the DB tables, just to get the feel of how it works.
1. Define a role.
2. Assign users to that role.
3. Now, depending on your use, whether you'd like to allow/block access to actions or entire controllers, just set this, for example, above an action or class: [Authorize(Roles = "Admin")]
In addition to (3), you can also make decisions on the server side (C# and cshtml) according to the user's roles, by using:
// ApplicationUser and ApplicationDbContext are the types the MVC 5 template generates
var userStore = new UserStore<ApplicationUser>(new ApplicationDbContext());
var userManager = new UserManager<ApplicationUser>(userStore);
if (userManager.IsInRole(user.Id, "Admin")) { ... }
Read more in this link; it goes over the CRUD actions: define and use.
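Steps 1 and 2 above, written against the Identity tables the template already created, as an added example (not code from the answer). ApplicationDbContext and ApplicationUser are the default MVC 5 template types; RoleAdmin is a name assumed here.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Role administration on AspNetRoles / AspNetUserRoles through the Identity managers.
// Once a role exists and is assigned, step 3 ([Authorize(Roles = "Admin")]) gates actions.
public class RoleAdmin : IDisposable
{
    private readonly ApplicationDbContext db = new ApplicationDbContext();
    private readonly RoleManager<IdentityRole> roles;
    private readonly UserManager<ApplicationUser> users;

    public RoleAdmin()
    {
        roles = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
        users = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
    }

    // Step 1: define a role. Idempotent, so it can safely run at application start.
    public void EnsureRole(string roleName)
    {
        if (!roles.RoleExists(roleName))
            Check(roles.Create(new IdentityRole(roleName)));
    }

    // Step 2: assign (or revoke) a role. Role membership is copied into the auth cookie at
    // sign-in, so changing the security stamp afterwards makes the template's
    // SecurityStampValidator reject the old cookie instead of letting stale roles linger.
    public void SetRole(string userName, string roleName, bool grant)
    {
        var user = users.FindByName(userName);
        if (user == null) throw new InvalidOperationException("unknown user: " + userName);
        bool has = users.IsInRole(user.Id, roleName);
        if (grant && !has) Check(users.AddToRole(user.Id, roleName));
        else if (!grant && has) Check(users.RemoveFromRole(user.Id, roleName));
        else return;                                   // nothing changed
        Check(users.UpdateSecurityStamp(user.Id));
    }

    // Identity reports failures through IdentityResult rather than exceptions; surface them.
    private static void Check(IdentityResult result)
    {
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors));
    }

    public void Dispose() { users.Dispose(); roles.Dispose(); db.Dispose(); }
}
```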
I’m currently building an ASP.NET MVC 5 EF6 blogging web application.
I have two databases and contexts:
- a database for the actual data of my application (blog posts, blog categories, tags, etc.).
- a database for authentication and membership purposes (users and roles).
I am able to authorize a given user the right to add/edit/delete blog posts, using the Authorize attribute in the BlogPostController:
[Authorize(Roles="Administrator,Author")]
and it works pretty well.
MY GOAL: let's imagine I want to grant a user the right to add/edit/delete a subset of all the blog posts or blog categories (let's say only the "Cooking" and "travel" blog categories).
I started to think about creating a navigation property between the user and the blog category entities, but apparently foreign keys between two separate databases are not supported by the entity framework.
Do you guys have an idea of a workaround for this problem?
Your help will be much appreciated.
This is what you need.
http://typecastexception.com/post/2014/02/19/ASPNET-MVC-5-Identity-Implementing-Group-Based-Permissions-Management-Part-I.aspx
Basically, the privileges are what you will need to configure and associate with user roles.
If you want to keep your authorization data separate from your business data, i.e. in 2 separate databases where one contains user information and permissions and the other contains your blog data, then what you actually want to achieve is externalized authorization. That's actually a great intent. After all, do you keep authentication information with your application data? Of course you don't.
Different frameworks give you externalized authorization capabilities. For instance, in .NET, you have claims-based authorization.
You can also take a generic approach and use XACML, the eXtensible Access Control Markup Language. XACML uses attributes (it's an attribute-based access control model as opposed to simply role-based) and combines them into policies & rules to define what can happen. For instance, with XACML, you can write the following rule: A user can edit blog posts he/she owns.
In XACML, you have the notion of an authorization engine called the Policy Decision Point (PDP). That PDP links together all the information it needs to make decisions. In your case, it will use the 2 separate databases and create the relationships on them.
Now, if your use case is simple, using XACML might prove too much. In that case, just use claims-based authorization.
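The claims-based route from the answer above, applied to the asker's "Cooking"/"travel" case, as an added example (not code from the answer or the asker's project). It assumes ASP.NET MVC 5 with Identity 2.x, the template's ApplicationUser, and a hypothetical EF6 BlogContext with BlogPosts whose Category has a Name; the claim type is constructed here.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Principal;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public static class BlogClaims
{
    public const string EditCategory = "urn:blog:edit-category"; // constructed claim type; value = category name
    // Grant step (run by an administrator). The claim lives in the membership database
    // (AspNetUserClaims) and is copied into the auth cookie at sign-in by the template's
    // GenerateUserIdentityAsync, so the blog database needs no foreign key to users.
    public static void GrantCategoryEdit(UserManager<ApplicationUser> userManager, string userId, string category)
    {
        var result = userManager.AddClaim(userId, new Claim(EditCategory, category));
        if (!result.Succeeded) throw new InvalidOperationException(string.Join("; ", result.Errors));
    }

    // Check step. Compare against the category of the post loaded from the blog database,
    // never against a category the client supplied in the URL or form; otherwise a user
    // with "Cooking" rights could edit a "travel" post just by editing the request.
    public static bool CanEditCategory(this IPrincipal principal, string category)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || string.IsNullOrEmpty(category)) return false;
        return identity.FindAll(EditCategory)
                       .Any(c => string.Equals(c.Value, category, StringComparison.OrdinalIgnoreCase));
    }
}

public class BlogPostController : Controller
{
    private readonly BlogContext db = new BlogContext(); // hypothetical EF6 context for the blog database
    [Authorize(Roles = "Administrator,Author")]        // role gate: may edit posts at all
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string title, string body)
    {
        var post = db.BlogPosts.Find(id);
        if (post == null) return HttpNotFound();
        if (!User.CanEditCategory(post.Category.Name))  // claim gate: may edit this category
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        post.Title = title;
        post.Body = body;
        db.SaveChanges();
        return RedirectToAction("Details", new { id });
    }
}
```

Because the claims ride in the cookie, a revoked grant only takes effect once the user's cookie is refreshed or they sign in again.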
Can anybody tell me the difference between controllers and actions in Ruby on Rails?
I fetched this definition from the official rails guide:
A controller's purpose is to receive specific requests for the application. Routing decides which controller receives which requests. Often, there is more than one route to each controller, and different routes can be served by different actions. Each action's purpose is to collect information to provide it to a view.
I am confused.
Please, make it as simple as possible since I am newbie!
Thanks!
Controllers are just Ruby class files which have a series of instance methods inside.
Basic Explanation
Rails controllers are basically files where actions (methods) are kept.
Each time you access a Rails app, you're sending a request to the system. The various technologies inside Rails route that request to a certain action, where your code can use the passed data to perform some sort of action (hence the name). The actions are kept inside controllers to give the application structure.
So if you access http://yourapp.com/users/new, it tells Rails to load the new method in the users controller. You can have as many actions in the controllers as you want, but you have to tell the Rails routes system they are there, otherwise they won't be accessible.
Proper Explanation
Rails controllers are just Ruby classes, storing a series of actions.
The "actions" (instance methods) work on passed data (params) to create objects that can either be passed to the model, or used inside other methods.
Whenever you send a request to Rails (access a URL), it first uses the ActionDispatch middleware to send your request to the correct class (controller) instance method (action), and then your code does something with that data.
Your job as a dev is to connect the right controllers with the right models, presenting the right data to the user at the right time.
DISCLAIMER: I don't write code in Rails (never did). I write Sinatra modular applications and use the MVC model.
You first need to clarify the MVC model. MVC is an approach to programming web applications (in RoR) or user interfaces in general. MVC stands for Model-View-Controller. I will try to explain a bit, but in order to understand this, you need to practice and play with it.
The Model: If you remove the layers of abstraction, it's your database schema; the way your application interconnects in order to retrieve information.
The View: The way this information is retrieved, elaborated and served. Essentially it is what you, or the client, see in the browser.
The Controller: The controller is what interacts with the program to produce a requested view or to alter a model. You request a view when you access a chart with statistical information, and you alter the model when you input DATA into it. In the Rails ecosystem, ActionController is a class with a set of predefined methods to help you perform standard controller actions, like updating a form, more easily and quickly.
So the Action Controller allows you to alter data in your models (the db), or request a route to view your data, etc.
Action is not separated from controllers, it's basically what controllers do :-). Everything else is static.
If you feel that these concepts are still hard to grasp, try building a very basic modular application in Sinatra, and you will have a ground level view of how things work.
Explanation by Analogy (simple explanation without getting too technical)
I work in a busy office. I bark out orders (i.e. 'requests') to my staff to get em to do stuff.
e.g.
Sometimes I want a document so I can read it.
“Ngozi, pass me the ABC.ASX EOFY results please?”
Yes sir!
Sometimes I ask my staff to edit an existing document:
“Sunita, can you edit that report on the state of the union address?”
“Sure!” is the response.
I organise my staff based on the type of work they do.
But I have a little problem... I have 10,000s of different types of documents. Sometimes I want to get: (i) sports results, and other times I want: (ii) the evening news, while still at other times I want: (iii) a collection of Donald Trump's latest 4 am Tweets.
So I created a new system. I have a staff member directly responsible for each type of thing.
Ngozi handles ASX (Australian Stock Exchange) Financial Results. And when I want Ngozi to do something (i.e. perform some type of action) then I tell him what to do.
Sunita works mainly on politics. Sometimes I'll ask her to do something (e.g. write up a report – this is one type of 'action'), or I'll ask her to bring me a certain document – another type of action – and she'll do it. I like to get Sunita to work on politics and Ngozi to work on financial results. It's best to keep their responsibilities separated.
And Freddie works on anything pertaining to Queen.
Etc. etc.
The meaning of the analogy?
In this case, the controller would be the person – who's responsible for handling certain types of requests. And the “action” would be the particular specific thing that I want done:
e.g.
getting a document or
edit something or even
creating a new document.
Hope that clears things up.
I'm creating a new ASP.NET MVC application. So far I've used the Account controller for actions related to a user's account -- Login/Logout, Activation (like Register, but I use Register for other actions in the site so I've renamed it), Add/Update Contact information. Up to now, though, I've been concentrating on the administrative user views.
I'm at the point where I'm going to start creating the various views that non-administrative users will see. These are rather limited compared to the administrative interface. My inclination is to create a new set of views and associated controller in the User "family" instead of using the Account views/controller. Is this a good idea or should I stick with the Account controller? My feeling is that since this is for ordinary users it should be a separate controller since Account would apply to both ordinary and administrative users.
EDIT: After reading the first couple of responses, my refactored question is:
Do you consider the Account controller to be for administrative actions related to the user's account or for all actions on the user's account? Would you distinguish between membership/role-related views/data and application-related views/data to the extent of creating a new controller?
Related, but doesn't directly answer my question: ASP.NET MVC Account Controller usage guidelines?
I don't think there's a right or wrong answer here, so I'll give you my opinion.
Technically, either solution (extending the Account controller or creating a new controller) will work just fine.
So I think this is more a question of how the users perceive the functionality. I think it's a good idea to follow the convention that the URI dictates the controller (or vice versa, if you prefer).
If, for example, you'd like to have the "administrative" actions on a separate path, then that should be a separate controller. You might want to do this, for example, if you use an IIS module for authentication or if it makes your log analysis easier.
On the other hand, it might be the case that the users perceive account functions and administrative functions as part of the same family of actions, except that some users have additional features. If so, then that suggests that should be on the same path in the URI and, hence, part of the same controller.
Summing up, I think this is a question you should ask your user representative instead of folks on this site. :)
Update: Regarding your updated question, I would say that it is fairly natural to put an action for changing a user's password on the Account controller, and that action could be invoked by the user herself, not just an administrator. So I wouldn't presume that the Account controller is strictly for administrative tasks. On the other hand, your example of the fund-raising performance is well outside of the scope of membership-related things, so it is not clear that it belongs on Account, either. I'm still leaning towards, "ask your user representative."
In ASP.NET MVC you will usually create controllers based on data types rather than access types. For example:
Instead of two, /Controllers/UsersControl.cs and /Controllers/Admin/UsersControls.cs, it is easier to use one common controller for both admins and regular users, /Controllers/UsersController.cs (by setting different [Authorize] attributes and views).
I would keep the existing AccountController.cs for encapsulating account-related functionality, and just add a new UsersController.cs for the rest of the user-related functionality (which could have methods like OnlineUsers etc.).
I'm new to ASP.NET MVC and all tutorials, samples, and the like I seem to find are very basic.
Is it possible (and if yes, a good design) to have routes like so:
.../Organization/10/User/5/Edit
.../Organization/10/User/List
In other words; can the urls mirror your domain model?
Possible, yes, with a route something like:
"~/Organization/{orgId}/{Controller}/{id}/{action}"
Whether it is a good design or not I couldn't say for sure, only that it seems rather complicated to me.
If you have multiple User tables, one for each company, it might make some sense.
Unless there is absolute necessity, keep routes decoupled from object model relations. Otherwise you will have to rewrite routes on every change in model.
"If you have multiple User tables, one for each company, it might make some sense."
Why only then?
"~/Organization/10/User/5/Edit"
... gives me the organization context at all times.
I didn't say so in my first question, but I've written an action filter that authorizes according to the rule that the logged-on user must belong to the organization of the current action (hence not being able to see/edit/whatever user(s) of another organization).
I'm not saying that it's the best solution, but if not implementing this cross-cutting concern (aspect) as an action filter knowing the org id (via the action params), how would you solve the authorization issue elegantly?
As I initially stated, I'm new to the world of MVC and very excited about the answers.
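The organization-membership filter the asker describes, for the ~/Organization/{orgId}/{Controller}/{id}/{action} route from the answer, as an added example (not the asker's own filter). It assumes ASP.NET MVC 5 with Identity, a hypothetical EF6 AppContext, and an AppUsers set whose rows carry Id, OrganizationId and the Identity user id as IdentityId.

```csharp
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Refuses the request before the action runs unless the signed-in user belongs to the
// organization named in the URL. Deriving from AuthorizeAttribute (not ActionFilterAttribute)
// runs the check in the authorization phase, ahead of model binding and other action filters,
// and lets it compose with a plain [Authorize] on the same controller.
public class OrganizationMemberAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;            // must be authenticated
        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        int orgId;
        if (!int.TryParse(routeValues["orgId"] as string, out orgId)) return false;
        var userId = httpContext.User.Identity.GetUserId();
        using (var db = new AppContext())                              // hypothetical EF6 context
            return db.AppUsers.Any(u => u.IdentityId == userId && u.OrganizationId == orgId);
    }

    // Signed in but not a member: answer 403 rather than the default 401, which would bounce
    // an already authenticated user back to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

[OrganizationMember]
public class UserController : Controller
{
    private readonly AppContext db = new AppContext();
    // The filter proves the caller belongs to organization {orgId}; the query must still prove
    // that user {id} belongs to it too, or /Organization/10/User/5/Edit would hand a member of
    // organization 10 a user record that actually belongs to organization 11.
    public ActionResult Edit(int orgId, int id)
    {
        var user = db.AppUsers.SingleOrDefault(u => u.Id == id && u.OrganizationId == orgId);
        if (user == null) return HttpNotFound();
        return View(user);
    }
}
```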