Request variable in dotcms - webrequest

Please find my requirement that needs to be done in dotcms-
1) I need to create a Map object for each request.
2) Across different widgets or containers I should be able to add data to or get data from the Map object.
Can you please provide me a solution or idea to fulfill the requirement?
Thanks in advance

You can use the standard HttpServletRequest methods, even from Velocity:
$request.setAttribute("foo", "bar")
$request.getAttribute("foo") would print "bar"
$request.getParameter("foo") would get a GET or POST parameter "foo" and
#set($map = ${request.getParameterMap()}) would get the whole map.

Related

Understanding how to access objects in lua

The closest I've gotten to figuring this out came from this post, Understanding how to access values in array of tables in lua, which actually has the most useful information I've seen. However, I'm still running into a minor issue that I hope someone could help me make more sense of.
As the title states, I'm trying to access an object in lua. I've learned that dot notation doesn't work, so the alternative is to use [] brackets. I have this object here that I can't seem to access.
[1] = ▼ {
    ["CopperOre"] = ▼ {
        ["Counter"] = 0,
        ["Earned"] = 0
    }
}
This was a paste from the ROBLOX studio console, for those who are familiar with it. This object can easily be seen by calling the object name print(obj)
However, I can't seem to access anything inside of the object. obj.CopperOre returns nil, same with obj['CopperOre']
How exactly do I access the parts of the object?
You are forgetting to pass the index into the obj array to access the object stored there.
So to properly access the CopperOre table, you need to reference it like this:
print(obj[1].CopperOre)
-- or
print(obj[1]["CopperOre"])

How to access object field in qaf step from stored variable

In my previous question I was looking for a way to access and store return value of the function in qaf step. I was provided with the following:
When create new user using "{'name':'user1','password':'user123'}"
And store into 'newUser'
Then system should have user '${newUser}'
Now, I'd like to know how to get value from object/collection stored.
If it is a simple object named newUser which has field Id. How would I pass Id on next step?
And, if return is List, how to get by index from stored list?
Resolved issue on my own. If anyone faces same unknowns, here is how I solved it.
For requirements to work around response data, parsing same stored objects in properties by specific fields or collecting data from other structures such as Maps or Lists, create common functions with @QAFTestStep annotation to get data for class member name, map by key or list by index and so on... Add those in common steps and then write stepname text in gherkin format with parameters specified. Let me know if someone needs help, always ready to help out...

What is available for limiting the use of extend when using Breezejs, such users can't get access to sensitive data

Basically this comes up as one of the related posts:
Isn't it dangerous to have query information in javascript using breezejs?
It was somewhat what my first question was about, but accepting the answers there, I really would appreciate if someone had examples or tutorials on how to limit the scope of what's visible to the client.
I started out with the Knockout/Breeze template and changed it for what I am doing. Sitting with an almost finished project with one concern. Security.
I have authentication fixed and am working on authorization and trying to figure out how to make sure people can't get something that was not intended for them to see.
I got the first layer fixed on the root model so that a member can only see stuff he created or that is public. But a user may hax together a query using extend to fetch Object.Member.Identities. Meaning he gets all the identities for public objects.
Are there any tutorials out there that could help me out limiting what the user may query?
Should I wrap the returned objects with an ObjectDto, and when creating that I can verify that it does not include sensitive information?
It's nice that it's up to me how I do it, but some tutorials would be nice with some pointers.
Code
controller
public IQueryable<Project> Projects()
{
    //var q = Request.GetQueryNameValuePairs().FirstOrDefault(k=>k.Key.ToLower()=="$expand").Value;
    // if (!ClaimsAuthorization.CheckAccess("Projects", q))
    // throw new WebException("HET");// UnauthorizedAccessException("You requested something you do not have permission too");// HttpResponseException(HttpStatusCode.MethodNotAllowed);
    return _repository.Projects;
}
_repository
public DbQuery<Project> Projects
{
    get
    {
        var memberid = User.FindFirst("MemberId");
        if (memberid == null)
            return (DbQuery<Project>)(Context.Projects.Where(p=>p.IsPublic));
        var id = int.Parse(memberid.Value);
        return ((DbQuery<Project>)Context.Projects.Where(p => p.CreatedByMemberId == id || p.IsPublic));
    }
}
Look at applying the Web API's [Queryable(AllowedQueryOptions=...)] attribute to the method or doing some equivalent restrictive operation. If you do this a lot, you can subclass QueryableAttribute to suit your needs. See the Web API documentation covering these scenarios.
It's pretty easy to close down the options available on one or all of your controller's query methods.
Remember also that you have access to the request query string from inside your action method. You can check quickly for "$expand" and "$select" and throw your own exception. It's not that much more difficult to block an expand for known navigation paths (you can create white and black lists). Finally, as a last line of defense, you can filter for types, properties, and values with a Web API action filter or by customizing the JSON formatter.
The larger question of using authorization in data hiding/filtering is something we'll be talking about soon. The short of it is: "Where you're really worried, use DTOs".
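As an added example (not code from the original answer, Breeze, or Web API), here is one way to write the allow-list check on "$expand" that the answer describes. The ExpandGuard class, its RejectedPaths method and the "Tasks" path are hypothetical; "Member" and "Identities" are the navigation names from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: allow-list check for the raw value of the $expand query option.
public static class ExpandGuard
{
    // Hypothetical allow-list of navigation paths a client may expand on Project.
    // "Member.Identities" is deliberately absent, so it is always refused.
    private static readonly HashSet<string> AllowedPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Member", "Tasks" };

    // Returns the requested paths that are NOT on the allow-list.
    // An empty result means the $expand value is acceptable.
    public static IList<string> RejectedPaths(string rawExpand)
    {
        if (string.IsNullOrWhiteSpace(rawExpand))
            return new List<string>();

        return rawExpand
            .Split(',')
            // OData writes nested paths as "Member/Identities"; normalise to dots
            // so both spellings are compared against the same allow-list entry.
            .Select(p => p.Trim().Replace('/', '.'))
            .Where(p => p.Length > 0 && !AllowedPaths.Contains(p))
            .ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values of $expand, not taken from a real request.
        var samples = new[] { "Member", "Member/Identities", "Tasks, Member.Identities" };
        foreach (var raw in samples)
        {
            var rejected = ExpandGuard.RejectedPaths(raw);
            Console.WriteLine("{0} -> {1}", raw,
                rejected.Count == 0 ? "allowed" : "blocked: " + string.Join(", ", rejected));
        }
    }
}
```

In the action method, pass every "$expand" value returned by Request.GetQueryNameValuePairs() (a client can send the parameter more than once) and refuse the request when the returned list is not empty.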

Using what to create cookies

Wherever I look this is the correct way to add a Cookie:
HttpCookie Session = new HttpCookie("Session");
Session.Value = someguid;
Session.Expires = somedatetime;
Response.Cookies.Add(Session);
And wherever there is no explanation as to how to get Response into the current context. So I get this error:
The name 'Response' does not exist in the current context
What do I need to do to get the above code to work?
You may want to use System.Web.HttpContext.Current.Response if you are sure that this code will be executed inside a web application.
But I have life-proven practice (and Law of Demeter says the same) to pass Response as a parameter to a method where I want to use it.

need session variables in valueUnbound?

I am using valueUnbound method of HttpSessionBindingListener to release lock (an entry from the database), before session is about to expire:
@Override
public void valueUnbound(HttpSessionBindingEvent event) {
    String user = (String) event.getSession().getAttribute("currentUsr");
    removeLock(user);
}
When the lock is set, I am setting up the username as a session variable.
I need this "username" in my remove lock method. But the getAttribute is throwing an exception:
java.lang.IllegalStateException: getAttribute: Session already invalidated
I need help in getting the session variable?? or is there any other way to get the username?
No, since session has been invalidated.
Although, I figured out the solution, I am setting the attribute via servlet context in valueBound method and getting it through the : event.getSession().getServletContext().getAttribute("cUser");
it works fine. Thank You EJP
I got your point EJP, you are right , I am making it complex, I can get it from event.getValue() . +1 to your answer, Thank You.
Although, I figured out the solution, I am setting the attribute via servlet context in valueBound method and getting it through the : event.getSession().getServletContext().getAttribute("cUser");
So.. You are storing session scoped data in the application scope. Do you realize that this way the data is shared among all visitors of the webapp? Visitor X would then see the attribute set by visitor Y which has visited the website at a later moment. It makes the problem only worse.
Anyway, as to the concrete problem, as the exception message is trying to tell you, the session has already been invalidated at that point. There are two ways to solve this:
1) Make currentUsr a property of the class which is implementing HttpSessionBindingListener, so that you don't need to grab it as a distinct session attribute.
2) Use a HttpSessionListener instead. The sessionDestroyed() method is called right before invalidation, so you should still have access to all attributes.
