Redirect in Sharepoint 2010 Event Receiver - redirect

I'm looking at some code which has broken the saving of changes of a List item in SP2010. In the constructor of the Event Receiver the HttpContext is being stored as a local variable; then in the ItemUpdating, at the end, a query parameter containing the return url is retrieved and passed to SPUtility.Redirect(...). This has the effect of canceling any changes that were made in the edit form. So following some scenarios I've found online I'm storing the HttpContext as a static class object and redirecting in the ItemUpdated event, and edits are now persisted followed by a redirect to where we are expecting.
I have a concern though with storing a specific user's HttpContext as a static on a class which will potentially be hijacked if another user does the same action between the time user 1 sets the context initially and prior to the redirect. User 2 will overwrite the context and there are potential issues.
The only other option I can think of as a quick way out would be to store a static Dictionary where the key is the user id then remove the entry just prior to redirecting so as to not leave stray HttpContext instances leaking.
So looking at the accepted solution from here, the first response by servy42 states "The fact that it works for a few trivial test cases at first doesn't make it a viable solution." but doesn't suggest a viable solution.
There's another option, "best approach may be changing Save Button in ribbon such that when clicked, an ECMA script first saves your Item, then redirects to another page, or opens another page in a dialog", suggested further down, but is that the only other way to go?
I'm fairly new to SP and just trying to navigate through the wealth of wrong ways of doing things with my limited knowledge, whilst unfortunately being stuck with SP2010.
Any thoughts on how to go about this?
============
Edit: Further info as requested
So there are two sites, one, say, called A, which will have a sub site called B. A has a List and adding an item to that list triggers event receivers which create sub site B and other related stuff. If I modify the B "item" from the SharePoint list of Bs then I don't need to redirect and returning to the list is fine. If I'm looking at a neatly rendered Gantt chart on A listing the Bs, then if I edit B, after clicking Save we need to come back to A. If I'm on B there's an edit button as well, so I want to return to B after editing and clicking save.
So we have the source= appended when we go to the edit screen. From some reading I've done it seems SharePoint will pick that up and redirect. One of the fields on the edit page is the relative url beneath the A site and if that changes then the redirect url will no longer be valid and throw a 404 so we replace the old B sub path with the newly entered value. But we then need code to redirect to the new location.

I am not quite sure whether I understand your requirements correctly. But I will give it a try. Just a quick summary of what I understood (correct me if I am wrong...):
You have a Root Web in a site collection with a list
Each entry in that list corresponds to a subsite which will be created on List Item creation (ER) below the Root Web as a subsite
List items can be edited from both the List in the root web as well as from the subsite it maps to
On editing from the subsite you want to return to the subsite after saving
My approach would be this:
Follow the steps described in this article SP Dialog and List Forms
Open a dialog on the subsite that links to the edit form of the root web.
After saving the user finds himself already where he should be
Hope this helps... Cheers!
Edit: Just read the requirement about changing of url. Create a custom Edit Form which you enhance with some js that passes values back to the origin site -> Parameters in dialogs. You may then react accordingly in the javascript callback and redirect to the new url.

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue", that a user is able to manipulate the url and make the server to execute a not wanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and maybe I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out-of-the-box solution for this. That is why this warning from extension builder says that you need to take actions to prevent misuse.
Regarding how to implement better security, here are some thoughts about the Access Control and some ideas what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it cannot be modified to reach the plugin that is responsible for the delete action. How is it possible? TYPO3 will look up the page record in your database and render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature of it won't help an attacker, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple usergroups. Like: a normal user can only edit their own profile, but a premium user can make further changes. You can use in Fluid a view helper IfHasRole that can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before making the update action there is a check if the logged-in user has the same user id as the record which is going to be changed. If you have a complex example you can make a check on the user group also.
2) BE
It is actually almost the same as frontend.
BUT instead of plugins / user groups assigned in page settings, you can use different mountpoints, so BE users cannot see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However, ifAuthenticated is also for FE; in a BE context it does not make sense.
You have also the possibility to identify the id and userGroups of the BE user and you can make your own checks before you let an action run.
You have also the possibility to turn on / off a module for a certain BE group.
+1: It has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks, whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
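Both answers come down to the same check: compare the logged-in user with the owner of the record before the action touches it. As an added example (not code from the page, TYPO3 or femanager), here is an Extbase frontend controller doing exactly that; Profile, its feUser relation and ProfileRepository are assumed names, while the TYPO3 calls used are real.

```php
<?php
// Added example (not code from the page, TYPO3 or femanager): an Extbase frontend
// controller whose update action only touches a record owned by the logged-in
// fe_user. Profile, its feUser relation and ProfileRepository are assumed names.
namespace Vendor\MyExt\Controller;

use TYPO3\CMS\Core\Messaging\AbstractMessage;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use Vendor\MyExt\Domain\Model\Profile;
use Vendor\MyExt\Domain\Repository\ProfileRepository;

class ProfileController extends ActionController
{
    /** @var ProfileRepository */
    protected $profileRepository;

    public function injectProfileRepository(ProfileRepository $repository)
    {
        $this->profileRepository = $repository;
    }

    /** uid of the logged-in frontend user, 0 when nobody is logged in. */
    protected function currentFeUserUid(): int
    {
        $user = $GLOBALS['TSFE']->fe_user->user ?? null;
        return is_array($user) ? (int)$user['uid'] : 0;
    }

    /** The owner relation must not be settable from the request, otherwise
     *  a caller could pass their own uid and satisfy the check below. */
    public function initializeUpdateAction()
    {
        $this->arguments['profile']->getPropertyMappingConfiguration()
            ->skipProperties('feUser');
    }

    public function updateAction(Profile $profile)
    {
        $me = $this->currentFeUserUid();
        $owner = $profile->getFeUser();
        if ($me === 0 || $owner === null || $owner->getUid() !== $me) {
            // Same response whether the caller is anonymous or not the owner.
            $this->addFlashMessage('Access denied.', '', AbstractMessage::ERROR);
            return $this->redirect('list');
        }
        $this->profileRepository->update($profile);
        $this->addFlashMessage('Profile updated.');
        return $this->redirect('list');
    }
}
```

The same pattern applies to a delete action; in the backend, replace the fe_user lookup with the BE user's id and groups as the first answer describes.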

Can I read a value from one SharePoint web part into the the form for a list in another web part?

I'm not sure if it's possible to do what I'm hoping, but maybe I'll get lucky. It has to do with setting form fields in a SharePoint 2010 list, using InfoPath forms.
Basically, I have one list with requests from several vendors. Each vendors has their own requests page which is a Web Part Page with one web part: a list of submissions with a custom view applied that filters it only to them. This is a (clunky but functional) way to ensure each vendor only sees their own requests. To submit a new request, they click on the "Add Item" link at the bottom of the list web part. At this point, a customized InfoPath form pops up, and they add their request.
In the form, one of the fields is "Vendor". What I would like to achieve is to have the InfoPath form read something on the page which tells it which vendor's page it was called from and pre-select that vendor (I could then disable the control so they couldn't change it). I am happy to alter the calling page as needed, or to configure the InfoPath form (can you custom-configure GET or POST values or anything to define a field that way?).
Any help would be very appreciated.

Sharepoint 2010 Custom Form for document send to option

Good Day!
I have a project on Sharepoint 2010 which requires the following:
1) Under the document settings, there is a "send to" option, I need to be able to add a location to that "send to" which will access a custom form.(Thinking ASP form?) but the question will be how to add that form to the options..
2) This custom form must be able to display the file structure of another site collection's document centre(There are about 19 document libraries in that site collection) and the user will be allowed to select the location to add that document to.
I'm thinking something like reading through the site collection's document libraries and building a file structure from there.. (Will this work? worried about performance as it has to read every time the form loads)
3) After confirming the location, it will direct the user straight to the submit document form(Sharepoint 2010 OOB) of that folder.
I'm hoping there's a certain URL I can pass through that will link it straight there! or at least pass a string value that accesses the folder
Thanks guys for reading through!! : D I know its quite lengthy..
This blog post looks like it might explain how to do what you're looking for.
http://sharepoint.microsoft.com/blogs/GetThePoint/Lists/Posts/Post.aspx?ID=22
You can pass it to a "In Transfer" Document Library that has an event handler or workflow acting upon it that triggers when an item is added, allowing you to add forms and such as needed.

MVC2 page not being updated

In my page (which displays a list of information), I call a webpage that gets user information and then calls a webservice and a stored proc for a database on a page (the stored proc inputs or updates a row of data in the db). When I click submit, the page is supposed to completely reload the first page with the new updated data and display it to the user. Well, the data does submit to the db and service, but my page reloads with the old information for some reason, even though I make a call to the entire action that generated the first page. If I navigate back to the home page and then go to the page in question, the data does appear. Should I be waiting or something to call this action again?
I do in fact have
[OutputCache(CacheProfile = "ZeroCacheProfile")]
attribute peppered on my actions and in my web.config. Am I missing something? Are there any catches or places where I should be careful when doing this?
I actually recall the entire action that creates the first page.
If you're returning a view directly from the post it may be using the old data. Try redirecting to the GET action to show the results.
This seems to work right now.
Random number = new Random();
RedirectToAction("Action", "Controller", new { value1 = number.Next(0, 100)});
I will go with it for now.

MVC2 Routing and Security: How to securely pass parameters?

I'm a relative MVC noob coming from WebForms. I think I have a pretty good grasp of MVC with a couple exceptions, and I think I may have broken the pattern. I'm gonna try to keep this short, so I'm assuming that most of what I am asking is relatively obvious.
Let's say I have a news site with articles. In that case, a URL in the form of mynewssite.com/Articles/123 works just great because I don't care who views which article. The user can change the ArticleID in the URL to whatever they want and pull up that article. In my case, however, I only want the user to be able to view/edit data entities (articles, or whatever) that belong to them. To achieve this, I am using their UserID (GUID) as a foreign key in the database, and displaying a list of their data for them to choose from. Here comes the problem... when they click on the link that is created by Url.Action("Edit", New With {.id = item.id}) (I'm not using ActionLink because I need to add HTML content inside the link), the id shows up as a querystring parameter. I could add a route for it, but the id would still show up in the URL for them to tamper with. The obvious implication is that by tampering with the URL, they could view/edit any entity that they want.
What am I missing?
Is there a good way to pass the parameters without adding them on the URL? I know that I could put them in a form on the page and submit the form, but that seems cumbersome for my example, and I'm using jQuery.ajax in places that seems to conflict with this idea.
I could also check their UserID against the data in the Edit method, but that seems cumbersome, too.
Is this question too broad? Please let me know what specifics you need. Thanks.
Even in Winforms, you would have to add special logic on each request to filter only the articles that the user owns. I don't see why MVC should be any different. Sure, you can use web.config to deny access to given URLs, but not when you use a single page that takes a parameter of what data to show.
Your best bet is probably to filter this at the database level. By adding a where clause that includes the user id, then the app will return a "no records found" sort of error, and you can do whatever you want with it.
You could use forms authentication. This way when the user authenticates an encrypted cookie will be emitted which will contain his username which cannot be tampered with. Then you could verify whether the currently connected user has authorizations to edit this article.
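Both answers point at the same control: take the identity from the forms-authentication ticket and filter the query by owner, rather than trusting the id in the URL. Here is an added example of that in ASP.NET MVC 2 (not code from the question or the answers); it assumes a membership provider with GUID user keys, a DI-aware controller factory, and hypothetical Article / IArticleRepository types.

```csharp
// Added example (not code from the question or answers): an ASP.NET MVC 2 controller
// applying both answers above: the user's GUID comes from the forms-authentication
// membership user, and every lookup is filtered by id AND OwnerId, so a tampered id
// yields 404 rather than another user's record. Article/IArticleRepository are assumed names.
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class Article                    // OwnerId is the FK to the membership user
{
    public int Id { get; set; }         public Guid OwnerId { get; set; }
    public string Title { get; set; }   public string Body { get; set; }
}

public interface IArticleRepository { IQueryable<Article> Articles { get; } void Save(); }

[Authorize]   // anonymous callers are sent to the login page before any action runs
public class ArticlesController : Controller
{
    private readonly IArticleRepository _repo;
    public ArticlesController(IArticleRepository repo) { _repo = repo; }   // assumes a DI controller factory

    // "WHERE Id = @id AND OwnerId = @me": the identity comes from the encrypted
    // forms-authentication ticket, never from anything in the URL or form body.
    private Article FindOwned(int id)
    {
        Guid me = (Guid)Membership.GetUser().ProviderUserKey;
        return _repo.Articles.SingleOrDefault(a => a.Id == id && a.OwnerId == me);
    }

    public ActionResult Edit(int id)
    {
        Article article = FindOwned(id);
        if (article == null) throw new HttpException(404, "Not found");   // same reply for "missing" and "not yours"
        return View(article);
    }

    [HttpPost]
    public ActionResult Edit(int id, FormCollection form)
    {
        Article article = FindOwned(id);
        if (article == null) throw new HttpException(404, "Not found");
        // Bind only the editable fields; Id and OwnerId stay as loaded from the database.
        UpdateModel(article, new[] { "Title", "Body" }, form.ToValueProvider());
        _repo.Save();
        return RedirectToAction("Edit", new { id = article.Id });
    }
}
```

The same FindOwned lookup serves jQuery.ajax callers too, since the cookie travels with the XHR request and the id in the request is still only used together with the owner constraint.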