I was having the similar problem as mentioned in the below link, Select and Display the table in oracle APEX mail body. I followed the mentioned steps and it worked!! .
Now, I just want to extend the same question and wanted to know, Is it possible to manipulate the the database through click on the button in the mail?
If I crate the html Button APPROVE, It should be able to manipulate database table.
Suppose, APPROVE performs delete operation: delete ename from emp where dno=10.
VERSION : ORACLE APEX 4.2
If you are sending an HTML email to a user and you want that user to interact with the system from the email, you could generate an HTML form that submits to a particular URL (some APEX page with some set of parameters) that actually implements the DELETE.
Assuming that the client email application would allow the user to submit a form, which would generally be a security issue and would probably not be possible from some clients, you'd probably have security issues to worry about on the server side. I'd assume, for example, that you don't want to allow any random person that works out the URL to call to be able to delete whatever row you want from your system. You probably want to require that someone is logged in before you'd allow them to delete a row. And you probably want to make sure that they have permission to delete that particular row.
It's certainly possible that you could work around both the client and the server side permission issues by doing something like creating a unique token that expires after a short period of time and gets passed in with the form to verify that the user has permission to delete that particular row. But by the time you're building that sort of infrastructure or sending users to a login page, you're probably better off just creating links in your email that point to a page in your application and letting users go there to request the actual delete. That's going to work more reliably than a form that submits a request and it will probably involve less work for you.
Related
I've been trying for few days and couldn't really find answers about what I'm trying to do.
Take the example of a registration where a link to confirm your email is sent, and then when the link is clicked the account is confirmed.
I want to achieve this to do a kind of validation for announcement publication.
I tried taking the example of the symfony verify email feature, but in this case it's using the authenticated user when the link is clicked. In my case, the person clicking the link doesn't have an account on the website and shouldn't be authenticated.
How could the mail link, when clicked, change a booleon in the database, like 'is_confirmed' from 0 to 1 without needing a user authenticated?
Thanks
You're still going to need to authenticate, but you'll do it with a one-time token instead of a userid and password. For each message:
Generate a unique unguessable string, like a UUID v4.
Generate an expiration timestamp for however many minutes/hours/days in the future you want the token to be good for.
Save the token and the expiration timestamp in the db so it's associated somehow with the record in question. This might mean adding two columns to an existing table, or creating a new join table.
Generate an email to the recipient, including a link that has the token embedded in it, like http://example.com/approve?token=whatever or http://example.com/approve/whatever
Create the /approve page. Configure it to not require any traditional Symfony authentication. It should then:
Look up the token that was provided.
Verify that the associated timestamp isn't expired yet.
Perform whatever process you want to occur.
Wipe the token and the expiration from the db.
I want to create a rest end point but I am not sure what is right way. For example I want to expose endpoint to create account but there are multiple account type like:
Normal account with property name, description, and current balance
Credit Card account with property name, description, current balance, grace period, billing date and current outstanding. Now the confusion is, Shall I create two endpoint for each of account type? or Shall I create single end point with all the property.
Shall I create two endpoint for each of account type? or Shall I create single end point with all the property.
How would you do it on a web site?
You might have a single create-account form; you collect the information that you need from the visitor, the form is submitted to the server, and the server looks at the form details to determine what kind of account to create. Create the account, and send back a response to the browser announcing where the web page describing the account is. And that's fine.
You might do the same thing with multiple forms; through a series of links you guide the visitor to the form that best fits their circumstances, and then the remaining work is the same as above - the form is submitted, the server looks at the form details to determine the account to create, the account is created, the server sends back a response to the browser announcing where the web page describing the account is. And that's also fine.
You could do the same thing with multiple forms, but have each of the forms submit using a different target URI; you could even have each form submitted to a different host! Again, the actions taken by the host receiving the form are the same - do the work, return the result announcing where the new web page is.
Thw browser doesn't care, it's just collecting form inputs using standardized form processing rules, and then submit the result using the meta data in the form.
You'll want different code responsible for creating each of the different kinds of accounts (the "separation of concerns" idea), but it doesn't much matter if the routing of the request to that code is done purely mechanically (because you are using different URI) or "by hand".
I'm looking to make something similar to google docs where everyone can update the form (with multiple input fields) at the same time using REST api, the form data will be stored in database, is it possible?
I can have the form to send an update request whenever user make a change, but I still can't quite figure out what the logic to retrieve data/update form field content and resolve conflict when users are editing the same field.
Best way to use SignalR for realtime communication as well as pushing the updates to other users belonging to the similar group (may be call it as users of a same form). SignalR will provide all the underline infrastructure in place.
I am building an GWT application with lot's of forms. I am using gwt-platform with its dispatch module.
The next step in my mind is to prevent double-submits ON SERVER SIDE. The problem is that I don't know how to do it exactly...
I thought of something like this:
When application loads the server gives some generated token to the client
The server stores the token inside HTTPSession
When the client submits a form it will send the token from (1.) along with the form
The server checks if the sent token == token inside HTTPSession
In the answer to the client it will send a new token
Is it safe to store the token inside HTTPSession? Or should I simply create a HashMap on the server that maps from SESSION_ID to generated token?
Or maybe there is already an implementation of that in GWT or gwt-platform or somewhere else?
Thanks
The question you'll have to ask yourself first is: What is the kind of problem scenario you want to avoid?
The user accidentally (or out of frustration, ...) clicking a button twice.
A resource that is available only once (like a reservation for a certain seat in an airplane) being consumed twice.
Don't just say "I want to avoid both". Even if you do, you'll have to deal with the two problems separately.
Problem 1
This is better solved on the client side (e.g. by disabling the button once it is clicked).
It can also be solved on the server side (by checking sequence numbers or tokens or maybe the hash code of the contents, ...), but I don't really see the point. If the user really wants to submit twice (e.g. by manipulating the JavaScript such that the button doesn't get disabled), then just let them: Problem 1 is not about security.
Problem 2
This must (except in very specific situations) be solved on the server side. It's chiefly about security. But when you think about it, this problem can't be solved by double-submit prevention! Why not?
Let's look at our example: A seat in an airplane must be reserved only once. This can be violated in multiple ways:
By double-submit.
By the same user submitting at the same time e.g. from different browser windows.
By mutliple users trying to reserve at the same time.
The clean way to solve the problem is to check for availability of the seat atomically with reserving the seat. It doesn't really matter, if a violation was caused by double-submit (accidental double-submits are covered by problem 1).
... and Problem 3
If you have implemented some auto-resubmit mechanism, then you might also encounter a third kind of problem:
Let's say the user wants to add an item to his shopping cart. The client submits, and doesn't receive a response from the server before time-out. So it sends again automatically. The server however receives both messages, and tries to process them both - so it adds the item twice to the shopping cart.
The best solution to avoid this in my opinion is generally not to use actions like "add one item to the cart", but "set the target count of items to 1". Again, you could also work with sequence numbers etc.
I am building app that will serve some content to the users via my private server. At the server-side I would like to identify user, so that I don't serve same content twice to the same user. How can I identify user(s)?
One way is DeviceID, but user can have multiple devices...?
Is the only way to have my own user IDs for my application (registration). I don't like this as it adds extra complexity to the app.
I know it's a hard task, but maybe facial recognition (from the webcam) could help in logging in users, since it doesn't imply any relation between user and device.
For example, face.com offers a free web-based API for facial recognition.
Although, Ishu's answer (username/password) is the easiest and most standard way to do identify users.
Make an id for user's and also a login page in the app. save his id with in you content table for send that content for that user. if that content entry already having his id then don't send to him otherwise send to him.
I don't think there is another option. You must use user id nothing else.