Scala Lift - Robust method to protect files from hotlinking - scala

I'm attempting to implement a way to stop hotlinking and/or un-authorised access to resources within my app.
The method I'm trying to add is something I've used before in PHP apps. Basically a session is set when the page is first called. The images are added to the page via the image tag with the session value as a parameter:
<img src="/files/image/image1.jpg?session=12345" />
When the image is requested the script checks to see if the session is set and matches the provided value. If the condition is not met the serving page returns null. Right at the end to the code I unset the session so further requests from outside the scope of the page will return null.
What would be the best implementation of this method within the lift framework?
Thanks in advance for any help, much appreciated :)

You could use a SessionVar for this purpose. In the SessionVar you’d store a Map[SessionImageId, RealImageId] and upon initialising the Session (i.e. when the page is first loaded) you’d generate some random SessionImageIds which you would map to the real image id. In your html you only expose the shadowed SessionImageId so no-one could trace back the image from the id. When the image is requested, you’d simply look up the real id in the Map.
Info: Exploring Lift, Lift wiki
Of course, if shadowing the ids is not important, you could simply use a SessionVar[Boolean].

Related

Wicket reporting same FileUpload object in subsequent requests

I have a panel used in multiple pages in an app we're developing. In this panel is a FileUploadField that uses AjaxFormSubmitBehavior (extended as FileUploadBehavior) on "change" to upload a file, which I then add to a list via ajax, update the view, clear the FileUploadField, and then allow them to select another file. And this is in fact exactly what happens in one of the pages using the panel...but not in another. In the non-working page, the first file selected is repeated over and over regardless of what file is picked after the first.
In the onSubmit of the behavior, we get the the FileUpload object which is supposed to be different between requests. I can see in the debugger that the FileUpload is the exact same object as the previous request, not merely carrying the same payload.
I'm scrutinizing the usage of the panel on the two pages and see no material differences. I can see the file control on the page DOES show the changed file name while I sit at my breakpoint on the server (so I suspect whatever is going wrong is on the java side). But I can't figure out why they behave differently or see where it's going wrong. The panels and pages are large and complex, so here's snippets of the relevant pieces.
FileUploadBehavior.onSubmit(AjaxRequestTarget) :
FileUploadField fileUploadField = (FileUploadField) fileUploadContainer.get("fileUploadField");
FileUpload fileUpload = fileUploadField.getFileUpload();
[...]
//clear file input after each request for next upload.
fileUploadField.clearInput();
target.add(fileUploadField);
I have a break right after this line and can see the first file gets repeated. The code that instantiates the field and behavior in the panel looks like:
FileUploadField fileUploadField = new FileUploadField("fileUploadField");
fileUploadField.add(new FileUploadBehavior("change", maxFileSize).setDefaultProcessing(false));
fileUploadContainer.add(fileUploadField);
The html tag:
<input wicket:id="fileUploadField" class="form-control" type="file" id="formFile" multiple>
I feel like the fact that it works in one page and not in another leads me to think the problem is outside the panel. The fact that the control in the browser shows the 2nd filename during test leads me to think it's on the java side. But nothing about the file event or definition happens outside the panel itself. The form elements are declared identically, and both have multipart enctypes when the pages render. Both successfully upload their first file. I'm kind of not even sure where to look for why wicket is re-using the FileUpload object in one page but not in another.
I should mention that we use Apache Wicket 6.26.
update: I looked into the source of FileUploadField, and it has an explicit check on whether FileUploads is null in it's internal property, and if so returns it without checking the actual request. I don't see any way to clear this value between requests. clearInput() doesn't affect it from what I see. I'm more confused by how this is working in one page than why it's not in the one where it doesn't now. I also don't know how to make the class 'reset' between requests.
Okay, figured this out. As martin-g pointed out, the fileUploads is set null in onDetach(), which I discovered about an hour after my update. The problem is that the onDetach() first tries to null out the model object. But that method was blowing up because there was no method 'fileUploadField' on the model attached to the form which was a compound property model. The page that worked does NOT use a compound property model for the form. For some reason, when this error occurred, it was being swallowed somewhere in the call stack and did not end up in my console log.
My solution was to provide a local model to the fileUploadField since that's not how I'm interacting with the control anyway (I'm using ajax and getting the FileUpload directly each time). That fixed it. It now works everywhere.

Is there a stable solution for loading images in SAP UI5 App?

Images folder contain many images like xxx.png, yyy.png, etc.
Image src="./images/xxx.png" works very well when I am testing and after deploying to SCP. But, the same doesn't work when I register the app to Launchpad and open it from there. Why does the images don't load?
I see the following the in the network:
Component.js is getting loaded from
https://xxxxxx-yyyyy.dispatcher.eu3.hana.ondemand.com/sap/fiori/workbox/Component.js?ts=1.0.143 with 200 status
But the images are trying to get load from
https://xxxxxx-yyyyy.dispatcher.eu3.hana.ondemand.com/images/xxx.png
https://xxxxxx-yyyyy.dispatcher.eu3.hana.ondemand.com/images/yyy.png which results in 404. Instead the hit should I have been on the following url.
https://xxxxxx-yyyyy.dispatcher.eu3.hana.ondemand.com/images/sap/fiori/workbox/images/xxx.png
I tried changing the Image src to src="./images/xxx.png" and src="/images/yyy.png". But, same old URLs are hit and results in 404.
Why does this happen so? Why does component.js and images are loaded from different root? I found many answers suggesting to use jQuery.sap.getModulePath("com.xxx.Component") but that didn't help me the least. It returned me https://sapui5.hana.ondemand.com/resources/com/xxx/Component which is of no use.
Old post but let me try to help you.
In order to retrieve files from your local project folder structure, you need to calculate the correct path to them. This is relevant for the FLP environment as apps get dynamic paths assigned when loaded.
sap.ui.require.toUrl is the magic function that should do the trick for you.
This function expects a path as input parameter and will translate it into a working path inside the FLP. See the method description.
Example
<Image src="{
value: 'your/name/space/images/xxx.png',
formatter: 'sap.ui.require.toUrl'
}" />
sap.ui.require.toUrl is replacing the deprecated jQuery.sap.getModulePath since UI5 1.58.
And since version 1.61, it is possible to pass static values to formatter functions via value in property binding as mentioned in the question Pass Static Value to Formatter Parameters in XML View.
If the formatter is no way to go for you, you can try to call the function within the controller and store the calculated path in a local JSONModel. I did not test this but the principle should be the same.
Good Luck!
P.S.; First Post. Any feedback on what to improve is very welcome :)

Stopping Ember.js Controller

My question is very basic on one hand but on the other hand the general situation is more complex, plus I cannot really get any working sample.
I'm developing/maintaing a web-application which is currently in transition from GWT code base into Ember.js.
Most of the newer code already relies on Ember.js and I think it's really awesome.
The problem is we cannot use Ember Router as all the request are being handled by the GWT.
In order to enabled the application run in this unusual configuration we have special JavaScript files that create our Ember main objects (Controllers & Models) for us.
As you can imagine navigation between tabs is cumbersome and is handled by GWT who creates Ember objects when needed. We are in transit toward a brave new world Ember Router and all.
But in the meantime, this is the problem I'm facing right now.
The user clicks a link which opens a page that contains some Ember based table.
The data is retrieved form the server using some Ajax code. Upon success it spawns a forEach loop which tries to pushObject all the received date into our Ember based components.
My problem happens when the user quickly switches between tabs. In this case the first list of object has not finished rendering yet and suddenly there's a new set of objects to handle. This causes Ember to throw errors like:
"Uncaught Error: Cannot perform operations on a Metamorph that is not in the DOM. "
and
"Uncaught NotFoundError: An attempt was made to reference a Node in a context where it does not exist."
Is it possible to prevent the loop from trying to render?
I've tried checking if the controller in question is already inDOM and it is, is there a way to notify Ember this object is no longer valid?
Sorry for a lengthy question and lack of running sample.
I'd probably modify the switch tab code to only execute afterRender has completed, that way you aren't mucking with ember objects while they are being used.
Ember.run.scheduleOnce('afterRender', this, function(){
// call GWT switch tab routine
});
Thank you Daniel and Márcio Rodrigues Correa Júnior. eventually what I did is to add a patch that would check the current context of the application (in my case the currently selected tab). If upon receiving the AJAX response the application is in the correct context (meaning the user haven't change the tab) go on. Otherwise just ignore the response and do not try to render it.
Now it seems to be working

How to get request properties in routeStartup plugin method?

I'm developing a multilanguage application, and use routes with translated segments. For multilingual support I created special Multilingual plugin.
To use translated segments I need set translator for Zend_Controller_Router_Route before routes init. So only possible place for this in my plugin is routeStartup method, but there is one problem here - for determine right locale I need to use properties of request (Zend_Controller_Request_Abstract), like module, controller and action names, but they are not defined yet here in routeStartup method. They are already defined, for example, in routeShutdown - but I can't set translator for route there, because it have to be done before routes init.
So what can I do:
can I get request properties somehow in routeStartup
or can I re-setup translator later in routeShutdown
P.S: there is a question with exactly the same problem Zend_Controller_Router_Route: Could not find a translator, but proposed answers is not the option for me, because I can't just retrieve language code from url with Regex, I have much more complicated code to define right language code.
Thanks.
What about putting your code in preDispatch? That's what I personally do when I need to check if the person is logged in. Maybe you can move your code there too?

How to show previous url after user has canceled dialog with message from Activity#mayStop()?

In our app we need to check if the data is saved when we are in a particular place before navigating away from it. So the user should be able to negate a browser back button request. But by the time that the history value change event is received the url has already been changed. The History class doesn't seem to have a way to restore the url back. Anybody have any ideas?
In GWT 2.1 you get Activities and Places. And activity has a maystop method, which is exactly what you want, if I understand you correctly.
Use a window.onunload or window.onbeforeunload javascript callback to confrim/save state.
onbeforeunload example
I haven't actually implemented this behavior yet, but here is my plan and maybe it will work for you.
1) Each time you receive an onHistoryChanged event and decide to allow it, save the current historyToken in an instance variable somewhere.
2) Keep track of activity on the page that should block navigation. Use a data structure that can keep track of multiple activities, like multiple file uploads, multiple edits, etc.
3) When you receive a new onHistoryChanged event, if your data structure from #2 indicates that it's not safe to navigate, avoid changing the page and restore the historyToken that you saved in #1. I'm assuming that you can do this either by:
a) Calling History.newItem(oldHistoryToken, false) or
b) Calling History.newItem(oldHistoryToken, true) and keeping a flag to force the next onHistoryChanged to be ignored.
Again, I haven't actually implemented this so let me know how it works out.
If you have links that allow the user to leave the app and you want to prevent that as well, you'll need to also add an onbeforeunload.
Have a look at the PlaceManagerImpl class from the gwt-platform framework. Especially the onValueChange() method and the methods dealing with the onLeaveQuestion field.
Hope that helps.
In this issue report, t.broyer explains in his comment that such behavior was planned during design of Places framework. The most important part is:
mayStop was a mistake, or it should have only been called when unloading the app, not for internal navigation within the app.
So probably it's better to not use it at all...