If you go into amend Settings for a custom tab that you have created before, is there anyway to get the existing websiteUrl and contentUrl values in your configuration page?
The microsoftTeams.getContext method doesn't seem to make these Urls available (like it does entityId).
Thanks.
I think you'll need to persist this your side (e.g. in a database), and re-query them from your settings page. This is exactly why the "save" button won't become enabled until you're ready for it (by calling microsoftTeams.settings.setValidityState) - it's for your code to do whatever it needs before allowing the user to actually save any changes.
Related
I am writing a simple web page, which shows some widgets based on user permission. If user has EDIT permission, the page renders EDIT widget else EDIT widget doesn't shows up.
What is the best way to achieve this?
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission. But, I see that user can "inspect element" on browser and set visibility accordingly. However, on server-side, I am using #PreAuthorize annotation on DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoratically inspect the edit button for example using Browser Dev Tools and make it visible, as long as the the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e edit button) from the DOM instead of hiding it, but it won't make it more secure.
I, first called a service to get logged in user's permission and then
set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't has permission, why would you load the code for all the n widgets. It's non performant.
write a panel that shows it's contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.
I'm using Sitefinity 4.2. I have created a masterpage, with content placeholders, which I am using as a template when creating a new page. I then have several different custom user controls, which I drop into the different placeholders, and set the parameters for them through the control edit forms. This standard scenario works fine.
As our end users are not very sophisticated, I would like to create a new scenario in which, when a new page is created via the admin console on the basis of my masterpage, different controls are programmatically inserted into the various placeholders, and values for control properties are set. All the end user then has to do is to tweak the property values on one or two controls, and he's done.
Any ideas on how I would go about doing this?
For what you're describing, I'd suggest utilizing page templates. You can specify a master page to use and also drop widgets in to the placeholders you've established. Users can then create new pages based off of this template and your settings will carry over.
Widgets that you configure in a template can't be modified outside of it so you'll want to leave any that the user should be able to change, from the page editor, out.
You can create a page template by going to Design->Page Templates in the admin section.
I need a way of being able to do the following:
A web application has a variable called 'setting'.
When a user first connects to the application, setting should have a value of 'default'.
Setting can be changed in any page.
If a user middle-clicks to open a page in a new tab, that page's setting should be a copy of the current page's setting (a copy, not a reference to it).
If a user opens a new tab and types in the web app's URL, then that page's value of setting should be 'default'.
If a user left clicks a link, then the new page should have the same value for setting as the referring page (the same value, not a copy).
Implementation:
I can obviously do this with a nasty url hack (...?setting=foo), but this gets nasty when there are many settings.
Is there any 'per-tab' storage available on browsers.
Theory:
The theoretical underpinning for this behaviour is the concept of a subsession. All subsessions belong to the session. Subsessions have a parent, if their tab was opened by a middle click. If their page loaded by typing a URL in an empty tab, then the subsession has no parent. Settings can be stored in subsessions, and is a setting is not present in a subsession, the parent's value is used instead.
Has anyone got any ideas on how to do this nicely?
Are there any sites which already behave this way?
Thanks,
Chris.
I think this would work for you: http://www.xul.fr/en/html5/sessionstorage.php
I have written a solution to this issue at:
https://github.com/chrisdew/subsession
It is obviously in early development and may contain bugs.
We have a requirement where support for different users in different tabs of a browser window. How can we achieve this in Spring 2.5? The application is based on Users, where users will have their own agents and articles. An internal user should be able to login to different user accounts in different tabs at same time and manipulate their data. Any help is much appreciated.
A browser's cookie store does not distinguish between different windows or tabs when deciding what cookies to send. So a cookie based approach won't help.
My suggestion for an alternative would be to have a hidden "userName" parameter that is passed back and forth as a URL query parameter for all requests from a given tab or window. You could finesse the setting of the parameter in browser requests by using some Javascript to add a hidden parameter to each of the HTML forms in the page just loaded. The parameter value would be snarffed from the query string of the current page URL. You'd just need to make sure that all pages included stuff in the header to load the JS and run it when the page load completed.
Generally speaking, no, because all of the tabs within the browser window share the same cookies.
One way to do it would be use multiple domain names all pointing at the same app. Each domain name would have its own set of cookies. You would need to have some way of switching to a new domain name after you open a new tab.
How about, have a set of bookmark toolbar bookmarks, each corresponding to a different domain name. Control-click on the bookmark and it opens in a new tab. You could provide the users links in your navigation to the different domains that they can drag onto their toolbar.
Depending on what browsers your users are using you could get even slicker - in some browsers Javascript window.open() opens a new tab. You could have the JS compute the new domain name before the window.open().
I have a custom server control that loads data from a web service into a GridView. Works fine on my page. I want to be able to click on a row and pop a popupcontrol with more detail on the clicked row. I am using the client side events of the DevExpress gridview to handle the onclick. And from JavaScript I am calling a callbackpanel to access my custom server control to get properties to use in the popupcontrol. In the callback, the properties on my server control (which were previously set in order to display the data) are not set, yet any of the other standard controls on the page still have their property settings. Am I missing a setting in my customer server control that will persist my property settings into a callback?
There are a few methods for persisting values through a postback. The method you pick will depend on your exact situation, which you didn't elaborate enough. Personally, I think it sounds like a good place for AJAX...
Here's a great article with some options:
http://msdn.microsoft.com/en-us/magazine/cc300437.aspx
I've had very similar issues. The problem seemed to resolved by tweaking the timing of when the Data is bound.