I am writing a simple web page, which shows some widgets based on user permission. If user has EDIT permission, the page renders EDIT widget else EDIT widget doesn't shows up.
What is the best way to achieve this?
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission. But, I see that user can "inspect element" on browser and set visibility accordingly. However, on server-side, I am using #PreAuthorize annotation on DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoratically inspect the edit button for example using Browser Dev Tools and make it visible, as long as the the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e edit button) from the DOM instead of hiding it, but it won't make it more secure.
I, first called a service to get logged in user's permission and then
set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't has permission, why would you load the code for all the n widgets. It's non performant.
write a panel that shows it's contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.
Related
If you go into amend Settings for a custom tab that you have created before, is there anyway to get the existing websiteUrl and contentUrl values in your configuration page?
The microsoftTeams.getContext method doesn't seem to make these Urls available (like it does entityId).
Thanks.
I think you'll need to persist this your side (e.g. in a database), and re-query them from your settings page. This is exactly why the "save" button won't become enabled until you're ready for it (by calling microsoftTeams.settings.setValidityState) - it's for your code to do whatever it needs before allowing the user to actually save any changes.
I´m at that point on my app, where the user Logged in, receive the data from the server and now i need to make same changes. One of the changes is change the button that appears on my Sidedrawer saying Log In to Log Out and vice-versa when the user Logs Out...I could talk about other changes but i think the main thing is...
How do I access the Sidedrawer content in order to change/add buttons. I already entered the app-root.xml and made same testing adding the navigatingTo="onNavigatingTo" function and also in the .js file just to see if it responds, but it doesn´t...
How do i perform this?
You can show/hide your button via visibility, text binding or via a structural directive like *ngIf (if using Angular). For example, take a look here - I am showing/hiding a button based on whether the user is logged in or not (here is the related code-behind code).
The above example is using an Angular directive and can be applied only in Angular based applications, but with the same logic, you can substitute ****ngIf*** with visibility and achieve the same in TypeScript or plain JavaScript app.
The easiest way to do it is put the frame inside drawer content area, then navigate frame to another page.
I am trying to build a tabbed application using Sticky States from UI-Router extras.
The contents of my tabs contain some directives that "register" themselves to a service. I would like to have, on initialization, a full registration so that the service knows all those directives. That means rendering the states in the background, without displaying them, as if the user manually clicked on all the tabs before starting to use the application.
Is there any way I can do this ? Thank you.
I am writing MVC3 web app I need to know at server side when user navigate from one web page to another. I do not need to know from what pages page to which just fact that user navigated. I could find this by adding Session variable to every Home Controller Actions but maybe there is better solution?
Use a global filter attribute for al your controller actions. You can set that attribute in the global asax. In that case you know when an action is hit.
You could try sending AJAX request bound to onbeforeunload browser event.
Basically, it happens on the client side, so the programming should also be in client. Javascript could be the way to go. Though it may deliver some inconvenience to the user.
I have a custom server control that loads data from a web service into a GridView. Works fine on my page. I want to be able to click on a row and pop a popupcontrol with more detail on the clicked row. I am using the client side events of the DevExpress gridview to handle the onclick. And from JavaScript I am calling a callbackpanel to access my custom server control to get properties to use in the popupcontrol. In the callback, the properties on my server control (which were previously set in order to display the data) are not set, yet any of the other standard controls on the page still have their property settings. Am I missing a setting in my customer server control that will persist my property settings into a callback?
There are a few methods for persisting values through a postback. The method you pick will depend on your exact situation, which you didn't elaborate enough. Personally, I think it sounds like a good place for AJAX...
Here's a great article with some options:
http://msdn.microsoft.com/en-us/magazine/cc300437.aspx
I've had very similar issues. The problem seemed to resolved by tweaking the timing of when the Data is bound.