How can I remove a parameter from the HttpContext.Request.Params collection?
I added it on the client as a form of "can't add a header to an iframe request" but now I want to remove it from the collection so it doesn't bother others sniffing the pipeline. I don't have to remove it, but I would like to.
I'm writing an ActionFilterAttribute and using the OnActionExecuting to test if it exists, so figured I would see if I could remove it as a matter of not polluting the pipeline any more than is necessary to send my request.
Related
I am trying to allow front end user to delete a file they have uploaded.
#docs() tells me that $page.lead.files has a method called .remove() that accepts either an Int or an Object.
I keep getting a response of "false" when using this method. I am trying to pass and ID or Object of a file within $page.lead.files object.
Debugging...
User: https://spinsurance.admin.kademi.com.au/manageUsers/116783806/#summary-tab
Page: https://crm.spinsurance.co.nz/leads/148615383/
Source: https://spinsurance.admin.kademi.com.au/repositories/spcrm/version1/theme/apps/leadman/components/texteditor?fileName=leadDetailTabContentComponent.html
Under section on page called: Uploaded Files.
Click big red Delete button. (I don't mind if this file gets deleted)
Thanks for your help in advance.
The Lead.files property is a persisted list. Its not a good idea to try to modify the database using that approach.
Note that lead files are exposed as http addressable resources, which support the http DELETE method
So the simplest approach is to delete from the browser using ajax
Eg
DELETE /leads/123/myfile.pdf
we've implemented a new AJAX based search on our website. We're adding the parameters and their values with # tag at the end of the main URL, when user makes further refine by applying additional filters.
This was done to enable our users to share the URL of what they were viewing. It's actually now achieved in a way that the page gets redirected and the content is generated first for the base URL. Using a Javascript function which executes onload looks at the parameters in the # tags and makes another AJAX hit.
Questions:
Why browsers are not sending the # thing to the server. i.e.; # part is not even received by the HTTP Server. It's interesting actually, browsers are not sending them at all
What is best way to get the # values? I'm looking at more of to avoid the double hit that we've implemented right now. i.e.; content is loaded already and then making another AJAX call to apply the refines.
The # value is an instruction to the browser to look for a named anchor in the document it is to load from the server. It is interpreted and actioned by the browser. The server can do nothing with it, so there's no point in sending it. If you're trying to use this for some other purpose then you'll run into difficulties - as you have found.
There is a mechanism for sending data to the server: the querystring. Append your parameters to the URL prefixed by a ?, in the form variablename=data, with successive variables separated by a &.
I have a GET action for creating records. Because the page is somewhat dynamic, I don't use a model to hold the data. I go off to do some OAuth, only to return to the create screen later on. In order to pass the data back, I am redirecting with a query string. I parse the query string in the GET action, and then show the view. The thing is, the query string is showing up in the browser. This displays pseudo-sensitive data.
Since I am only using the query string for transferring data, I am wondering if I can throw the query string away to prevent it from showing up on the browser.
Otherwise, is there a way to go to another action without redirecting? I've found, if I call the "other" action method directly, it tries to find the view of the original action. I can explicitly change the return View(viewModel) line to return View("create", viewModel) but that seems really dirty.
You should consider changing the action to accept POST requests. At least this will prevent the sensitive information from appearing in the browser. For extra security, your site should be served via SSL.
The other thing you can try is encrypting the sensitive values or the entire query string. The only problem is that this, too, will be preserved in the browser's history unless you require users to log in.
It looks like your action method is trying to do too much. Authentication/authorization is a separate concern which should not be part of the action method. It is better to move the authentication work in to an action filter.
Create an class that extends authorization attribute and override its OnAuthorization method to do your authorization work.
This frees your controller action method to accept POST requests.
Is it possible to prevent direct access to an action in symfony. The action is only accessible by "forward" only. So basically, a way to see if the request is coming from another action.
I'm trying to achieve this because the first action handles plenty of verifications then if it fails, it stays on that action. If it succeed, it will forward to an appropriate action; this action needs to have safe inputs (validated from the first action). In order to keep the code DRY, the second action doesn't need to re-verify all the inputs again.
Then why not doing simply a private method? The second action is sort of a plugin, it's decided on the fly where it's going from the first one, that action has its own set of other future action/template. It makes more sense to simply forward instead of trying to handle plenty of cases that Symfony already takes care of.
There are multiple ways to achieve this.
1) Make sure your action isn't accessible by the routing. If you have wildcard routes this will be harder, but you can always add a route which would point the url for your action to a 404 page. Add something like this to your routing.yml:
disabled_action:
url: /disabledController/disabledAction
params: { module: default, action: error404 }
2) Check the action stack upon executing your action. The action stack let's you know from which action you were redirected. You can access it within your action using $this->getController()->getActionStack(). If the getSize() is bigger than 1 (in a default configuration) you we're forwarded.
Use referrer parameter available in request
$request->getReferer() will give you full url of previous action
I'm curious why you're trying to achieve this. Are you looking to have multiple points of access that forward to this action? What if you simply defined a private method (which by default aren't web-accessible) and called it directly from another action?
Why are there GET and POST requests in AJAX as it does not affect page URL anyway? What difference does it make by passing sensitive data over GET in AJAX as the data is not getting reflected to page URL?
You should use the proper HTTP verb according to what you require from your web service.
When dealing with a Collection URI like: http://example.com/resources/
GET: List the members of the collection, complete with their member URIs for further navigation. For example, list all the cars for sale.
PUT: Meaning defined as "replace the entire collection with another collection".
POST: Create a new entry in the collection where the ID is assigned automatically by the collection. The ID created is usually included as part of the data returned by this operation.
DELETE: Meaning defined as "delete the entire collection".
When dealing with a Member URI like: http://example.com/resources/7HOU57Y
GET: Retrieve a representation of the addressed member of the collection expressed in an appropriate MIME type.
PUT: Update the addressed member of the collection or create it with the specified ID.
POST: Treats the addressed member as a collection in its own right and creates a new subordinate of it.
DELETE: Delete the addressed member of the collection.
Source: Wikipedia
Well, as for GET, you still have the url length limitation. Other than that, it is quite conceivable that the server treats POST and GET requests differently; thus the need to be able to specify what request you're doing.
Another difference between GET and POST is the way caching is handled in browsers. POST response is never cached. GET may or may not be cached based on the caching rules specified in your response headers.
Two primary reasons for having them:
GET requests have some pretty restrictive limitations on size; POST are typically capable of containing much more information.
The backend may be expecting GET or POST, depending on how it's designed. We need the flexibility of doing a GET if the backend expects one, or a POST if that's what it's expecting.
It's simply down to respecting the rules of the http protocol.
Get - calls must be idempotent. This means that if you call it multiple times you will get the same result. It is not intended to change the underlying data. You might use this for a search box etc.
Post - calls are NOT idempotent. It is allowed to make a change to the underlying data, so might be used in a create method. If you call it multiple times you will create multiple entries.
You normally send parameters to the AJAX script, it returns data based on these parameters. It works just like a form that has method="get" or method="post". When using the GET method, the parameters are passed in the query string. When using POST method, the parameters are sent in the post body.
Generally, if your parameters have very few characters and do not contain sensitive information then you send them via GET method. Sensitive data (e.g. password) or long text (e.g. an 8000 character long bio of a person) are better sent via POST method.
Thanks..
I mainly use the GET method with Ajax and I haven't got any problems until now except the following:
Internet Explorer (unlike Firefox and Google Chrome) cache GET calling if using the same GET values.
So, using some interval with Ajax GET can show the same results unless you change URL with irrelevant random number usage for each Ajax GET.
Others have covered the main points (context/idempotency, and size), but i'll add another: encryption. If you are using SSL and want to encrypt your input args, you need to use POST.
When we use the GET method in Ajax, only the content of the value of the field is sent, not the format in which the content is. For example, content in the text area is just added in the URL in case of the GET method (without a new line character). That is not the case in the POST method.