How can I check that malicious users are not submitting a disabled ListItem from a RadioButtonList in C#? - validation

Suppose I have a RadioButtonList control:
<asp:RadioButtonList ID="rdbSubscriptionType" runat="server">
<asp:ListItem Value="Eval" Selected="True">Evaluation</asp:ListItem>
<asp:ListItem Value="Monthly" Enabled="false">Monthly Subscription (not available yet)</asp:ListItem>
<asp:ListItem Value="Yearly" Enabled="false">Yearly Subscription </asp:ListItem>
</asp:RadioButtonList>
A malicious user can indeed submit to the server with a POST action a ListItem with Enabled = "false". I would like to forbid this behavior.
On server side I can simply check:
if( rdbSubscriptionType.SelectedItem.Enabled == true)
but I am not sure whether a malicious user can change the enabled status of the control also from client side, with Javascript or similar techniques. Is there any best practice to perform this validation?

You need to think about the business rules that surround the decision to make something "disabled".
If the only check you're doing is based on what comes back from the front end, you're in trouble. Anyone can use FireBug to change an HTML value and have it posted to the server.
In your serverside code, what business rule do you follow to determine if the user submitting the form is authorised to perform any given action?
You say in the html that they're not allowed to do a monthly subscription. On what business basis do you decide this? Once you're clear about that you can put it into code and check when the form is posted.

No, the .Enabled property can't be changed with JavaScript; you're fine with what you have (test this for yourself to confirm). That said, there is a more thorough way of setting this up:
Use a separate model to populate the rdbSubscriptionType items collection (enabled, value and display text), then on the server side, compare against that model, not against the asp:RadioButtonList control itself.
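An added example (not code from the original answer) of the approach above: the allowed options live in a server-side model, the RadioButtonList is filled from it, and the posted value is checked against that model instead of the control's Enabled flag. The page class, btnSubmit and lblError are assumed names; only rdbSubscriptionType comes from the question.

```csharp
using System;
using System.Linq;
using System.Web.UI.WebControls;

// Added example, not the original post's code; class, button and label names are assumptions.
public partial class Subscribe : System.Web.UI.Page
{
    private sealed class SubscriptionOption
    {
        public string Value { get; set; }
        public string Text { get; set; }
        public bool Enabled { get; set; }
    }

    // Single source of truth for what may be chosen right now. In a real
    // application this comes from the business rule, not from a literal.
    private static readonly SubscriptionOption[] AllowedSubscriptions =
    {
        new SubscriptionOption { Value = "Eval",    Text = "Evaluation",                               Enabled = true },
        new SubscriptionOption { Value = "Monthly", Text = "Monthly Subscription (not available yet)", Enabled = false },
        new SubscriptionOption { Value = "Yearly",  Text = "Yearly Subscription",                      Enabled = false },
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // Render the list from the model; disabled items still appear, greyed out.
        foreach (var option in AllowedSubscriptions)
            rdbSubscriptionType.Items.Add(new ListItem(option.Text, option.Value) { Enabled = option.Enabled });
        rdbSubscriptionType.SelectedValue = "Eval";
    }

    // Decision based on the model only, independent of what the browser rendered
    // or what a user edited client-side before posting.
    internal static bool IsSelectable(string postedValue)
    {
        return AllowedSubscriptions.Any(o => o.Enabled && o.Value == postedValue);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (!IsSelectable(rdbSubscriptionType.SelectedValue))
        {
            lblError.Text = "The selected subscription type is not available.";
            return;
        }
        // ... continue with the validated value only
    }
}
```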

Related

Is there a way to enable Javascript on bulkEdit form from Dynamics 365 CRM?

Multiple required fields from the bulk edit form are not displayed. The labels for those fields appear on the form but the textboxes don't appear. I think this happens because we have scripts that run for those fields. I tried to edit customizations.xml and to put BehaviorInBulkEditForm = "Enabled" but it is not working. Is there another way to enable JavaScript?
As per the Form XML schema, the BehaviorInBulkEditForm attribute goes on the <event> element; be careful you're not putting it somewhere else.
The valid values, as per Microsoft KB 949941, are:
Enabled
If you use this value, the field is enabled. Additionally, the code for the event is run when the event is called.
Disabled
If you use this value, the field is disabled.
EnabledButNoRender
If you use this value, the field is enabled. However, the code for the event is not run when the event is called.
I would recommend staying away from unsupported customizations, which will eventually break in future updates.
If it's worth it, then move all the logic to post-update or pre-update plugins, which is a fail-proof server-side implementation rather than the client-side JS route.

Symfony2 : Best way to check form, client side

I'm developing a form with Symfony2 : several text inputs and one file input (for one picture). I have defined some asserts (maxLength, minLength...) in my entity in order to check the form (isValid).
My problem is: if the user puts bad data in a text input (text too long or too short...), he can still submit the form, and errors are printed, but the user has to re-choose his picture.
As I think it's impossible to keep the picture in the form after failed validation, I should maybe check the form on the client side (JavaScript) before submit.
So, is there an automatic way to do this (to forbid submitting until the data are correct)? Can we get the assert minLength, maxLength values in Twig?
Thank you !
Ben.
You can use JS validation before submitting the data, using some JS form validation tools, but this way you need to replicate the validation logic from the server, so if validation rules change, you need to modify them on both server and client side. I recommend this method to reduce the traffic between client and server.
If you don't want this, use ajax form submitting (example here). You still validate the form using symfony, but the page won't refresh, so you won't lose the attached file. But this generates additional traffic to server, and you also need to implement error displaying using javascript.

How to force Wicket "onchange" AJAX events to be triggered if fields fail validation conditions

The specific case I've got in mind is as follows: an AjaxFormComponentUpdatingBehavior("onchange") is added to a TextField in a form. The behavior verifies the text for certain conditions (either the model object or the form component model, doesn't matter), based on which it might display a message (or hide it, if it has already been shown).
The problem is, there are also validators added to the TextField. One of the possible (and likely) scenarios consists of the user typing in, first, a value that causes the message to be displayed by the AJAX request. If, then, he/she types in a value that doesn't pass validation, the message should disappear, but it does not.
Apparently, either the onUpdate() method for the AJAX behavior is not called at all, or I am failing in my attempts to insert a check for non-validated entries (I have tried to test for both null values and empty strings, to no avail; I have no idea what exactly Wicket's validators do to models when data is invalid).
I am wondering if someone who actually understands validators (or AJAX, actually) has any ideas on where the problem could be.
I can edit and post code if someone tells me this is not a general issue tying validators and AJAX, but most likely a programming mistake. I still believe the former and thus I'll refrain from posting code sections, in order to keep the discussion on an API/theoretical frame.
Thanks.
When using an AjaxFormComponentUpdatingBehavior, if any of the IValidators fail their validation, onError() will be called instead of onUpdate(). Wicket will effectively prevent invalid user input from reaching the IModels in your components, so the component's ModelObject will not be changed at all. The invalid input will probably remain available by means of getInput()/getConvertedInput() (not sure if it will in an AJAX scenario, it sure is in a traditional form submission).
However, take into account that IFormValidators are not executed when using this mechanism. If you've got any, you might be interested in overriding getUpdateModel() so that AjaxFormComponentUpdatingBehavior will not bring maybe-invalid user input into your IModels, and set model objects manually when you're certain user input is valid.
Regarding your specific case, you could perform all the required logic in onError() (or rely on Models that will grab data from somewhere else), and just add the components that need refreshing to the AjaxRequestTarget. This is probably what's missing in your scenario.

Strategy for links in emails which alter state

We've got a few emails that get sent out by our ASP.NET MVC 3 application.
In one of the emails, we want to add "Did you find this helpful?" to the footer of the email.
If they click "Yes", some action needs to be taken in the database.
What approach should i take for these links?
I don't really like the idea of doing a GET (e.g. when they click the link), which then adds something to the database. GETs should never update state. Is there a way I can make it do a POST instead?
I'm using ActionMailer to perform emails, if that matters.
EDIT:
To be clear, I'm not asking "how" to implement the MVC side of things. I know I can create an action which takes the id, etc. and saves to the DB, but I'm asking about what is the correct approach from a REST-style point of view.
You can create a form and do a POST in an email but it won't work with certain mail clients. Here is a reference from 2007 that shows where it works and where it doesn't:
http://www.campaignmonitor.com/blog/post/2435/how-forms-perform-in-html-emai/
ETA: A POST would of course fit the REST pattern but is probably not a good option in your case. Since you are presumably just incrementing a counter for helpfulness, having this URL exposed shouldn't cause much of a problem.

Remote Validation with MVC3

I've just been reading the article on MSDN about remote validation. This is great, but it only shows validating a specific property value.
Is there a way I can pass other values from my model into the validation for a particular property? For example, let's say that a user wants to cancel a number of items off an order - they should be prevented from entering a figure greater than the original order amount.
Thanks
No, you can't.
Brad Wilson:
At this time, only property level validators can emit client-side validation (as that lines up much better with the idea of input validation in the form of the browser... there is no "model" to speak of, from the browser's point of view).
Stuart Leeks:
I don't believe you can hook up client validation with IValidatableObject
Well, I am not sure if you mean this, but you can use AdditionalFields with your RemoteValidation attribute.
Remote Validation in ASP.Net MVC 3: How to use AdditionalFields in Action Method
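An added example (not from the linked question or the MSDN article) of AdditionalFields applied to the order-cancellation case: the remote action receives the original quantity alongside the property being validated, and the POST handler re-checks the same rule against the stored order, since the browser-supplied OriginalQuantity can be edited. The view model, action, repository names and the dependency-resolver wiring for the constructor are assumptions.

```csharp
using System.Web.Mvc;

// Added example, not from the linked question; model, action and repository names are assumptions.
public class CancelItemsViewModel
{
    public int OriginalQuantity { get; set; }

    // Unobtrusive validation will GET /Order/ValidateCancelQuantity?CancelQuantity=..&OriginalQuantity=..
    [Remote("ValidateCancelQuantity", "Order",
            AdditionalFields = "OriginalQuantity",
            ErrorMessage = "You cannot cancel more items than were ordered.")]
    public int CancelQuantity { get; set; }
}

public interface IOrderRepository
{
    int GetOrderedQuantity(int orderId);
}

public class OrderController : Controller
{
    private readonly IOrderRepository _orders;
    public OrderController(IOrderRepository orders) { _orders = orders; }

    // One rule shared by the remote check and the real POST handler so they cannot drift apart.
    internal static bool IsCancelQuantityValid(int cancelQuantity, int originalQuantity)
    {
        return cancelQuantity >= 0 && cancelQuantity <= originalQuantity;
    }

    // Remote validators are called with GET, so AllowGet is required.
    public JsonResult ValidateCancelQuantity(int cancelQuantity, int originalQuantity)
    {
        return Json(IsCancelQuantityValid(cancelQuantity, originalQuantity), JsonRequestBehavior.AllowGet);
    }

    // The remote check is a usability aid only: OriginalQuantity arrives from the browser
    // and can be edited, so the POST handler re-checks against the stored order.
    [HttpPost]
    public ActionResult CancelItems(int orderId, CancelItemsViewModel model)
    {
        int stored = _orders.GetOrderedQuantity(orderId);
        if (!IsCancelQuantityValid(model.CancelQuantity, stored))
        {
            ModelState.AddModelError("CancelQuantity", "You cannot cancel more items than were ordered.");
            return View(model);
        }
        // ... apply the cancellation against the order here
        return RedirectToAction("Details", new { id = orderId });
    }
}
```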