how safe is to pass the 'user' to javascript Ajax in laravel? - javascript

I already asked about this situation but when you pass the data directly to the view like this:
you get the user with $user = Auth::user(); and then send it to the view with return view ('somepage')->with('user',$user); the browser will get all user data in the view (uername, password, user_id etc..).
And found out it should be safe. Now I am thinking what if you instead are passing it to a script that is in charge of updating the view?
Like this:
return Response()->json($user);
You are firing a json in the wild that gets into the script as data, so can a third party have access to that json data too?

No, you DO NOT want to pass any sensitive data to a script or through JSON. Both of these resources would be viewable from the client side.
You can however, remove the sensitive data from your object before serializing it to JSON and passing to the browser.
In your Eloquent models, add a $hidden property - this property is an array of attributes that will be removed when serializing the model to JSON.
So, your User model will look like:
<?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class User extends Model
{
/**
* The attributes that should be hidden for arrays.
*
* #var array
*/
protected $hidden = ['password'];
}
Then, the password will be removed and not accessible from the client.
Docs: https://laravel.com/docs/5.2/eloquent-serialization#hiding-attributes-from-json

Related

How do I pass a variable to JavaScript using Laravel in order to broadcast on a private channel?

I am building an app in Laravel 9.42.2 and have set up Laravel Echo and Soketi to broadcast events. I can successfully send and receive broadcasts on public channels, but I can't figure out how to broadcast on a private channel.
According to the docs I can do this with the example code below:
Echo.private(`orders.${orderId}`)
.listen('OrderShipmentStatusUpdated', (e) => {
console.log(e.order);
});
What I don't understand is where the ${orderId} is passed to the JavaScript. I can create the private channel on the backend in PHP, but I don't know where the front end should be receiving the variables it needs to fill in the placeholders in the listener.
Options I have considered:
Query the database at the front of every response and send a list of all possible ID's back to the user to store for use as needed (i.e. get all orderId's related to the user as an array and use a loop to create a listener for each of them). I'm concerned this would add a lot of unnecessary trips to the database and overhead to the page load times for something that might not be needed.
Add a line in the Controller to parse the orderId to json just before calling the event dispatch. Not sure why this feels wrong, but it does.
You can do via this tricks.
The orderId can be a part of your page url or can be represented by a hidden element in your template, for example:
<input type="hidden" id="orderId" value="{{$orderId}}" />
In case you choose hidden element, just get its value and pass to the Echo.private() method.
var orderId = document.getElementById('orderId').value;
window.Echo.private(`orders.` + orderId)
.listen('OrderShipmentStatusUpdated', (e) => {
console.log(e);
});

Rendering View with Data from Zend Controller for Angular JS

I am in need of this unique requirement where my backend is PHP with Zend Framework in MVC pattern and frontend is Angular JS, I need to pass data from the backend to the Angular JS controller and render the view at the same time.
As far as I know if the backend class inherits Zend_Controller_Action, it returns only View and not data and if the backend class inherits Zend_Rest_Controller, it returns only data and not view.
Is this right and is there a way to render the view as well as return the data without using the $this->view->data concept.
For returning JSON data all you need is the JSON Action Helper
public function someAction() {
// create an array with your data
$data = array();
// to add some view data
$data['html'] = $this->view->render('/path/to/script/script-name.phtml');
// essentially you can load and render any script and I am
// not 100% sure but without a path it would render the default
// action script in view/scripts/controller-name/action-name.phtml
// Send the JSON response. Both methods do the same
$this->_helper->json($data);
$this->_helper->json->sendJson($data);
// NOTE both methods terminate and return the data
// i.e. the follow should not been seen
echo "This should not be seen!";
}
This helper will set the appropriate headers and simply return a JSON object. If you have some error handling in your action and need to return codes other than 200OK you can also fetch the response object $this->getResponse() and set those values.
There are other variations where you would set layout to noRender and contexts but that's all handled already by the JSON helper.

How do I use javascript variable to filter Model in cshtml

I have a javascript function that will calculate and return a status, then I want to use it to filter my model. But it seem it doesn't allow me to do this in cshtml file.
var status = GetStatus();
if (status != 'All')
{
data = #Html.Raw(Json.Encode(Model.Where(p => p.ConfirmedStatus == status)));
}
else
{
data = #Html.Raw(Json.Encode(Model));
}
You cannot use JavaScript to filter model data that you passed to your View in this way. The model data is bound to the view on the server, before it is sent to the client. This means that you cannot use LINQ inside of a JavaScript function like you have posted above because the server is already done with the file and sent it on to the client. After the model data is bound, the entire view is sent to the client which is where JavaScript is processed.
There are other options such as partial page rendering (making an AJAX call to get the filtered data back to the server) or you could look at some jQuery plugins that filter data inside of a table such as http://jquery-plugins.net/jquery-filter-table-plugin. It really depends on your use case.

crm 2011 get the default view id

Is there a way in CRM 2011 to get the default view id for a custom entity? Using JavaScript I want to dynamically generate a HREF but I don't want to hard code any part of the URL. I know how to get the Server URL and Org name in the link below but not this portion "etc=2&extraqs=%3f_gridType%3d2%26etc%3d2%26id%3d%257b"
http://dev:5555/MyOrg/main.aspx?etc=2&extraqs=%3f_gridType%3d2%26etc%3d2%26id%3d%257b
You can query public views just like any other entity in CRM. The entity name is SavedQuery and there are properties for returnedtypecode (Entity Name), isdefault, and querytype (the type of query it is).
So with that in mind you can make a query to the OData or Soap endpoints from JavaScript to get the default query for any entity type.
Take a look at: http://msdn.microsoft.com/en-us/library/gg334266.aspx
You should be able to use something like:
var defaultViewId = Xrm.Page.getControl("<lookup field name>").getDefaultView()

Getting data with Breeze that is "Ignore"d in the database

I am building a SPA and are using BreezeJS for data management. Now I want to be able to set processed data on my model class that are not present in the database and send it up the client. The problem is that breeze also ignores these properties.
public class MyModel{
public int Id{get; set;}
public string Name{get; set;}
public string ProcessedData{get; set;}
}
...
Ignore(model=> model.ProcessedData);
I realize that Breeze uses the same metadata as my datacontext, but there should be a way to override it.
The ignored properties is sent by the controller as json, it's just a matter of making breeze parse it as I need it to.
I haven't confirmed this but I think that if your are sure that the data is being returned from the server then you can add "unmapped" properties with the correct names to the Breeze client and it will materialize these as well. See the "unmapped" discussion here: http://www.breezejs.com/documentation/extending-entities .
Or you could try this ( I haven't actually tested this) AFTER the metadata has already been returned.
var dp = new breeze.DataProperty( {
nameOnServer: "ProcessedData",
dataType: "String",
isUnmapped: true
});
myEntityManager.metadataStore.getEntityType("MyModel").addProperty(dp);
and then try your query.
Note: only "unmapped" properties can be added to the EntityType after the EntityType has been itself added to a MetadataStore.

Categories