I have various Ember models which all need to send the same attribute to the server to identify which information they should modify, I know I could add a non-serialised attribute to each model and set it each time, but that seems messy.
The attribute is on the Application controller, and I want it to be sent whenever I save/get/update/etc a model.
Any ideas on how I might do it?
Related
I want to update a row of data in a database using Ajax and PHP; however, I'm struggling with the following issue: the field in the database to update (henceforth the id) is dependent on the page the ajax request is sent from.
I need to get this id to my PHP script that Ajax calls, however:
I don't want to set the id in a data attribute or hidden input on the page because these can both be manipulated by a malicious user.
Similarly, identifying the id using the referring URL is also prone to spoofing as $_SERVER isn't secure.
I can't set the id in a SESSION variable (or COOKIES) because the user could have multiple pages open and the SESSION would only hold the last page id that was opened.
The only solution I can think is to create a map of random tokens to id's in a table in the db and pass that in a SESSION variable (as per #3 above), then check the table for the token and grab the respective id that way. Seems somewhat convoluted though.
Are there any other options or thoughts? Thanks.
This is a problem related to OWASP Top10 A7 (Missing Function Level Access Control).
There might be no issue with putting your ID on the page so the page can send it back - you just need to validate that the actual save request is permitted for the user.
Just think, regardless of whether you put the ID on the page or not, the page does know the base url for performing the action, so they could go ahead and guess IDs anyway.
Simplify your logic. Pass some sort of indicator of what type of id is in use from the client to the server.
If you create overly complex application logic to address a security concern you will probably have more problems with your code than improvements in security.
Use SSL/HTTPS and a WAF (web application firewall - like mod_security).
I have a variable in my JavaScript which contains the id of the clicked row in the master grid. I want to pass it to the groovy service page that handles my child grid so that it can filter the rows based on that id. How do I do that?
The problem is that your javascript-based grid runs on the client, while the page is rendered server-side. Therefore, some communication must take place in order to instruct your application to filter rows based on what the user selects.
Grails uses the MVC architecture, this means that there is a controller that takes care of answering the requests generated from the client. To answer these requests, the Controller can make use of the Views (.gsp files). So when you call to the URL controller/index you may make use of an index.gsp view to render your page.
What you need to do is to make an ajax call to a controller method (e.g. controller/getFilteredRows) that gets as input the selected row (could be its id) and based on some logic fetches all the required information and sends them back to the client encoded for example using JSON.
Now the client knows the rows it has to display, hence you can update your grid.
With ember models as they are changed by user input, they are persisted over the application with the changed values (until a refresh of some sort to reload the data from the server). Now these models and their changes have not been saved to the server.
So I am wondering how I can check if models have been changed but have not been saved to the server yet.
Use case: To let users know that the following changes have not been saved yet.
I am just looking for some sort of boolean variable if one is available through ember or ember-data.
If not, some help would be appreciated to roll my own (I'm very new to ember).
You want the isDirty attribute.
In my app, the user creates a collection with a bunch of models. As I don't want to make a ton of requests to the server, I've created a custom function that saves these models in batch to the server. The server then responds with all the models including their id, and this is then set to the various models. All working well so far.
The problem I'm having now is that Backbone doesn't know that at this point all models are synced with the server. So at a later point in the app, when I call model.save() on each model, it sends each model to the server again (which should be only the ones that are changed since the batch operation). How could I let Backbone know that all models are synced? I was looking at the 'changed' and 'hasChanged' attributes, but am not quite sure if I should manipulate these (I guess not).
Backbone does not include the feature of tracking changed attributes since last sync with server.
The changed and hasChanged are not dealing with changed attributes since last sync with server.
You will have to create your own mechanism for tracking the state of your models:
Each model should have a hasChangedSinceLastSync flag.
Each model should bind (.on) to it's own change event and set the flag to true.
Override the sync method and set the flag to false once data is returned from the server (for read/create/update).
Backbone will make a HTTP POST to create your model server-side if the id attribute of you model is unset/null.
So what you should do is set this id attribute manually when the server returns them.
Also, if your id attribute is not id, you can tell backbone that it's another attribue.
Cf, the docs :
Manually set an attribute : http://backbonejs.org/#Model-set
The id attribute of your model : http://backbonejs.org/#Model-id
Reference to the sync method that is being called under the sheets when you save() a model : http://backbonejs.org/#Sync
Backbone.js makes a POST request when a new model is created and saved, but it doesn't consider the model to be saved (i.e, further saves result in PUTs not POSTs) until the model has an id.. how should the server return the ID of a newly created model so that backbone.js can set it (i.e, how should it respond to the initial POST)?
If backbone.js doesn't handle that, I assume the best way to do it is using the success handler to set the ID?
You have two options. The first is to return the same JSON structure for a POST request as you would a GET request for the show action (returning a single item.) This uses a single request.
From the documentation:
Set a hash of model attributes, and sync the model to the server. If the server returns an attributes hash that differs, the model's state will be set again.
The other option is to trigger a fetch on your collection after you save. This will take more than 1 request though and will always be less efficient.