Here's the scenario. I am developing a one page app:
Most of the operations are achieved through ajax.
The page should show different components in different user login state (admin, normal user, visiter...)
There's so many animations in the page.
Does it mean that it would be necessary to check whether the user has logged in or not each time he clicks a button (some buttons can expand to a menu, whose components are partly shown according to the login state)?
Are there any better possible solutions?
Yes, you should. Only the server knows who should and should not do certain actions. It's mandatory to do checks on the server-side. Never trust the client.
Yes, to be secure you need to make the server authoritatively decide what the client can and CANNOT do. Because javascript is run client side, anyone can modify it and make it run how they want. The server is what you control, and you must use this to ensure that any requests by the client are valid and then follow through on or reject them accordingly.
Servers should almost always be authoritative in this way.
It is probably a good idea to use a UI object (with for example menu options) based on user privileges. Your server side code can return some JSON which includes only menu options that the current user can see and you use that object to construct the front end for that user. So if a user clicks a button to expand a menu you don't have to check anything just display what was returned from the server initially.
You should check permissions every time someone performs a "meaningful" operation in the system such as rename an object or request some data or delete something. This check can be easily built in into your backend API...
Related
I am currently redesigning a website and looking for a solution on how to add a paid version of the site.
For example, say I have a <select> drop-down box with 20 elements inside. However, I want 15 of these 20 elements to be disabled unless the user has a paid account. At this time, that is the extent of what I need to differentiate between free/paid versions.
I'm planning on adding the ability to register an account and log in, as well as some type of payment processor (recommendations are appreciated for this! - currently looking at using Django/Python). I just don't know how to best go about managing two different levels of the website, and allowing those additional options to paid members.
I'm working with calculators that are pure Javascript. Using Bootstrap for the page design. As far as anything else goes, I'm open.
To do that, you'd have to add a field with a default value of NULL to your database, let's call it "subscription", into your users table. Then, everytime a user login to your website, fetch the subcription value and write it into a session variable. The last thing you have to do to ensure free members aren't allowed to perform any actions the subscribed members can is checking the content of the session variable while :
building your html, or you could check it on the client side with javascript right after the premium element has loaded (this is for user experience only since a client can remove any html attribute whnever they want)
and
while recieving the data of the premium element on the server side, accept it if the user is premium, reject it if they're free (again, just checking the session variable should do the job).
So as you can see, it's much more about preventing free users to gain access at the paid members options than allowing paid members to browse a completly new version of the website designed specifically for them.
I will try to give you a blunt idea maybe this might help you.
So lets say a user has paid for your service you can flag a token in yours app's backend if a particular user is paid or not. So whenever the user logs in your app next time you can get the status of the logged user.
Once you get the status of the logged user you can enable or disable ui elements.
I hope this made some sense.
The Dynamics documentation is just awful and I couldn't find an answer to this simple question:
In the web version of the CRM, is it possible to register a web page that can be toggled by the user and that itself has an internal state (updated regularly by an interval set with setInterval) that will persist even if the users closes the page (not the entire CRM, just the sub-page)?
We need the user to provide some information for a CTI integration, and this background process to keep alive the CTI session by polling an API while the user session is active. In addition, we need to reuse the component where the user provides the CTI information to be notified if the session fails and restore it or close it if necessary. The real purpose for this is to make a screen pop (push content information about the incoming call to the agent) which I know can be done using Xrm.Utility, although doing it with a REST API method would be much better, RouteTo Aciton looks like the best method to do this, but I'm not sure it will proactively show the item in the user's browser.
I'm not sure this question is as simple as you suggest, it seems relatively complicated, and involves an integration. I'm not suprised the Dynamics documentation doesn't provide an answer for this specific and unique scenario.
I don't believe there is any single feature within Dynamics that will meet this requirement.
You could use a HTML web resource or a web page from a seperate web site iframed into CRM. I think the possible use of these depends on your expected user experience; I believe the user would need to have the page loaded at all times showing these controls (e.g. user is looking at a dashboard) - I don't see how the controls could interact with the user client side otherwise. You could show the controls in multiple places however.
Xrm.Utility is one way to open a record, but it can also be done by Open forms, views, dialogs, and reports with a URL.
RouteToAction looks like it just adds a record into the user queue, the user would need to refresh the queues to see the changes. I don't believe there is any way for a server side REST API call to natively redirect the user.
You could add JavaScript to do this, however you might struggle to add the JavaScript into every page of CRM.
Where I have worked on a CTI integration in the past (assuming you mean computer telephony integration), we always had some other component doing the screen pops - the client's all had a desktop app installed as part of the telephony solution.
Perhaps you could look into browser notifications, or a browser plugin?
I am working on a web application where many people are supposed to connect and one is going to act as an admin. The users can only proceed to the next stage if the admin has allowed the access.
At the moment, I am wondering how should I realize the access control.
In the first version, I was doing an ajax get request when a user clicks the next button, and then if a specific word is present, I proceed. The admin was supposed to modify the page manually. Now I would like to automate it and make it more user-friendly (as the admin does not go to the code manually modifying).
My idea is, there is going to be radio boxes which by clicking, the admin can allow or disallow access. However, to achieve this, my idea was to make an ajax post request to the server when admin selects one and then modifying some keyword in a hidden page. Is this approach feasible or am I completely wrong?
Thank you for your time.
Does the users login first to proceed e.g how they access the system ? A user whom access you wanted to restrict must have something unique associated to it. And you can have his/her data updated upon access update through radio buttons. Any particular user connects to the system only his/her access rights are checked into the system
Okay, so I found a solution to my problem.
First, the hidden page which is only used as a "signal" telling if the users can proceed, renders yes or no. When the Admin selects yes/no radio button, then the app does an ajax post request to my server, saves the value and renders the hidden page with it.
I want force users to first click on some links and then go to a specific address. How can I terminate traffic sources that are direct in the second page? Or is there any way to only accept requests that are from specific a url?
Note: if there is something wrong, I want the page not to be viewable.
Thank you
What you could do is use the document.referrer property, and check weather or not the url matches the first page. Something like this, perhaps:
if (document.referrer !== 'http://www.google.com')
{
window.location.href = 'http://www.google.com';//redirect to first url
}
As Bergi pointed out in his answer: this kind of functionality is really better left to the server side. Though suggesting cookies is, as far as I'm concerned, not the ideal way of doing this, since cookies can be turned off client side, or WCS, tempered with.
Depending on which server side technology you're using, it might pay off to read up on all tools you have at your disposal to play with the request the user sends to your application, and take appropriate actions accordingly.
You should set a cookie in the first page that the user is allowed to view the second one.
Then your serverside application would check the cookies before delivering the second page, and otherwise redirect or show an error message.
You should not do such things via JavaScript (which includes the jQuery library), elsewhile everybody who disables JS could view the page.
I want to create a popup which is easy, but here's thing, I want to hide it if you become a paid member, and I want it to appear again if you don't subscribe the next month, I am using the paypal button html code and not the ipn, the paypal button is in the account section of the site, well if you want I can put it in the pop-up and i can use the ipn if i have to, instead of the html code just want someone to guide me on how it's done
You're going to need some sort of user authentication to see if someone has purchased your product or not. This should be handled with a server-side language (PHP, Ruby, etc.) and you can change the layout of your page based on whether the user has authenticated or not.
If you don't have any server-side code, you could use cookies that are saved when you receive a successful callback from PayPal, but that isn't going to be very reliable because they won't be found if the user changes browsers or computers.
If you dont want to use a back-end then use cookies. If they have correct values stored in the cookie, use javascript to hide or change the elemts on the page