I'm not sure what is the best practice.
I have some big and complex objects (NOT flat).
In that object I have many related objects - for example Invoice is the main class and one of it's properties is invoiceSupervisor - a big class by it's own called User.
User can also be not flat and have department property - also an object called Department.
For example I want create new Invoice.
First way:
I can present to client several fields to fill in. Some of them will be combos that I will need to fill with available values. For example available invoiceSupervisors. Then all the chosen values I can send to server and on server I can create new Invoice and assign all chosen values to that new Invoice. Then I will need to assign new supervisor I will pull the chosen User by id that user picked up on server from combobox. I might do some verification on the User such as does the user applicable to be invoice supervisor. Then I will assign the User object to invoiceSupervisor. Then after filling all properties I will save the new invoice.
Second way:
In the beginning I can call to server to get a new Invoice. Then on client I can fill all chosen values , for example I can call to server to get new User object and then fill it's id from combobox and assign the User as invoiceSupervisor. After filling the Invoice object on client I can send it to server and then the server will save the new invoice. Before saving server can run some validations as well.
So what is the best approach - to make the object on client and send it to server or to collect all values from client and to make a new object on server using those values ?
Think in terms of complexity of your business processing.
What you need is the client creates a new invoice. To do this, the client provides several different input parameters, calls the process and gets the response. This is your first scenario. Simple and clear.
On the other hand, the second approach involves a communication protocol - give me this, I give you something as a response, then give me something else. This sounds unreasonably complicated. You'd have to carefully inspect what happens when the communication breaks at some point. Should a distributed transaction be involved? If yes, do you really need such complexity?
I would opt then for the first scenario. You don't unnecessarily complicate the contract between the client and the server.
Related
I am creating a hopping website, and when someone creates an order and checks out, I want the following information to be sent to me, via email or some other method. There are a few pieces of data I would like to send (see below). The website is also static fyi.
I would like to send The Price they spent - a string, a list of all the items(I have an array of objects containing the data), and the shipping type - a string.
I also don't mind how the data is sent, as I'm the only one who needs this info.
Thanks!
I'm building a to-do list and one of the problems I'm facing is verifying that the correct to-do is checked off. I thought of using unique IDs for each and every to-do but a user can simply change the ID to that of another task. What can I do to make sure that the user does not temper with the checking off of tasks?
My flawed process:
User checks off task --> get task ID --> match ID on the backend
EDIT:
All the tasks are created beforehand. And user does not have the ability to create new ones.
If this is ever touching your backed server, you should always assume your users are sending you garbage data or trying to hack your system.
In short: Always Validate Inputs from an untrusted source.
Some languages, i.e., C#, offer model validation as part of the processing pipeline, so some initial model validation by the time it reaches your action/controller.
In this case, the user sends you an ID and an action to do with the task:
{
Id: "15f52b9f-3a09-4e56-adcf-c837ca4c92eb",
Status: "completed"
}
You should validate:
The Item Exists.
The item belongs to the user
The user has permission to edit this item
The status is a valid type (they could send you "blah" as a status)
If any of these fail, you send an error message to the user (or 400 error and a message telling them whats wrong)
Edit: After reading some comments below:
There is one simple rule. Never trust the user, the user input or anything you cannot 100% control.
In the world of web, never trust anything in, around, or sent from the browser. The user has complete control over it including cookies, DOM, localstorage etc.
When handling user input, always validate it on the server no exceptions.
You can always double validate, i.e., validate on the client side and on the server side, but the client side is limited to basic business rules of the data or data format (example, MM/DD/YYYY format for dates or numbers must be less than 1000)
You can do them on the front end, but you STILL need to validate them on the back end.
Seeing as the tasks are created before hand then each should be handed a unique Immutable ID. To implement this in Javascript use:
Object.freeze()
According to Mozilla Developer Network:
The Object.freeze() method freezes an object: that is, prevents new properties from being added to it; prevents existing properties from being removed; and prevents existing properties, or their enumerability, configurability, or writability, from being changed, it also prevents the prototype from being changed. The method returns the passed object.
A link to the documentation is here
The way it works not is that when I call for:
client.record.getRecord('a_new_record');
it will call the server with action 'CR' (see http://deepstream.io/docs/constants.html#Actions for reference) but I only want the client to be able to read and not create a record, even if it doesn't exist.
The reason for this is that I don't want the client to be able to create unlimited records. I want to control this on the server instead.
I can split the action received if it is 'CR', then create the specific record if it doesn't exist and then the client can request the record but I don't really want to hack it this way.
So the question is: Is there a way to send only 'R' when the client tries to fetch a record, or does it have to send 'CR'?
I solved this by using an RPC instead that creates a document in the database and then respond with the newly created ID. That way the client can get the new record directly by its ID.
I'm designing a client-server system, and i need to understand how to check if the client's data is correct when they send operations and requests. In this particular case, i've got a browser and a javascript client that gets data from longpolling and updates a series of objects wich get binded to html elements, pretty much MVVM.
The steps are something like this:
start polling
get full data
convert the json into a javascript object
update every html object tied to the data
The user can fire an event at any time and works with the latest updated local model.
user fires event
event + full data(all objects converted to json) is sent
Problems are: It's very rough and possibly slow, heavy on the client and the server.
My objectives are to reduce the data transfer to a minimum, and avoid client side corruption/attacks.
How should i go about this?
My objectives are to reduce the data transfer to a minimum
Send only the data that's changed, but the highest cost in AJAX is the request, so unless you are sending a lot of data, it may not make any noticeable difference.
and avoid client side corruption/attacks
Impossible. Your code is running in a browser, the user can do whatever they want.
My objectives are to reduce the data transfer to a minimum
Some things to try:
Reduce the number or frequency of client events that send an update
Send only what data has changed
Compress the data you send
bundle several events into a single request
and avoid client side corruption/attacks.
To avoid attacks, you need to validate all input on the server. You should write your validator without knowledge of the client. You can assume nothing about what combination of data you can get--instead you should assume that someone is hand-crafting requests with a text editor and sending them with CURL.
To avoid corruption (really a "lost update"), use conditional PUTs or POSTs with the if-none-match or if-unmodified-since headers.
There is the store with direct proxy. I want to create new record. Direct proxy sends it to server and recieve sended data width NEW ID. I want to insert this ID in the grid, but...
Added record shows for a moment and then It become nulled (all field are null). I see null id and nothing more. How to update that record (or do any action) to see it in the grid correctly with new id?
I don't think you need to anything special to insert record to the grid. The way ExtJs base store/proxy classes work is this - when store send update to the remote server it will try to parse new records from the response. And it should automatically replace existing records in your store object (which to this moment will already have new record, but without Id and with phantom = true).
So you need to make sure that response you're receiving from the server does contain new record and that your proxy is configured properly to parse it from the response.