I have an MVC app that is basically one page with a bunch of AJAX calls that parse returned JSON and then using jQuery will populate the page. So, for example, if I call /API/Users/List it will return some JSON and then I'll parse that and dynamically create an li element for each user. Then, I put an edit link next to each user name and hook it up to do the necessary editing (jQuery with another AJAX call).
What I'm curious about is how I would go about showing/hiding the edit link based upon role. I have a strongly typed view and can populate hidden fields with user info (<input type=hidden name=UserID value=jsmith /> <input type=hidden name=Role value=Admin />), and of course, can always validate the user in the Controller that the edit action posts to, but, I'd like to know if there is a way to ON THE CLIENT verify that the hidden field hasnt been tampered with so that someone doesn't save the file offline, change the hidden field for Role and then now they can see the edit links when they are not supposed to.
In this contrived example, not much harm comes from being able to see the edit links if they cannot do anything, but there are some calls where I pass the role to an API call and it returns data that is flagged as "private" in the database that shouldn't be seen without the correct privileges.
So, basically, the question becomes "is there any way to exchange data between the ASPX page and the JavaScript that then calls the API without it being just stored in a hidden field that could be tampered with?"
Thanks,
You should not pass the role as a parameter of an ajax call.
The action method itself should determine the role of the user.
Related
I am trying something different to check if it is feasible. Otherwise best alternative way is to send data using querystring.
I have a html page which has list of students. when user clicks on perticular student for edit, this html page should take student ID and redirect to another html page, which will load respective student details for editing.
Here, I want to send data using "POST" method to hide studentID from URL (querystring), so I created a hindden form (method="POST" action="edit.html")on list html and put one hidden field under it. on lcik of edit button on list, I am setting value to hidden field & submitting form.
Now this redirects properly to edit html page and also when I see this flow in chrome developer tool, I can see this form value under headers sections - Form data. Now I am trying to fectch this form data on edit html page load e.g. in JQuery under document ready function or simple in javascript.
with alternative option if I create hindden form (method="GET" action="edit.html") then the hidden field value which I am setting is showing up in query string and also in chrome developer tool, it is showing under headers - query string parameters. This query string parameters can easily be accessed using location.search and then play around and will get expected value.
Here id I have taken just example, however in actual scenario, I need to send multiple values or may be objects which I dont want send thrugh query string. So I thought to submit form with POST method and retrive values on next HTML page load thrugh javascript on jquery.
HTML
<form style="display: none" action="jquerywebapidoestudenteditpoc.html" method="post" id="formEdit"> <input type="hidden" id="id" name="id" value="" /> </form>
JQuery
$(document).on("click", ".edit", function () { var id = $(this).data("id"); $("#id").val(id); event.preventDefault(); $("#formEdit").submit(); });
If anyone came accross this situation or implemented it in very appropriate way, would be very good.
In other words, I would like to implement is:
list.html will post data to server (.NET Web API)
At same time list.html will redirect to edit.html
On load of edit.html, response from server will be loaded on page.
Query string is part of the "identifier" of the subsequently loaded page (or any other resource). As such, it is accessible from the page. Data sent in the body of a POST request are different - they are meant for the server only and are inaccessible from the subsequently loaded page.
However, if you wish to make the data sent using POST available to the next page, you can always inject it into the page manually. Using PHP (as an example), it could look something like this:
<script type="text/javascript">
var postData = <?php json_encode($_POST); ?>;
</script>
If you just want to pass data from one page to another and leave the server out of it, you may either use GET (query string) for exposed communication or use cookies for "hidden" communication.
Bsically, what I understood after going through lot many blogs ans sites, I have to have a client controller (javascript based) which will take care of which view has to load and post data.
This I was able to achieve using AngularJS, where I can configuration can be done for routing and by same, I can post data & receive its whatever output on another view/ form (so called page).
e.g.
$routeProvider.when("/orders", {
controller: "ordersController",
templateUrl: "/app/views/orders.html"
});
AngularJS Rocks !!!
Say, I have a simple form on my website having three fields : name, password and email.
I have to get these information from the users, and keep in my database.
Then redirect to another website and send all these information using post.
I also have to know whether the user was successfully redirected to that site(HTTP STATUS 200).
Here's how I'm doing it:
For Point 1, I'm simply submitting the form.
After the data has been successfully saved in my database, I'm rendering the following form with hidden fields. This gets submitted and user gets redirected to anotherwebsite.com
<form id="form_id" action="https://www.anotherwebsite.com/form" method="POST">
<input type ="hidden" name ="name" value ="$name">
<input type ="hidden" name ="password" value ="$password">
<input type ="hidden" name ="email" value ="$email">
</form>
<script> document.getElementById('form_id').submit(); </script>
Problems:
I don't think my strategy to achieve point 1 and 2 is correct. I need a better solution. Submitting the form, then rendering a page with hidden fields and submitting it again to redirect to another site just doesn't feel right.
I have no clue to achieve the 3rd point.
Based on your question you might try this approach:
create a form with name, password, email fields in a file ( HTML ).
Submit the form to server.
On the server side get the data (including the form attribute in a variable) and save it to database.
then redirect to the given website ( using the variable you've stored in step 3 ).
You can easily know the status ( 202 or any error) using any of server side scripting language.
If you are sending the user to another website, the only way to know that the user was successfully redirected is for that website to notify you in some manner. Once the user leaves your page (and that's what a redirect is - it tells the browser "leave this URI and go to this URI instead"), the scripts on that page stop running, so they can't collect any further information.
If you just need to know that the information was submitted successfully, your script could POST the data in the background, wait for a 200 response, then redirect after the information has been submitted. But that may not meet your requirements, since you still won't know if the redirect succeeded.
Another possibility which does allow you to know whether the page on the other site loaded correctly would be to open it in a new browser window/tab instead of redirecting. This is the only way to keep your page active (and, thus, your scripts able to run) while loading another page. However, it introduces other issues, like what to do with the original page. (Leave it open in the background (likely to confuse the user) or close itself after seeing that the new URI has loaded (could cause undesirable visual artifacts as one window/tab opens and then the original one closes; destroys browser history)?)
If at all possible, having the final destination site notify you when the transaction completes is almost certainly the best way to go.
To achieve point 3 you need to use cookies if you are actually trying to implement a login-cum-membersarea system. Othewise, you simple need a redirect inside a condition statement.
my $cgi = CGI->new;
if (condition) { print $cgi->redirect('https://www.examplesite.com/file.html') }
for a general way of doing point 1-2, you can look at the tutorial here:
http://practicalperl5.blogspot.com/
I'm trying to create an online store, and this is my first HTML endeavor (I've got the basics but that's all).
Basically, I need to know the code required to save a customers selection when they click a checkbox.
Then I need to be able to search for that data on a cart page and pull up the value.
Here is the code for one of my checkboxes:
<li><INPUT TYPE="Checkbox" Name= "printoptions" Value ="79.99">18” x 24” - $79.99*</li>
If they select this checkbox, what coding do I need to be able to get that value to show up on a separate page?
Unfortunately using HTML alone you cannot save information as HTML is just a markup language and can only display information.
In order to do something with the data you will need to use another language such as PHP, Ruby or Python.
In order for the data to be saved in any way, it needs to be either sent to a server where the information will be stored in a file or database (server side), or the data can be saved into a cookie (client side), or it can be kept displayed on the next page using either POST or GET.
In PHP you need to define an "action" and a "method" for the information to be saved in anyway. For example, if you wanted to POST the information being input to the next page, you would put:
<form action="process.php" method="post">
I recomend using tizag.com to learn PHP as it teaches you the basics and enough to create a web form.
Good luck.
Let's say I have an input box, on the client-side, I want to access the value of this input box and check if it exists as a record in a model. If so, I want the data to be shown. However, I want this to be done without clicking a submit button/reloading the page.
Can someone show me some sample code?
Sample code is very much frowned upon in these parts, I can give you an outline of what you could do. Use jquery to get the value of the input box, and submit this using an ajax request to some url. Map that url to a controller action that checks to see if that record exists in the db, and return some json that indicates whether it does or not. Then in your javascript, when the data is returned, you can display that to the user.
I want to pass javascript object/ variable from page to another. so that i can use data for some fields, i want this values to be hidden and not visible while i my passing value from one page to another
I have already seen many examples of pass via http parameters, i dont want that and also session variables manage on server side, cause nothing has to be manage on sever side for that page.
i want to pass value as a hidden field or value to next page. how to pass it to new page when i open new page via
window.location="website/nextpage.jsp";
Also a note, i am beginner, so please sorry if the question seems to vague.
You can:
Use hashes in the url by reading the window.location.hash. Similar to GET requests, but does not need the server for passing. However, the parameters are visible in the url.
Using cookies. Have JS "plant" the cookies on the previous page and read them on the receiving page.
You could use DOM storage as well. Similar routine as cookies, plant and read.
Assuming you do not want to use session variables, cookies or local storage:
You can not "hide" a parameter so that your website user will not be able to see it.
If you submit data via a POST request - you can use hidden form elements.
<form method="post">
<input type="hidden" name="state" value="{YOUR PARAMETER}" />
If you use window.location - you will have to do it with a GET request
window.location="website/nextpage.jsp/param/{YOUR PARAMETER}";
I don't know about JSP specifically, but using a form with POST method hides data from (standard) users.
why dont you use html5's localStorage and sessionStorage for the purpose. for more help visit here