I have a page where users can modify their own records in my database. This works well, but i'm trying to tidy up all the security flaws. As you can see from the code below, This page gets data using a querystring parameters. At the moment, anyone can change this query string and edit any record.
How do i incorporate a check using the "RequireAuthenticatedUser" and the matching UserID field in the PropertyInfo table?
Current code:
#{
Layout = "~/_SiteLayout.cshtml";
WebSecurity.RequireAuthenticatedUser();
var db = Database.Open("StayInFlorida");
var rPropertyId = Request.QueryString["PropertyID"];
var Propertyinfo = "SELECT * FROM PropertyInfo WHERE PropertyID=#0";
var qPropertyinfo = db.QuerySingle(Propertyinfo, rPropertyId);
}
Presumably, your PropertyInfo table also holds the property owner's user ID? If so, just include it in the WHERE clause and pass in the CurrentUserId value:
var PropertyInfo = "SELECT * FROM PropertyInfo WHERE PropertyId = #0 AND UserId = #1";
var qPropertyinfo = db.QuerySingle(Propertyinfo, rPropertyId, WebSecurity.CurrentUserId);
Related
I am updating a SharePoint list item using the ValidateUpdateListItem method of the client-side object model to prevent creation of a new item version. This basically works fine for all fields except the ones with person or group field type. Does anyone know what is the correct string representation of a user or group value to be used as FieldValue of an ListItemFormUpdateValue object? I have already tried everything that seems reasonable to me (user ID from User Info, login name, lookup-value like combinations of these data etc.) without any success.
I just ran into a problem where updating more than 12 person or group fields with item update caused it to throw an exception. Apparently this is caused due to the list view look up threshold in SP online (12 as of this date).
http://blog.vanmeeuwen-online.nl/2012/07/value-does-not-fall-within-expected.html
To work around that I used the ValidateUpdateListItem method to update the person or group ids. The trick is to assign it a json in the format of
[{"Key":"i:0#.f|membership|user#yoursite.onmicrosoft.com"}]
formValues.Add(new ListItemFormUpdateValue() { FieldName = "AssignedTo", FieldValue = "[{'Key':'i:0#.f|membership|user#yoursite.onmicrosoft.com'}]" });
For multiple values, it can be comma separated. Have not tried it with group but i think it should work.
Hopefully this can be useful for someone.
Unfortunately ListItem.ValidateUpdateListItem method does not support the update of user field value. For example, in the following example AssignedTo field will not be updated:
using (var ctx = GetContext(webUri, userName, password))
{
var list = ctx.Web.Lists.GetByTitle(listTitle);
var item = list.GetItemById(itemId);
var formValues = new List<ListItemFormUpdateValue>();
formValues.Add(new ListItemFormUpdateValue() { FieldName = "Title", FieldValue = taskName});
formValues.Add(new ListItemFormUpdateValue() { FieldName = "AssignedTo", FieldValue = userId.ToString() }); //not supported
item.ValidateUpdateListItem(formValues, true, string.Empty);
ctx.ExecuteQuery();
}
Instead consider ListItem.Update Method to update user field value as demonstrated below:
using (var ctx = GetContext(webUri, userName, password))
{
var list = ctx.Web.Lists.GetByTitle(listTitle);
var item = list.GetItemById(itemId);
item["Title"] = taskName;
var assignedToValue = new FieldUserValue() { LookupId = userId };
var assignedToValues = new[] { assignedToValue };
item["AssignedTo"] = assignedToValues; //multi-valued user field
item.Update();
ctx.ExecuteQuery();
}
case : Update field after select the customer name:
setting : 1 setting view that consist of database path :
DbServer: ServerOne/pcs
Directory: office
Database name : Customer.nsf
this xpages have a datasource inside, it call "document1"
// get the database path :
var vw3:NotesView=database.getView("Setting Path");
var doc3:NotesDocument=vw3.getFirstDocument();
var server:string = doc3.getItemValueString("DbServer");
var DName:string=doc3.getItemValueString("DbName");
var Directory:string=doc3.getItemValueString("Directory");
var DBName:string= Directory+"\\" +DName;
var db:NotesDatabase = session.getDatabase(server, DBName, false);
var vw:NotesView = db.getView("All Customer");
var doc:NotesDocument=vw.getDocumentByKey(document1.getValue("Customer"),true);
if (doc !=null) {
document1.setValue("Contact", doc.getItemValueString("Contact"));
document1.setValue("Telephone", doc.getItemValueString("Phone"));
document1.setValue("Fax", doc.getItemValueString("Fax"));
document1.setValue("Email", doc.getItemValueString("Email"));
}
Problem :
The field doesn't update and get the value from "customer" database.
I see a series of problems in your code:
Bind your input field to a scope variable, not to the document itself. It is a search string in the beginning, not part of the new document.
You don't check for the case that the customer wasn't found, so you never know if that was the issue.
I would rather use an URL and resolve instead of server / path / database (but that's a little style
So something like (typed off my head, will contain typos):
var vw3:NotesView=database.getView("Setting Path");
var vwe3 = vw3.getFirstEntry();
var db = session.resolve(vwe.entries[0]);
var vw:NotesView = db.getView("All Customer");
var doc:NotesDocument=vw.getDocumentByKey(viewScope.customer,true);
if (doc !=null) {
viewScope.result = doc.getUniversalID();
document1.setValue("Contact", doc.getItemValueString("Contact"));
document1.setValue("Telephone", doc.getItemValueString("Phone"));
document1.setValue("Fax", doc.getItemValueString("Fax"));
document1.setValue("Email", doc.getItemValueString("Email"));
doc.recycle()l
} else {
viewScope.result = "Not found!";
}
// ADD recycle() calls here!!!
Bind a display only field to viewScope.result, so you have a better idea what is happening. Your view must be sorted and indexed by customer name.
Of course you could use the OpenNTF dialog list control instead.
I have a notes form with a rich text field on it, called "Body". I've set the "Storage" property of the field to "Store contents as HTML and MIME".
Now, I am creating a new document with that form in the Notes Client.
However, if I try to access the rich text field's value in SSJS with NotesRichTextItem.getMIMEEntity(), it always returns null.
Am I missing something?
Thank you for your help in advance.
Update 2: 02/12/2015
I did some more testing and I found the cause, why it won't recognize the rich text field as MIME Type, but rather always returns it as RICH TEXT:
The cause is me accessing the database with "sessionAsSigner" rather than just using "database".
If I remove "sessionAsSigner" and use "database" instead, making the XPage unavailable to public access users, so, I am forced to log in, the code recognizes it as MIME Type and I can get a handle on NotesMIMEEntity.
Unfortunately, the XPage has to be available to public access users and I have to use sessionAsSigner.
When I open the document properties and I look at the rich text field, I can see that the "Field Flags" are "SIGN SEAL". My guess is, that's why sessionAsSigner doesn't work, but it is just a guess.
Any ideas?
Update 1: 02/12/2015
Here is the code I am using in my SSJS:
var oDBCurrent:NotesDatabase = sessionAsSigner.getDatabase(session.getServerName(), session.getCurrentDatabase().getFilePath());
var oVWMailProfiles:NotesView = oDBCurrent.getView('$vwSYSLookupEmailProfiles');
var oVWPWResetRecipient:NotesView = oDBCurrent.getView('$vwPWPMLookupPWResetNotificationProfiles');
var oDocPWResetRecipient:NotesDocument = null;
var oDocMailProfile:NotesDocument = null;
var oDocMail:NotesDocument = null;
var sServer = session.getServerName();
oDocPWResetRecipient = oVWPWResetRecipient.getDocumentByKey(sServer, true);
oDocMailProfile = oVWMailProfiles.getDocumentByKey('.MailTemplate', true);
oDocMail = oDBCurrent.createDocument();
//Set default fields
oDocMail.replaceItemValue('Form', 'Memo');
oDocMail.replaceItemValue('Subject', oDocMailProfile.getItemValueString('iTxtSubject'));
oDocMail.replaceItemValue('SendTo', oDocPWResetRecipient.getItemValue('iNmesRecipients'))
//Get body text
var oItem:NotesItem = oDocMailProfile.getFirstItem("Body");
var entity:NotesMIMEEntity = oItem.getMIMEEntity();
//Create email body
var tmp = entity.getContentAsText();
//Replace <part2> with part 2 of the password
tmp = #ReplaceSubstring(tmp, "<part2>", sPWPart2);
//Set content of Body field as MIME type
var body = oDocMail.createMIMEEntity();
var stream = session.createStream();
stream.writeText(tmp);
body.setContentFromText(stream, "text/html; charset=iso-8859-1", 0);
//Send email
oDocMail.send();
As I mentioned before, I've also tried:
var oDBCurrent:NotesDatabase = sessionAsSigner.getDatabase(session.getServerName(), session.getCurrentDatabase().getFilePath());
var oVWMailProfiles:NotesView = oDBCurrent.getView('$vwSYSLookupEmailProfiles');
var oVWPWResetRecipient:NotesView = oDBCurrent.getView('$vwPWPMLookupPWResetNotificationProfiles');
var oDocPWResetRecipient:NotesDocument = null;
var oDocMailProfile:NotesDocument = null;
var oDocMail:NotesDocument = null;
var sServer = session.getServerName();
oDocPWResetRecipient = oVWPWResetRecipient.getDocumentByKey(sServer, true);
oDocMailProfile = oVWMailProfiles.getDocumentByKey('.MailTemplate', true);
oDocMail = oDBCurrent.createDocument();
//Set default fields
oDocMail.replaceItemValue('Form', 'Memo');
oDocMail.replaceItemValue('Subject', oDocMailProfile.getItemValueString('iTxtSubject'));
oDocMail.replaceItemValue('SendTo', oDocPWResetRecipient.getItemValue('iNmesRecipients'))
//Get body text
var entity:NotesMIMEEntity = oDocMailProfile.getMIMEEntity('Body');
//Create email body
var tmp = entity.getContentAsText();
//Replace <part2> with part 2 of the password
tmp = #ReplaceSubstring(tmp, "<part2>", sPWPart2);
//Set content of Body field as MIME type
var body = oDocMail.createMIMEEntity();
var stream = session.createStream();
stream.writeText(tmp);
body.setContentFromText(stream, "text/html; charset=iso-8859-1", 0);
//Send email
oDocMail.send();
Try calling sessionAsSigner.setConvertMime(false)
You get the MIMEEntity from the document, not from the Richtext item. See an example here (starting at line 103): https://github.com/zeromancer1972/OSnippets/blob/master/CustomControls/ccSnippets.xsp
You should set the session to not convert MIME to RichText.
Add this at the start of your code.
session.setConvertMime(false);
I'm having a play around with the client side object model and apps for SharePoint Online. I can retrieve the information from a Person and Groups field using a FieldUserValue object, however, how can I determine from this if the value entered is simply a user, or a SharePoint group?
As far as I can tell, the FieldUserValue only has a LookupId and LookupValue as its properties, which doesn't specify if it is a group or not. Have I gone the wrong way about this and is there a much better way of querying the field and checking if the value is a user of SharePoint group?
Thanks
You could determine whether the user field value is User or Group by getting Content Type of List Item in User Information List:
public static string GetUserFieldType(ClientContext ctx,FieldUserValue value)
{
var userInfoList = ctx.Site.RootWeb.SiteUserInfoList;
var userInfo = userInfoList.GetItemById(value.LookupId);
ctx.Load(userInfo,i => i.ContentType);
ctx.ExecuteQuery();
return userInfo.ContentType.Name;
}
Usage
Assume a List contains single-valued User Field, then:
using (var ctx = new ClientContext(webUrl))
{
ctx.Credentials = CreateSPOCredentials(userName, password);
var list = ctx.Web.Lists.GetByTitle(listTitle);
var listItem = list.GetItemById(itemId);
ctx.Load(listItem);
ctx.ExecuteQuery();
var userVal = listItem[fieldName] as FieldUserValue;
var type = GetUserFieldType(ctx,userVal);
var isUser = type == "Person";
var isGroup = type == "SharePointGroup";
}
In an odata webapi call which returns a PageResult I extract the requestUri from the method parameter, manipulate the filter terms and then construct a new ODataQueryOptions object using the new uri.
(The PageResult methodology is based on this post:
http://www.asp.net/web-api/overview/odata-support-in-aspnet-web-api/supporting-odata-query-options )
Here is the raw inbound uri which includes %24inlinecount=allpages
http://localhost:59459/api/apiOrders/?%24filter=OrderStatusName+eq+'Started'&filterLogic=AND&%24skip=0&%24top=10&%24inlinecount=allpages&_=1376341370337
Everything works fine in terms of the data returned except Request.GetInLineCount returns null.
This 'kills' paging on the client side as the client ui elements don't know the total number of records.
There must be something wrong with how I'm constructing the new ODataQueryOptions object.
Please see my code below. Any help would be appreciated.
I suspect this post may contain some clues https://stackoverflow.com/a/16361875/1433194 but I'm stumped.
public PageResult<OrderVm> Get(ODataQueryOptions<OrderVm> options)
{
var incomingUri = options.Request.RequestUri.AbsoluteUri;
//manipulate the uri here to suit the entity model
//(related to a transformation needed for enumerable type OrderStatusId )
//e.g. the query string may include %24filter=OrderStatusName+eq+'Started'
//I manipulate this to %24filter=OrderStatusId+eq+'Started'
ODataQueryOptions<OrderVm> options2;
var newUri = incomingUri; //pretend it was manipulated as above
//Reconstruct the ODataQueryOptions with the modified Uri
var request = new HttpRequestMessage(HttpMethod.Get, newUri);
//construct a new options object using the new request object
options2 = new ODataQueryOptions<OrderVm>(options.Context, request);
//Extract a queryable from the repository. contents is an IQueryable<Order>
var contents = _unitOfWork.OrderRepository.Get(null, o => o.OrderByDescending(c => c.OrderId), "");
//project it onto the view model to be used in a grid for display purposes
//the following projections etc work fine and do not interfere with GetInlineCount if
//I avoid the step of constructing and using a new options object
var ds = contents.Select(o => new OrderVm
{
OrderId = o.OrderId,
OrderCode = o.OrderCode,
CustomerId = o.CustomerId,
AmountCharged = o.AmountCharged,
CustomerName = o.Customer.FirstName + " " + o.Customer.LastName,
Donation = o.Donation,
OrderDate = o.OrderDate,
OrderStatusId = o.StatusId,
OrderStatusName = ""
});
//note the use of 'options2' here replacing the original 'options'
var settings = new ODataQuerySettings()
{
PageSize = options2.Top != null ? options2.Top.Value : 5
};
//apply the odata transformation
//note the use of 'options2' here replacing the original 'options'
IQueryable results = options2.ApplyTo(ds, settings);
//Update the field containing the string representation of the enum
foreach (OrderVm row in results)
{
row.OrderStatusName = row.OrderStatusId.ToString();
}
//get the total number of records in the result set
//THIS RETURNS NULL WHEN USING the 'options2' object - THIS IS MY PROBLEM
var count = Request.GetInlineCount();
//create the PageResult object
var pr = new PageResult<OrderVm>(
results as IEnumerable<OrderVm>,
Request.GetNextPageLink(),
count
);
return pr;
}
EDIT
So the corrected code should read
//create the PageResult object
var pr = new PageResult<OrderVm>(
results as IEnumerable<OrderVm>,
request.GetNextPageLink(),
request.GetInlineCount();
);
return pr;
EDIT
Avoided the need for a string transformation of the enum in the controller method by applying a Json transformation to the OrderStatusId property (an enum) of the OrderVm class
[JsonConverter(typeof(StringEnumConverter))]
public OrderStatus OrderStatusId { get; set; }
This does away with the foreach loop.
InlineCount would be present only when the client asks for it through the $inlinecount query option.
In your modify uri logic add the query option $inlinecount=allpages if it is not already present.
Also, there is a minor bug in your code. The new ODataQueryOptions you are creating uses a new request where as in the GetInlineCount call, you are using the old Request. They are not the same.
It should be,
var count = request.GetInlineCount(); // use the new request that your created, as that is what you applied the query to.