Confirmation dialogs in Yesod - haskell

What is the simplest way to make a confirmation dialog in Yesod? In some cases, when a form is posted, I want to ask for confirmation before carrying out the action. I imagine this working by sending the user a separate confirmation page, and then processing the posted data if the 'Yes' button is pressed.
I think this should be possible, using functions like setUltDestReferer. The question is, what is the easiest/most typical way to do it in Yesod? Ideally it should boil down to a single function call in the handler, like requireAuth does.

If I understood this right, you want something that will
Render some confirmation page and abort further processing of the request.
Have the "Yes" button link back to this handler and set a flag.
If the flag is set, do nothing and continue with the request instead.
This immediately raises the question of how the original form data should be carried along. There are ways of solving this, e.g. by storing it in the session or by including it URL encoded in the "Yes" link.
The latter approach works, but can be a bit messy. The former can cause problems when users hit the back button, open links in new tabs and so on. This comes from the stateless design of HTTP.
Instead, it might be cleaner to create a new AJAX handler and add some JavaScript that
Calls the handler to check if confirmation is needed.
Shows the confirmation if that was the case.
If the user clicked "Yes", proceeds with submitting the form as you normally would.

I recommend you go with #hammar's approach, I think it's the best. If for some reason AJAX isn't an option, you can consider putting a hidden form on the confirmation page containing the form data submitted from the first page. This should be fairly trivial using runRequestBody.

Related

Xpages dropdown menu resubmission on SSJS submission using submit value property

Just for reference before mentioning the problem I would like to say that I have asked to same question on IBM Lotus forum(http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=2AD7C8F89D8930E685257BD50022A9E9) and I have not received any reply for the same in last 2 weeks.
So, I have a typical xpage dropdown menu with say around 40-50 leaf nodes, Every leaf node submits a specific value (using submitValue property) which is then evaluated and action is performed. However, the problem is that, after the action is performed if I try to refresh the page i get the browser notification for re-submission (I believe that it is some kind of programming error by me, however I don't know how to resolve it.)
One example to make it more clear:
I have a delete node inside the dropdown. It basically deletes the selected entries from the view(generated using repeat control) and then refreshes the view content. But at this point of time if I try to refresh the page then I get the notification of re-submission by the browser. If I accept it, then it tries to delete it again (which I prevent it but still this shouldn't happen) and if I don't accept it, it just doesn't refresh the page.
Any reply would be appreciated.
Thank you in advance. Hoping to hear some suggestions. (Please let me know if event he code is required)
I believe you need to implement the Post/Redirect/Get pattern to avoid re-posting on refresh.
Here's a solution by Tommy Valand for XPages for that pattern: http://dontpanic82.blogspot.dk/2010/06/xpages-avoid-saving-duplicate-documents.html

How to provide command line arguments using HTTP under Node

Is it possible to pass command line arguments using HTTP under Node.js? This seems like a simple thing to do but I can not seem to find out how or if it is even possible. I am struggling a little with the async nature of node so may be missing something fundamental here!
Thanks,
Will
You have a few choices of how to pass state info from one script to another. One of the simplest and most portable has been around since the beginning - when you get the user data posted from page1, send it along in hidden form elements of page2. Then a post of page2 will have the user input on the new form elements and automatically include the hidden form element values as well. Of course you can use the data in the page1 post to otherwise determine what goes on page2. And so on to page3, etc.
The other common choice is cookies. You leave a cookie on the user's browser when they view page1 and then query the browser for it in your code for page2. This is totally portable in modern browsers, but the user can turn off cookies and then it won't work.
Another option is session variables in your node.js scripts. These are pretty easy to work with, but some servers use cookies behind the scenes and they could be off. You might want to read up on that one.
None of those 3 require use of JavaScript on the browser which is required for the Ajax option. In this single page mode you can keep all the state info you want in the JavaScript code because the page never gets reloaded. That gets a little tougher for a beginner and there's also the possibility that Javascript is off. If you are developing a rich, interactive app, you can expect your users to have JS enabled. But for a website with a few pages to sequence to casual visitors it may not always be on.
So, I'd suggest you try the hidden form elements to get started. Something like:
<input type="hidden" name="whatever" value="data-from-page1-post" />
If you put that onto a form in page2, it will come back in the post.
Have fun...

Editing a closed case

I have a ribbon button on the case entity that updates a single two-option field on the form via javascript. When this is used on a case that has been resolved/closed it returns an error as the form is now read only.
Is there a way in javascript that I could get it to re-activate the form, change the field and then put it back to the way it was before? I have tried to force the change on the form but even if i manage to make it appear that you can save it, it will return the error as the form record is still counted as de-activated, even though you can change the fields
Thanks
You should be able to use a SOAP call for this, its a little involved, I would suggest starting here. You have to generate XML that represents the request, the link provides some tools to do this.
I believe you will need to issue JavaScript versions of SetStateRequest (to open) and CloseIncidentRequest (to close).
On the other hand, which is a different approach entirely, is to disable the button when the record is deactivated, then users have to manually renable the record make the change and close again. This is closer to 'working with the system' which I have touched upon here, its a different situation but the principle still applies.

can you be hacked from commented out html form?

If I have an html form commented out using <!-- form -->
Which has some input fields that are not sanitized, can someone use those to do bad queries to the db? For example with firebug, can someone remove <!-- and use those input fields to do something nasty?
Depending on the script handling the form, a person can certainly create a local copy of that form without the comments. Indeed, if they know what the input names and semantics are, they can create their own form altogether. There's no good way of detecting whether or not a form submission is from your form or something else masquerading as it.
All the info you send to the user can be modified by him, so if you don't want him to see that info, don't comment it out, just remove it or comment out with php.
And if your database is able to receive 'bad' queries is that something is wrong coded, because an user can post his own data even if you don't send him any form to do so. You have to add server sided security (Authentication, checking user rights, sql injection...) even if your HTML don't allows it, because server side code can't be modified by user.
Not sure, but I'd check it this way: edit the HTML from the browser's element inspector and uncomment it. If then you can use it, you can be hacked.

Possible reasons for a browser executing GET rather than post

One of our most common error situations in a web application is that a user executes a GET request where the form should have submitted a POST.
I realize that the most likely case is that they got to the page (by way of a POST) and then clicked in the address bar and hit enter.
The question is, are there other less obvious ways that this could happen (print previews/back button, etc)?
We have never been able to consistently repeat the problems. The problems for different users and different pages nor do they happen very often (maybe once a week).
EDIT:
There is no data submitted with the GET request and therefore the processing page crashes out.
I was having a similar issue, although it doesn't sound like this was exactly yours. I had a form that was being submitted via ajax and shouldn't ever use the default submit. Now and then I was receiving errors from a GET done on the form. It shouldn't be possible to submit this form; however, certain versions of Safari for Mac were submitting it on enter. I just added a jquery form.submit() catch on it to prevent the default functionality. I also set the action to a page that wouldn't result in error (in case of lack of javascript).
As you said your problem is intermittent, so having a problem in form method set as get instead of post can be overruled but yes you are right, that if user presses enter in address bar it would be a get request and back button request always depends upon the last request made, if it was a post then any good browser will prompt you about resubmission and if it was get then no prompt, page will be bought back(may be from cache).
May be you can use Firebug (track requests in .net tab)or Fiddler and do some tests with different users/pages if you can reproduce it, its simply pressing enter in address bar.
Edit:
And also get is always supposed to 'retrieve information' so if browser is missing something or need something it will be a get but again check in IIS log for those get requests and try them in browser,if they contains query string for viewstate and eventvalidation, then they are really mis-formed request from post to get, if form method is not explicitly set to get.
I believe that an answer to the question "what are reasons for a browser executing GET rather than POST" does not help to solve the problem of receiving a GET on a form where you expect the a GET. But: To answer that question I would simply say that you receive an GET because the browser sends an GET and you can send a GET on any page where you can send a POST. On the other hand, if the user uses the form the browser sends a POST. Thus your server has to be prepared to handle the GET and it should handle the GET in the same manner as a POST with invalid parameters. My suggestion:
If you receive a GET, display the form again.
If you receive a POST with invalid data, display the form again and notify the user that he has to enter the data in a specific way.
Maybe a trivial answer, but that's what I would do. Don't know if it adds to the discussion.
Wrong, the most obvious reason why you get a GET instead of a POST is that because you're doing a GET instead of a POST.
A less obvious reason is you forgot to specify method="post" in one of your forms. The HTML standard specifies that the default method is GET, so if you want to POST, you must specify method="post" explicitly.
Scrutinize all of your tags and make sure all of them explicitly specify method="post".
EDIT: When you click on the address bar and pressed enter, yes it's true that the browser will GET a page, but your form wouldn't be submitted that way since the browser treats the URL similar to how a copy-pasted URL would be: a new session without any additional information sent to the server (except cookies).

Resources