It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I've read some articles about Role-based access control, but not clear enough to handle this case: how to implement "user can delete his own posts"?
For normal roles and permissions, when user do something, I can just check if the roles and permissions the user have, and determine if the user can do it.
But for "user can delete his own posts", I have to check if the posts belong to him or not. So I have to hard-code something, then it is out of the control of the control system.
Do I miss something and how to do it correctly?
It's not entirely clear to me what problem you are trying to solve. You always have to "hard-code" something since you need to define who can access what. Something is not out of the control system either if you decide it should be in, it really depends on your implementation.
For what you are trying to do, I would generally define an "owner" role then define an access such as:
"owner" can "delete" "resource"
So there has to be some programmatic part where you find out whether the user is indeed the owner or not. Usually, this can be done by associating each resource with, for example, an "ownerId" property. If userId == ownerId, then the role of the current user is "owner".
This requires support in the RBAC layer for "business rules". When such is available, it provides you the touch of dynamic decision that is needed.
Basically, the biz rule is a piece of code that is being run every time the permission is checked. This code is static but expect parameters to be handed to it. Here's an example (PHP shown):
// This code expect two given parameters: $params['owner_id'] and $params['user_id']
if ($params['owner_id'] == $params['user_id']) {
return true;
}
return false;
// This code assumes that returning true means 'permission granted' and returning
// false means permission not granted
You didn't state your underlying technology. That could help you get more accurate answers.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
Are the included and extending use cases make sense?
Basically yes, depending on what you are willing to achieve.
Include simply means that the included use case cannot exist on it's own and needs to by part of the use case, for which it is included and at the same time the basis use case won't be complete without the successful included use case.
This translated for your use case scenario will mean:
In order the user (write a name for the actor) to log in, he has to enter his User id, enter his password, the system has to parse the id and the password and display the main screen.
Extends can optionally add some other steps to the main functionality, in this case to the log in, which means that it's optional to display an incorrect log in screen (somehow verbose in your scenario). This will also mean that Display Login screen is also optional, which IMO is not the case and it has to be included in the main use case, but this is relative to what you are willing to achieve.
Advice: Learn the exact UML specification. You need to write the name of the actors, to write down <<include>> and <<extend>> and to define a system. I will suggest you to use an UML editor instead of Paint or something similar. Check What's the best UML diagramming tool?
You mixed usecase (Login) and actions of login process in one diagram.
Remove all usecases except for Login, and add activity diagram to desribe scenarion of login process.
If you create use cases at the granularity you are proposing, you will probably die under the weight of the documentation you will produce.
Here you have only one use case: Login.
In that use case you have different parts, and among those, the usual scenario steps, where you will find, for example:
1.Enter user id
2. Enter password
3. ...
you also have a section named Exception scenarios, where you will find, for example, the Failed Login details (error message, behaviour, ...).
An example of use case inclusion would be Modify Account, which would include your Login use case, meaning you cannot modify your account without login in.
An example of use case extension would be specifying different method of login in (OTP, digital signature, etc) which would all extends the Login use case.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I'm looking for a way to store a result set in my SQL Server database so it's faster to retrieve, if possible. The reason I want to do this is that I need the information quite frequently, but the data rarely changes so I believe it will improve my database performance a lot.
The only thing I was able to find was indexed views, which doesn't work for me since my query doesn't qualify for that kind of view.
My result set is derived from several sql queries, that will increase in time.
My backup solution is to have the program using the database to store it's own copy, so I can skip calling the database. But this will make my system more complex. I would rather have all my data calls in the database so it's easier to keep track of things.
Do any of you know a way store result sets on a SQL Server database?
I need the information quite frequently, but the data rarely changes
If the data is going to rarely change, then why not just use a SSI file based on the data in the database. You can always recreate this text file whenever the data changes.
When I did web stuff we served up all the data for all the web pages directly from database queries. We decided to change our model to use SSI files for all the database items that rarely changed. We built a "File Recreation" routine inside the backend admin that would automatically build and overwrite the SSI file when ever the customer changed one of those "rarely" changed database items.
This boosted performance on our servers, cut down on server round trips and spead up the display time. Truly a win-win.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I have been looking to find answers to this question from past two hours. I haven't found even one single relevant post/book/answer. Could somebody explain the difference between server-side scripting and client-side scripting to me. I know that triggers are part of server-side scripting but really, whats the difference between the two. Could you please provide me with couple examples.
Thanks!
This could actually mean a couple of different things, but the explanation that is probably most relevant to you (based on your mention of triggers) is that server-side scripting is SQL that is precompiled and stored in the database in the form of triggers, functions, stored procedures, views, etc while client-side SQL (also known as dynamic SQL) is SQL that is contained within the application.
Some of the reasons for implementing server-side SQL include performance (the database can precompile and optimize the SQL), security, and maintenance (it is much easier to modify a stored procedure than to recompile and re-release your application).
The primary reason that we have found for implementing dynamic SQL is to handle situations in which are not easily handled through server-side SQL, usually involving variable-length where statements.
I don't think you can say there is really such thing as "client-side SQL". There might be SQL commands/statements generated by a client application, but they are executed directly on the Database Enginer to persist and be logged.
In other words a client application might issue this:
select *
from SomeTable
If it is successful, that SELECT will be executed on the database server, not the client application even though that's where it was generated.
Now you might be trying to distinguish where SQL code is generated. A client application might generate the bulk of the Data Manipulation Language (DML) code (i.e. INSERT/UPDATE/DELETE) and be performing OLAP (SELECT). The server will generate the SQL and events for things like triggers. The database engine, with a trigger, will see that an action was taken on a database, object, or the server itself and then this event will "trigger" the database engine to execute another piece of SQL code. That would be server-generate SQL.
I think I understand your question, but please let me know if there is something else or I didn't answer it correctly.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
Okay so im writing a program for my vegetarian girlfriend that does two things from the main menu. 1: add foods with attributes like name, iron content, protein, sodium etc. 2: use the foods that have already been stored and use them to make a balanced meal. What im having trouble with is, how do i save the attributes when storing the foods ? i have knowledge with c++ so i understand how classes work and was wondering if there is something similar in Visual Basic. I would also like to know how to save the foods so that they can be used again when the program is closed and then reopened. Thanks in advance. I am VB noob but i do have some c++ knowledge.
Well, you'll need the data to be persistant, so that, when she closes and reopens the application, previosly entered data is still there.
The best and simplest approach to do that, IMHO, is to use a database, since, databases are great at just that - storing data. However, that will add some complexity to your application. I would recomend to take a look at SQLite, using a .net driver. That will give you all the benifits of a database, and will take away at least some of the complexity.
Yes, VB.net have advance OOP capability. Just instantiate the class and play with it.
class Food
public dim food_name as string
public sub save()
'wirte code to save the class data
end sub
end class
'Use it as
Dim food as Food
food =new Food()
food.save()
To store the data u can use Database like Acess/Sql server or simply u can store them in plain text and xml.
in my suggestion use XML to store the data
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
I want to know if you have ever performed injection on a website using SQL injection for ethical hacking.
What tricks/techniques have you have used (especially mysql)?
I've used the standard trick on login forms:
user: admin
pass: ' OR '1'='1
Not directly, but sometimes I do LIKE searches with wildcards (%) even though the search page does not say it supports them.
If you intend to perform ethical hacking or penetration testing of applications using MySQL, you'll find the OWASP Testing Guide, specifically the section on MySQL to be of immense value, apart from the generic Testing Guide for SQL injection.
Note that this does not make any assumptions about the framework or langauge in use - PHP, Java (including Java EE, Spring etc.), so it is pretty generic in how SQL injection may be attempted against an application. The actual techniques involved in getting the user inputs to the database access layer of the application, indeed will vary from one application to another. Applications that parse HTTP requests, will of course, require all inputs (URL parameters, name-value pairs in the POST body, HTTP headers) to be suspect. Having a different source of input (say XML or JSON instead of simple HTTP requests) will require you to feed in SQL in appropriate manner that will be understood by the application's parsers, eventually resulting in transportation of SQL to the layer where database queries are executed.
Nice infomation about techniqs for
Example :
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
pass userName = ' or '1'='1
SELECT * FROM users WHERE name = '' OR '1'='1';
SQL injection
Type of it
1.2 Incorrect type handling
1.3 Vulnerabilities inside the database server
1.4 Blind SQL injection
1.4.1 Conditional responses
1.4.2 Conditional errors
1.4.3 Time delays
You just remimded this, I hope you'll find it fun:
http://xkcd.com/327/ ;)
Yes I have used the basic methods like everyone else, but always on my own websites
' OR '1'='1
I even joined a site where you can learn the basics of hacking in a website, they have put up a serie of website specially made to show the vulnerability of the website (of course you are not shown how to do it but you have to find it out for yourself). And no I feel no guilt whatsoever as I do not use it to harm other peoples website but only myne.