In my application I have a file upload (actually multiple file uploads), and I managed to do it without using a gem/plugin like (Ex: carrierware).
But when my form validation fails it loads the from data with error messages, but not the values in file_fields. My client wants to keep the values as it is when form validation fails.
I have search a bit and found out that for security reasons, its not allowed to set values to file fields. So can someone proposed me a possible workaround for this (to keep the selected file path when a form validation fails)
Please note that I'm not using Ajax form post here, this is simple default HTTP post
I'm running on ruby 1.9.2 and rails 3.0.0
thanks in advance
It is not possible to do with what you are asking. Due to security reasons, the value of the upload field can not be set, or even styled with some browsers.
The best bet:
Upload the file before the validation, then discard if the user cancels.
Use ajax, or a fancy form of uploading. (Store path in hidden field, and then upload with some form of ajax/flash.)
Related
I have a beginner question about produciton mode in vuejs. I'm using the minified version of vue and i have a Question. How can i avoid accessing and changing the value of data by using DOM here an example: for accessing -> document.getElementsByClassName('VueInstance')[0].__vue__.$children[0].$data.foo and for changing document.getElementsByClassName('VueInstance')[0].__vue__.$children[0].$data.foo = "bar" ? Its there any possibility to do it ?
You can't.
Client-side JavaScript isn't secure by design, i.e. user has full control over the script that runs in user's browser. Considering that a user has enough access rights locally, the code always can be read and modified. Security measures that are applicable to client-side code only make this process more complicated.
Never trust anything from the client. The client can change whatever they desire, and can even edit the data that's going to the server. If you wish to ensure they can't do something, then you will have to put checks on the only thing they can't change
How to prevent the user from changing values in the HTML or the JavaScript
Can react state be tampered with to bypass security measures?
I have a document library that has some fields as compulsory but when I upload them sensenet does not required the fill of that fields.
This is working only on the edit function
The problem with this feature is that on the built-in UI you cannot actually fill any fields when you upload a document. So if you had any compulsory fields (and we validated them) you would not be able to upload documents at all, the system would deny that.
Currently I do not know an out-of-the-box solution for this, you would have to create a custom upload UI (of course using the built-in simple upload functionality) that makes sure the user fills the compulsory fields before uploading the doc.
If you think this is something we should look into, please create an issue on github.
I'm trying to a CSRF protection to an existing MVC4 web application which uses DevExpress grids. I've added the Html.AntiForgeryToken() into the forms on the aspx pages (which contain ascx as partials containing the grids) and can see the __RequestVerificationToken and it's value clearly in developer tools when a save is called.
I've tried commenting out all my ValidateAntiForgeryToken attributes bar one - I went with the delete post method for simplicity (And also to eliminate the DevExpress grids messing with it) and I still keep coming up against this error:
There was a HttpAntiForgeryException
Url: http://localhost:54653/Users/Delete/f86ad393-0039-44e8-beed-a66dbab9266e?ReturnURL=http%3A%2F%2Flocalhost%3A54653%2FUsers
The exception message is
The required anti-forgery form field "__RequestVerificationToken" is not present.
Does anyone have any idea why this might be happening? Could it be that the error is non-descriptive and it's actually that the token doesn't match rather than that it doesn't exist? In previous answers to this question people just say "oh, you have to add the token," which is obviously not helpful here.
Are you submitting the form manually through Ajax? If that's the case, you need to pass the anti forgery token as another parameter with the name "__RequestVerificationToken".
Point 1 : Make sure if your application is has https secure protocol. Please load in https.
Point 2 : In case of DevExpress you have to call in the below pattern.
ViewContext.Writer.Write(Html.AntiForgeryToken().ToHtmlString());
After struggling with this for days I had a thought - maybe the browser is stopping the cookie being written. I did a search for dev servers and cookies not being written, and found that with Chrome and IE10 and up that there's problems writing the cookies.
I downloaded Firefox and tried it with that and it worked instantly. I then reapplied all the validate attributes to the all the controller methods and the all worked, every single one of them! Even the DexExpress postbacks seem to be working correctly.
I'll carry out more exhaustive testing, but for now, I think we're there.
Not exactly. If MVC AntiForgeryToken is already defined on page where you are using MvcxGridView and you want to protect grid actions you should send this token back to server during grid client side begin callback event.
settings.ClientSideEvents.BeginCallback = "function(s,e) { e.customArgs[\"__RequestVerificationToken\"] = $('input[name=\"__RequestVerificationToken\"]', $(s.GetMainElement())).val(); }";
If one has to perform business rules related validations and some cross field validations; on data entered in html-form-fields on screen, how can it be done?
Does the Moqui framework provide any inbuilt-support for this?
Is there any guide/tutorial available for this?
Update:
Hi David, thanks for your time. Below is the detailed requirement for validation.
1) Need to show the validation message on submit (before the request is sent to server) rather than after the request is processed on server.
e.g. When I open a dialog/screen to create/update some record, than I pass invalid number(e.g. 'abc') value in field and click submit;
the FORM gets submitted and the response (on next screen) is:
The value [abc] is not valid for type [java.lang.Long] (for field xyz) etc.
So, how can the FORM-submission be prevented and how to show message to user before submitting and on the same screen not on next screen? (ie.
how to implement validation similar to javascript validation at field/FORM-submit level). And this may be required not only on
just one screen but on many other screens may have thier own screen specific different validation rules for various fields.
Traditional way of adding bunch of .js files in header/footer doesn't look right; because how all the FORMs would know(without making
some changes to how the FORM gets generated) which js-function to invoke and when? And also I don't want to make any custom change in
framework which may not be compliant with any future upgrade of moqui or may require lot of re-work to integrate it smoothlessly for future upgrades.
2) Cross field validation i.e. filed1 is to be validated based on result of some calculation of values in field2 and/or field3 etc. How can this
be done on client-side?
I am quite new in YII just 2 weeks and I am getting a hang on it, but I have an integration I have to do, which includes submitting form data to an enternal site, as well saving said data in my DB, after which i am automatically redirected to the said site and after performing some actions they send some data back, which should be displayed and saved in my DB as well. Any help would be grossly appreciated. Thanks
You will need cURL for the remote request: http://www.php.net/manual/en/curl.examples-basic.php.
Yii does not have this functionality by default, but you can create a component for it, which makes a post request to the remote site using cURL.
Depending on the format of the returned data, you will need to decode/unserialise it.
You can create a CDbCommand to store it directly into the database or assign values to an Active Record model and store that into the database.