Why do I need to turn off security validation? - sharepoint-2010

I'm working on building a webpart that creates a site, adds some lists based on user input, and sets the theme for the site. I can do this whole operation from a console app running on the server just fine, but when I do this from the webpart I get a security validation error when I try to set the theme. I can get around this by turning off security validation for the entire web app through central admin, but I'd rather not go down that route. This is currently what I'm running -
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    newWeb = web.Webs.Add(siteName, siteName, description, 1033, "STS#1", true, false);
    newWeb.AllowUnsafeUpdates = true;
    ReadOnlyCollection<ThmxTheme> managedThemes = null;
    managedThemes = ThmxTheme.GetManagedThemes(newWeb.Site);
    foreach (ThmxTheme theme2 in managedThemes)
    {
        if (theme2.Name == "oked")
        {
            theme2.ApplyTo(newWeb, true);
            break;
        }
    }
});
I've tried several different flavors of this, but all with the same result. Thanks!

This can happen if you are doing an update operation on a GET request.
Did you check out this?
http://blogs.technet.com/b/speschka/archive/2011/09/14/a-new-twist-on-an-old-friend-quot-the-security-validation-for-this-page-is-invalid-quot-in-sharepoint-2010.aspx

Related

Google Funding Choices Form Won't Load

I'm trying out Google Funding Choices, but I can't even get the base form to load, following Google's instructions to the letter. I've set up the relevant site and its consent details, configured a basic message for Ad Blocking, pasted in the code snippet output from the deployment instructions in the FC console, and I placed the following from Google's FC documentation before the FC tag, just to try getting the form to load, but this isn't working (and I'm using the url params ?fc=alwaysshow&fctype=ab):
<script>
    // Make sure that the properties exist on the window.
    window.googlefc = window.googlefc || {};
    window.googlefc.callbackQueue = window.googlefc.callbackQueue || [];
    // To guarantee functionality, this must go before the FC tag on the page.
    googlefc.controlledMessagingFunction = (message) => {
        user.isSubscriber().then(
            function (isSubscriber) {
                // Do not show the message if a user is a subscriber.
                if (isSubscriber) {
                    message.proceed(false);
                } else {
                    message.proceed(true);
                }
            }
        )};
</script>
Thanks in advance for any guidance

lucene query filter not working

I am using this filter hook in my Auth0 Delegated Administration Extension.
function(ctx, callback) {
    // Get the company from the current user's metadata.
    var company = ctx.request.user.app_metadata && ctx.request.user.app_metadata.company;
    if (!company || !company.length) {
        return callback(new Error('The current user is not part of any company.'));
    }
    // The GREEN company can see all users.
    if (company === 'GREEN') {
        return callback();
    }
    // Return the lucene query.
    return callback(null, 'app_metadata.company:"' + company + '"');
}
When a user whose company is GREEN logs in, they can see all users. But when a user whose company is RED logs in, they can't see any users whose company is RED.
I need to make it so that when a user logs in, they can only access users within their own company (except users from the GREEN company).
But the above code is not giving the expected result. What could be the issue?
This might be related to a little warning note on the User Search documentation page.
Basically they don't let you search for properties in the app_metadata field anymore. Unfortunately, this change was breaking and unannounced.
We had to make changes to our API so that we keep a copy of the app_metadatas in a separate database and convert lucene syntax to MongoDB queries, so that we can query by a chain of user_id:"<>" OR user_id:"<>" OR ....
One caveat though, you can't pass a query that's longer than 72 user_ids long. This number is so far undocumented and obtained empirically.
Also, you can't rely on Auth0's hooks to add new users to your database, as these don't fire for social logins, only for Username-Password-Authentication connections.
I hope this gave you some explanation as for why it wasn't working as well as a possible solution.
If I were you, I would look for an alternative for Auth0, which is what we are currently doing.
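A worked version of the workaround this answer describes, added here as an example and not code from the answer's author or from Auth0: it keeps a local copy of app_metadata, resolves a company to its user ids, escapes each id so it cannot break out of the quoted Lucene term, and splits the `user_id:"<>" OR ...` chain into batches of at most 72 ids (the limit the answer reports). The store, ids and company names are constructed sample data.

```javascript
// Limit reported in the answer above (observed empirically, not documented).
const MAX_IDS_PER_QUERY = 72;

// Escape Lucene query syntax so a value built into the query stays a
// literal term and cannot alter the query's structure.
function escapeLucene(value) {
  return String(value).replace(/([+\-!(){}\[\]^"~*?:\\\/]|&&|\|\|)/g, '\\$1');
}

// Constructed sample copy of app_metadata, like the separate database the answer keeps.
const USER_STORE = [
  { user_id: 'auth0|1', app_metadata: { company: 'RED' } },
  { user_id: 'auth0|2', app_metadata: { company: 'RED' } },
  { user_id: 'auth0|3', app_metadata: { company: 'GREEN' } },
  { user_id: 'auth0|4', app_metadata: {} },
];

function userIdsForCompany(store, company) {
  return store
    .filter(u => u.app_metadata && u.app_metadata.company === company)
    .map(u => u.user_id);
}

// Turn a list of user ids into one or more Lucene queries of the form
// user_id:"a" OR user_id:"b" ..., none longer than maxPerQuery ids.
function buildUserIdQueries(userIds, maxPerQuery = MAX_IDS_PER_QUERY) {
  const queries = [];
  for (let i = 0; i < userIds.length; i += maxPerQuery) {
    const batch = userIds.slice(i, i + maxPerQuery);
    queries.push(batch.map(id => 'user_id:"' + escapeLucene(id) + '"').join(' OR '));
  }
  return queries;
}

// Same decision logic as the filter hook in the question, but the result is a
// list of user_id queries (each run as a separate search) instead of an
// app_metadata.company query. null means "no filter" (GREEN sees everyone).
function companyFilterQueries(ctx, store) {
  const meta = ctx.request.user.app_metadata;
  const company = meta && meta.company;
  if (!company || !company.length) {
    throw new Error('The current user is not part of any company.');
  }
  if (company === 'GREEN') return null;
  return buildUserIdQueries(userIdsForCompany(store, company));
}
```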
I finally ended up with this solution.
Used search functionality to filter users. I had to change below two files.
fetchUsers function in client\actions\user.js
changed
export function fetchUsers(search = '', reset = false, page = 0)
to
export function fetchUsers(search = '#red.com', reset = false, page = 0)
AND
onReset function in client\containers\Users\Users.jsx
changed
onReset = () => { this.props.fetchUsers('', true); }
to
onReset = () => { this.props.fetchUsers('#red.com', true); }

Testing drag and drop with behat and mink

I'm trying to emulate drag and drop UI behaviour in a behat test. So far with no success, despite mink allegedly supporting that interaction.
Weirdly enough, it was hard for me to find any relevant blog posts about the subject. The ones I've found (this and http://www.pix-art.be/post/testing-drag-and-drop-with-behat-and-guzzle) did not help me much. Especially the latter one.
Does anyone have any suggestions on how to approach the problem or has experience with actually testing that interaction?
You can find a working example in the ownCloud test code; it moves files into folders via drag-and-drop:
public function moveFileTo(
    $name, $destination, Session $session, $maxRetries = STANDARD_RETRY_COUNT
) {
    $toMoveFileRow = $this->findFileRowByName($name, $session);
    $destinationFileRow = $this->findFileRowByName($destination, $session);
    $this->initAjaxCounters($session);
    $this->resetSumStartedAjaxRequests($session);
    for ($retryCounter = 0; $retryCounter < $maxRetries; $retryCounter++) {
        $toMoveFileRow->findFileLink()->dragTo(
            $destinationFileRow->findFileLink()
        );
        $this->waitForAjaxCallsToStartAndFinish($session);
        $countXHRRequests = $this->getSumStartedAjaxRequests($session);
        if ($countXHRRequests === 0) {
            \error_log("Error while moving file");
        } else {
            break;
        }
    }
    if ($retryCounter > 0) {
        $message
            = "INFORMATION: retried to move file $retryCounter times";
        echo $message;
        \error_log($message);
    }
}
from: https://github.com/owncloud/core/blob/47396de109965110276deb545a9bd09f375c9823/tests/acceptance/features/lib/FilesPageCRUD.php#L243
First it finds the NodeElement of the file that has to be moved, then the NodeElement of the destination, and calls $fileToBeMovedElement->dragTo($destinationElement).
Because it proved to be flaky, there is a retry loop around the dragTo function. To test whether the drag-and-drop operation worked, the code checks if any AJAX calls were set off or not (in this particular app this drag-and-drop operation sets off a WebDAV request).

JS not loading php into div, website specific behaviour

I have two joomla applications set up with exactly the same versions, the same global configuration settings, and I set up a test application with the following function to load a php into a div on a specific page.
function getDiv(str) {
    var id = document.getElementById("appselector").value;
    if (id == "") {
        document.getElementById("scoffitcategoryedit").innerHTML = "";
        return;
    }
    else {
        if (window.XMLHttpRequest) {
            // code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp3 = new XMLHttpRequest();
        } else {
            // code for IE6, IE5
            xmlhttp3 = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp3.onreadystatechange = function() {
            if (xmlhttp3.readyState == 4 && xmlhttp3.status == 200) {
                document.getElementById("scoffitcategoryedit").innerHTML = xmlhttp3.responseText;
                alert("WTF");
            }
        };
        xmlhttp3.open("GET","index.php?option=com_jumi&fileid=23& format=raw&" + str + id, true);
        xmlhttp3.send();
    }
}
I know it's a little long winded, but the problem is that the script works fine in one website, but not in the other. Both of them are loading the same versions of jquery (which as you can see I don't like using), and both have the same templates. The only clue I seem to have found is that when I have text links elsewhere on the site attached with query statements pointing to self (index.php?blastr=bla&drivelstr=drivel), the browser shows index.php/ prepended to the link mentioned above.
I debugged the script and in the non functioning website it hangs on the xmlhttp3.send line.
I know people espouse the beauty of jquery's load() function as a replacement for this, but I can't get it to work (probably because the templates are using jquery versions higher than 1.8.1, when it was deprecated). So I'd rather stick with base js.
Any ideas about this inconsistent behaviour?
This should be a comment but can't yet :(
I would check your configuration file for this line:
public $live_site = '';
and see if there is something in the failing site besides ''.
I found out what it was: I must have actually installed two different versions of the Jumi application in my websites. One website had a file under components/com_jumi/views/application named view.raw.php while the other did not. This meant that the format=raw in the index.php string could not be interpreted and caused a null response.
I simply copied the file into the other website where it was missing and everything then worked fine. But thanks for the response.

How do I get data from a background page to the content script in google chrome extensions

I've been trying to send data from my background page to a content script in my chrome extension. I can't seem to get it to work. I've read a few posts online but they're not really clear and seem quite high level. I've managed to get the oauth working using the Oauth contacts example on the Chrome samples. The authentication works, I can get the data and display it in an html page by opening a new tab.
I want to send this data to a content script.
I'm having a lot of trouble with this and would really appreciate if someone could outline the explicit steps you need to follow to send data from a bg page to a content script, or even better some code. Any takers?
The code for my background page is below (I've excluded the oauth parameters and other)
function onContacts(text, xhr) {
    contacts = [];
    var data = JSON.parse(text);
    var realdata = data.contacts;
    for (var i = 0, person; person = realdata.person[i]; i++) {
        var contact = {
            'name' : person['name'],
            'emails' : person['email']
        };
        contacts.push(contact); // this array "contacts" is read by the contacts.html page when opened in a new tab
    }
    chrome.tabs.create({ 'url' : 'contacts.html'}); // sending data to new tab
    //chrome.tabs.executeScript(null,{file: "contentscript.js"}); // maybe this may work?
};
function getContacts() {
    oauth.authorize(function() {
        console.log("on authorize");
        setIcon();
        var url = "http://mydataurl/";
        oauth.sendSignedRequest(url, onContacts);
    });
};
chrome.browserAction.onClicked.addListener(getContacts);
As I'm not quite sure how to get the data into the content script, I won't bother posting the multiple versions of my failed content scripts. If I could just get a sample on how to request the "contacts" array from my content script, and how to send the data from the bg page, that would be great!
You have two options for getting the data into the content script:
Using Tab API:
http://code.google.com/chrome/extensions/tabs.html#method-executeScript
Using Messaging:
http://code.google.com/chrome/extensions/messaging.html
Using Tab API
I usually use this approach when my extension will just be used once in a while, for example, setting the image as my desktop wallpaper. People don't set a wallpaper every second, or every minute. They usually do it once a week or even day. So I just inject a content script to that page. It is pretty easy to do so, you can either do it by file or code as explained in the documentation:
chrome.tabs.executeScript(tab.id, {file: 'inject_this.js'}, function() {
    console.log('Successfully injected script into the page');
});
Using Messaging
If you constantly need information from your websites, it would be better to use messaging. There are two types of messaging, Long-lived and Single-requests. Your content script (that you define in the manifest) can listen for extension requests:
chrome.extension.onRequest.addListener(function(request, sender, sendResponse) {
    if (request.method == 'ping')
        sendResponse({ data: 'pong' });
    else
        sendResponse({});
});
And your background page could send a message to that content script through messaging. As shown below, it will get the currently selected tab and send a request to that page.
chrome.tabs.getSelected(null, function(tab) {
    chrome.tabs.sendRequest(tab.id, {method: 'ping'}, function(response) {
        console.log(response.data);
    });
});
Which method to use depends on your extension. I have used both. For an extension that will be used like every second, every time, I use Messaging (Long-Lived). For an extension that will not be used every time, you don't need the content script in every single page; you can just use the Tab API executeScript because it will just inject a content script whenever you need to.
Hope that helps! Do a search on Stackoverflow, there are many answers to content scripts and background pages.
To follow on Mohamed's point.
If you want to pass data from the background script to the content script at initialisation, you can generate another simple script that contains only JSON and execute it beforehand.
Is that what you are looking for?
Otherwise, you will need to use the message passing interface
In the background page:
// Subscribe to onVisited event, so that injectSite() is called once at every pageload.
chrome.history.onVisited.addListener(injectSite);
function injectSite(data) {
    // get custom configuration for this URL in the background page.
    var site_conf = getSiteConfiguration(data.url);
    if (site_conf)
    {
        chrome.tabs.executeScript({ code: 'PARAMS = ' + JSON.stringify(site_conf) + ';' });
        chrome.tabs.executeScript({ file: 'site_injection.js' });
    }
}
In the content script page (site_injection.js)
// read config directly from background (PARAMS is the global defined by the first executeScript call)
console.log(PARAMS.whatever);
I thought I'd update this answer for current and future readers.
According to the Chrome API, chrome.extension.onRequest is "[d]eprecated since Chrome 33. Please use runtime.onMessage."
See this tutorial from the Chrome API for code examples on the messaging API.
Also, there are similar (newer) SO posts, such as this one, which are more relevant for the time being.
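The ping/pong exchange from Mohamed's answer, carried over to the runtime.onMessage / tabs.sendMessage API that the update above points to, as an added example that is not code from either answer. The content-script side acts only on messages whose sender.id is this extension's own id and only on the two methods it knows, and it checks the shape of the contacts it stores; the makeFakeChrome object is a constructed stand-in for the parts of the chrome API used, so the exchange can run outside a browser, and the contacts are sample data.

```javascript
// --- content script side (what contentscript.js would register) ---
// Check who sent the message and what it asks for before acting on it.
function makeContentHandler(extensionId, state) {
  return function onMessage(request, sender, sendResponse) {
    if (!sender || sender.id !== extensionId) {
      sendResponse({ error: 'ignored: unexpected sender' });
    } else if (request && request.method === 'ping') {
      sendResponse({ data: 'pong' });
    } else if (request && request.method === 'contacts' && Array.isArray(request.contacts)) {
      // keep only well-formed entries: a string name and an array of emails
      state.contacts = request.contacts.filter(
        c => c && typeof c.name === 'string' && Array.isArray(c.emails)
      );
      sendResponse({ data: state.contacts.length });
    } else {
      sendResponse({ error: 'unknown method' });
    }
  };
}
// --- background page side: replaces chrome.tabs.sendRequest from the answer ---
function sendToTab(chrome, tabId, message, onResponse) {
  chrome.tabs.sendMessage(tabId, message, onResponse);
}
// Constructed stand-in for the parts of the chrome API used here. It routes
// tabs.sendMessage to the listeners added via runtime.onMessage and fills in
// sender.id with the extension id, as Chrome does for the extension's own messages.
function makeFakeChrome(extensionId) {
  const listeners = [];
  return {
    runtime: { id: extensionId, onMessage: { addListener: fn => listeners.push(fn) } },
    tabs: {
      sendMessage(tabId, message, callback) {
        listeners.forEach(fn => fn(message, { id: extensionId, tab: { id: tabId } }, callback));
      },
    },
  };
}
// Runs the exchange end to end: ping/pong, then a contacts push with sample data.
function demo() {
  const chrome = makeFakeChrome('EXTENSION_ID_PLACEHOLDER');
  const state = { contacts: [] };
  chrome.runtime.onMessage.addListener(makeContentHandler(chrome.runtime.id, state));
  const result = {};
  sendToTab(chrome, 1, { method: 'ping' }, r => { result.pong = r.data; });
  const sample = [{ name: 'Ada', emails: ['ada@example.com'] }, { name: 42, emails: [] }];
  sendToTab(chrome, 1, { method: 'contacts', contacts: sample }, r => { result.stored = r.data; });
  result.contacts = state.contacts;
  return result;
}
```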