I have a edit page that looks at record_id's in the url.. I don't want the user to see any record id, that way they can't replace it with another and edit another record....
Anyways, my url is like:
http://www.mywebsite.com/folder/folder_detail_edit.php?recordID=3980
I would like it to just display:
http://www.mywebsite.com/folder/folder_detail_edit.php
Is this possible regardless of the recordID???
You should use the http post method to send this data to the server, this way, it won't be visible in the url.
Take a look here
The central problem is not that the record ID is visible and thus can be replaced but that your application allows your users to modify all records. That’s an authorization problem. And hiding the ID does not solve that since the record has to be identified somehow.
You should better implement some authorization mechanism so that your users can only access and modify those records that they are allowed to.
Related
We currently trying to design some REST api for our webservices. We have two resources, 'record' and 'expedition'. As far as we know, a record can be associated with multiple expeditions, and an expedition can be associated with one record (but not necessarily).
When we create an expedition, and we want to "attach" it to a record, we have come to two solutions :
POST /expeditions?recordId=xxx
POST /records/xxx/expeditions
and a POST /expeditions WS to create expeditions independently.
My colleague suggested the first approach, but I found the second the most usual way to do so. I have not found articles on the web presenting the first approach as a good or bad design.
So, which solution is the good one for you ? Which kind of consideration can help us to choose ?
Thank you.
Which kind of consideration can help us to choose ?
Think about cache-invalidation.
HTTP is about document transfer. We obtain information from the server by asking for a copy of a document; that request might be handled by the server itself, or it might be handled by a cache that has a valid copy of the document.
We send information to a server by proposing edits to documents - POST being the most common method used to do that (via HTML forms).
When an edit is successful, it follows that the previously cached copies of the document are out of date, and we would really prefer that they be replaced by the updated copy.
General purpose cache invalidation is kind of limited; in particular, it doesn't support arbitrary invalidation of documents. Only the target-uri, Location, and Content-Location are invalidated.
Therefore, when we are designing our resource interactions, we want to consider this limitation.
That usually means that the request that we use to change a document should have the same target-uri as the request to read that same document.
(Yes, that means that if we are going to have different kinds of edits to the document, all of the different edits share the same target-uri, and we disambiguate the edit by looking at other parts of the request -- for instance by parsing the body.)
POST /records/xxx/expeditions and a POST /expeditions WS to create expeditions independently.
That's not required - the server is permitted to apply changes to more than one document; HTTP constrains the meaning of the request, but does not constrain the effects.
That said, general purpose caches won't magically know that both documents have been edited. To some degree, part of what you are choosing in your design is which document needs to be refreshed now, and which ones can be out of date for a time (typically until the cached representation reaches its max age).
For the special case where your response to the successful edit is going to be a copy of the updated representation of the resource, you have a little bit more freedom, because use can use the Content-Location header to identify which document we are returning in the response, and that header is automatically invalidated.
POST /foo/bar
...
200 OK
Content-Location: /foo
In this sequence, general purpose headers will invalidated their cached copies of both /foo and /foo/bar.
(of course, there are still issues, in so far as we don't have a mechanism to return both the updated copy of /foo and the updated copy of /bar in a single response. So instead we need to look into other ideas, like server push).
Design the URL paths in a way that the resources can easily be retrieved.
Query string/parameter present in the URL mentioned in the first approach is typically used to locate a resource and perhaps a little counter intuitive to me.
The second approach, perhaps this would work as you are creating an expedition under an associated record xxx i.e. /records/xxx/expeditions. But it could get challenging in a scenario where an expedition is not related to any record.
Another alternative thought here is to link the expedition and record through the payload i.e. have the record id XXX within the POST payload during the "expedition" resource creation. POST /expedition => This operation would return you an expedition id in response as the resource newly gets created. To retrieve the data, you could then use GET /expedition/XXX/record where XXX is the expedition id and you retrieve the record corresponding to XXX. You don't need to mention a record id in this case. You either get a associated record or you don't(in case there is no record tied to the expedition). To retrieve the expedition itself, the URL could be GET /expedition/XXX.
I have been able so far to create a new civi Mailing object and populate it, but confusingly I can't see a parameter in that to specify the mail destination group.
For context, I am dealing with Civi using pure REST api from a remote server. I have a solution to getting a custom template onto the server; the new problem is setting a schedule and delivery group, and initiating the send. I am using the python-civicrm library from github as the intermediary on the client.
I presume send happens as a result of setting the schedule -- i.e. I don't need an API call to say 'send mailing'? Is setting 'sheduled date' == 'now' safe or should I set a date of 'now + 1min' or similar?
So that leaves setting the delivery group. We already have groups defined in the DB, and I want to specify the group by name (and preferably be able to verify in advance that a group name is a valid destination, perhaps by doing a group name -> id lookup).
I think there might be a parameter to Mailing create 'groups' which can have keys 'include' and 'exclude'; at least, that's what the web form seems to do. However it's not mentioned in the REST api implementation.
Can anyone offer pointers?
I think you will find all you need in the following link :
Example of api call that is using the group include/exclude : https://gist.github.com/xurizaemon/6775471
Discussion about implementing mailing as an api - http://forum.civicrm.org/index.php?topic=24075.0
Otherwise, if it doesn't work, i suggest that you :
help adding this api in the CiviCRM Core - you could have some help on this on irc #civicrm (and have a look at https://issues.civicrm.org/jira/browse/CRM-11023)
OR create an extension with the api you need. It will be automatically available for REST. If you haven't created an extension yet, i suggest you go to the page http://wiki.civicrm.org/confluence/display/CRMDOC/Create+a+Module+Extension. It's quite straightforward with civix installed.
The table you need to check in the database is civicrm_mailing_group
To confirm, the problem was that (a) I needed to use groups[include]=array(ids) as mentioned by samuelsov, but also (b) I needed to use the json={...} form of request through REST, because the HTTP params syntax doesn't support nested data.
I don't have any code to show, because I'm not sure how to approach this. I am sending a user from one view to another where we will be doing CRUD OPERATIONS, I need to have a way of knowing what the last view I came to before the CRUD OPERATION so that I can send my user back to that view. I would also like to use this for redirection once someone has logged in. I want to have a way of setting the view I want them to get sent back to so that they can log in from any page on the site and it will remember that page instead of just dropping you on the home page.
I would accept a good tutorial as well, I'm pretty desperate to figure this out. SHoudl I just use ViewBag?
If you making <a></a> Through Html Helper then you globally set the querystring in function that can be later used for know the last view user visit.
As Balachandra mention you can use ReturnUrl inside the Request object.
Some other idea which can help you are
Request.Server["HTTP_REFERER"]
Request.UrlReferrer
A another simple algorithm to solve this issue is making JavaScript cookie to know what is current url. and last url. it's only take 2 url to remember in cookie.
When you want to know last referrer then you can easily look in user cookie to know the referrer.
If you want to know the url refeffer in inside Action then make a ActionFilter and just call this code
HttpContext.Current.Request.UrlReferrer.ToString()
In ASP.NET MVC we have TempData which used to pass Data from Views to Views. From this post http://www.rachelappel.com/when-to-use-viewbag-viewdata-or-tempdata-in-asp.net-mvc-3-applications You can get better explanation.
This are enough Tricks to pass the data from Views to Views. For Example TempData will help you to store current url and you can get same information on next view. Remember that TempData is based on Session so it doesn't store the information for long time. For me TempData look perfect solution that you need to use for your own solution.
If you enable asp.net mvc authentication and try to browse any page in application, it will redirect user to login page with 'ReturnUrl' querystring parameter. This parameter holds the name of previous page from where user redirected from.
You can use similar approach even after login as well.
Is there a REST rule or best practice to update/create a specific property on a resource? For example say I have a user resource.
/users (GET) gets all users, POST create a new one, and put /users/(id) updates the user with that id.
Lets say I need to update a status for that person. I could just pass that in the PUT request, but problem is I want to delete the status as well. Usually with PUT I have only been updating the values passed, ie if you put with firstName=Bob I would update that persons firstName but I would not delete his lastName just because it was not passed in. As well as I would not delete status if it was not passed. So I need a way to delete status.
So I was thinking status was just another resource. But a very uncomplicated one.
/users/(id)/status POST to create a new status? Problem I am trying to wrap my head around is that status is just a simple name, like 'away' or 'vacation'. Seems weird to do /users/(id)/status with a body of status=away. Ie status appears in URL and in body, seems wrong. Also with this approach POST and PUT would be identical. Maybe that is ok.
I feel like I have the simple cases of REST down but this one is stumping me.
Typically you would use PUT to create a new resource if you can describe it fully and as though it were a resource location. Use POST (with data) to update any portion of the resource that is hidden. Since status does not identify the resource, I think you should use POST.
Adding example:
POST /users HTTP/1.1
<user id="someID" >
<status>newStatus</status>
</user>
Hi I'm am trying to get the list of issues from a JIRA server using the SOAP API provided by JIRA.
I'm trying to filter the issues based on a custom field (and latter I will want to set that custom field).
If I get the list of issue it returns the custom fields for those issues along with them (I get customfieldId, key, values for each custom field) and I can get the custom field with getCustomFields methods provided by the API (to look for the ID of the field with a given name).
The issue I have is that if I login with an account that is not an admin (using the API) I can't call the getCustomFields method (it throws an exception saying I have to be an admin to do that).
My question is: Is there any other way to know which is the ID of the custom field I desire that can be done using a normal user account?
Also if you know how to set a custom field for an issue, it would also be very helpful :) (I would also like to be able to do it with a regular user account).
You have to be an admin to get a list of custom fields. Any 'normal' account can act on the custom fields via the API provided the user knows the customfield ID.
You can set the value of a custom field too, even with a 'normal' account. Again, the user needs the appropriate permissions to do this. Example provided here.
More here and here.
You can also use getFieldsForEdit(token, issueKey), which will return RemoteField[] for all fields available for edit on that issue (even if it has not yet been defined on the issue). It does not require admin permissions, but because it has the word "Edit" in the method, it does require that you have permission to edit the issue (which means, e.g., if the issue is status=Closed, it will raise an exception unless you allow editing closed issues. Unfortunately, I have yet to find a way to retrieve the RemoteField[] list (in order to map id to name), so getCustomFields() and getFieldsForEdit() appear to be the only options.
Have you tried getting a list of issues from the project, picking one, zeroing out the data, and using that as a template? That might work.
SOAP is being deprecated in favor of the REST API, which also has a better method to get this information