Security

Wednesday, May 30, 2012
Controlling Data Field Search Modes

The Advanced Search Bar allows the user to combine specific search parameters in order to find data. When the search bar is opened for the first time, the first three data fields of the grid view are displayed.

Customers advanced search bar with default Search Mode settings.

The end user can change the filter field using the field name dropdown. By default, every data field in the grid view is searchable. The designer lets you force the user to enter a value in some search fields, suggest other fields as additional options when the search bar opens for the first time, and prevent searching by specific fields altogether.

Start the Project Designer. Right-click the Customers / container1 / view1 / grid1 view node and choose the Show All Data Fields option.

Show all data fields for grid1 view of Customers controller.

Make the following changes to the list of data fields:

Field Name      Search Mode
CompanyName     Required
ContactName     Forbidden
ContactTitle    Forbidden
Address         Suggested
City            Suggested

Save the data fields and click Browse on the toolbar to regenerate the web application.

When the browser window opens, navigate to the Customers page and open the advanced search bar. The data fields with a Search Mode of "Required" or "Suggested" are displayed initially.

Advanced search bar of Customers grid displaying required and suggested fields.

The first field is required, and the user cannot replace it with another field.

The required field cannot be changed.

If a search is performed without entering a parameter into the required Company Name field, the user is informed that the field is required.

Search performed without entering a parameter into the required field will give a prompt to the end user.

Fields marked as "Forbidden" are not displayed in the list of fields available for search.

Forbidden fields are not displayed on the list of fields.
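As an added illustration (this is not Code On Time's own code; the generated framework enforces the modes internally), the following Python model shows the rules the post describes and the check a server should apply to the filter a client actually submits: Forbidden fields are hidden from the search bar, but a hand-crafted request can still name them, so the rejection has to happen on the server and not only in the UI. The grid definition (including the CustomerID and Country fields that are not in the table above), the role of whitespace-only values, and the error messages are constructed for the example.

```python
"""Model of Required / Suggested / Forbidden search modes for a grid view.

Added example, not the generator's implementation.  It reproduces the
behaviour described in the post (which fields open first, which are
searchable) and adds the server-side validation of a submitted filter.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DataField:
    name: str
    # "Required", "Suggested", "Forbidden", or None for the default
    # (searchable, but not shown until the user picks it).
    search: Optional[str] = None


# Constructed grid1 of the Customers controller; field order matters
# because the default search bar shows the first three fields.
CUSTOMERS_GRID1: List[DataField] = [
    DataField("CustomerID"),
    DataField("CompanyName", "Required"),
    DataField("ContactName", "Forbidden"),
    DataField("ContactTitle", "Forbidden"),
    DataField("Address", "Suggested"),
    DataField("City", "Suggested"),
    DataField("Country"),
]


def searchable_fields(fields: List[DataField]) -> List[str]:
    """Fields offered in the field-name dropdown (Forbidden ones are omitted)."""
    return [f.name for f in fields if f.search != "Forbidden"]


def initial_search_fields(fields: List[DataField]) -> List[str]:
    """Fields displayed when the advanced search bar opens for the first time.

    Required and Suggested fields in grid order; when no field carries a
    mode, the first three searchable fields, which is the default.
    """
    marked = [f.name for f in fields if f.search in ("Required", "Suggested")]
    return marked if marked else searchable_fields(fields)[:3]


class SearchError(ValueError):
    """Raised when a submitted filter violates the search modes."""


def validate_filter(fields: List[DataField], request_filter: Dict[str, str]) -> Dict[str, str]:
    """Server-side check of the filter a client submitted.

    Rejects unknown and Forbidden field names (hidden in the UI, but a
    crafted request can still carry them) and empty Required fields.
    Returns the filter with blank entries dropped.
    """
    by_name = {f.name: f for f in fields}
    for name in request_filter:
        f = by_name.get(name)
        if f is None:
            raise SearchError(f"unknown field '{name}'")
        if f.search == "Forbidden":
            raise SearchError(f"field '{name}' cannot be searched")
    for f in fields:
        if f.search == "Required" and not request_filter.get(f.name, "").strip():
            raise SearchError(f"field '{f.name}' is required")
    return {k: v for k, v in request_filter.items() if v.strip()}


def check_filter(fields: List[DataField], request_filter: Dict[str, str]) -> Optional[str]:
    """Convenience wrapper: None when accepted, otherwise the error message."""
    try:
        validate_filter(fields, request_filter)
    except SearchError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("opens with:", initial_search_fields(CUSTOMERS_GRID1))
    print("dropdown:  ", searchable_fields(CUSTOMERS_GRID1))
    print(check_filter(CUSTOMERS_GRID1, {"City": "Berlin"}))
    print(check_filter(CUSTOMERS_GRID1, {"CompanyName": "Alfreds", "ContactName": "Maria"}))
```

The check runs on the submitted dictionary, not on what the search bar rendered, which is the distinction that matters: the Forbidden mode only protects a field if the server refuses the filter as well as the UI hiding it.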

Thursday, May 17, 2012
Limiting Access to Data Views With Roles

The visibility of a data view on a page can be controlled with a Visible When expression written in JavaScript. For example, the child data view in a master-detail configuration may be shown or hidden depending on the value of a master field.

Both master and detail data views may also have visibility requirements that have nothing to do with the data. The user identity may be a contributing factor: for example, only administrative users should see certain data views on pages that are also available to other user roles.

The Roles property adds a level of identity control that complements the Visible When expression. Roles is set per data view, so a controller that is exposed on several pages needs the property set on each data view that must be restricted.

Start the Project Designer for the Northwind sample and select the Customers page in the Project Explorer hierarchy.

Change Customers / container1 / view1 (Customers, grid) data view node.

Property    New Value
Activator   Tab
Text        Customers

Add two data views to the Customers / container1 node with the following properties.

Data View #1

Property    Value
Controller  Employees
Activator   Tab
Text        Employees
Roles       Administrators

Data View #2

Property    Value
Controller  Products
Activator   Tab
Text        Products
Roles       Administrators

Change Customers / container2 / view2 (Orders, grid1) data view node.

Property    New Value
Roles       Administrators

Change Customers / container2 / view3 (CustomerCustomerDemo, grid1) data view node.

Property    New Value
Roles       Administrators

This is the hierarchy of the modified Customers page.

Modified 'Customers' page from Northwind sample created with Code On Time web application generator

Click Browse on the designer toolbar to generate the app. Sign in with the standard user account user/user123%.

This is the view of Customers page as seen by non-administrative user account.


Sign out and sign in as admin/admin123%. This user belongs to the Administrators role.

This is how administrator sees the same page.

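As an added illustration (not the generator's code), here is a Python model of the two visibility controls described above: the Roles property as a comma-separated role list, and the Visible When expression, which the generator evaluates as JavaScript, stood in for here by a Python predicate over the master row. The page layout follows the post; the identifiers of the two added views (view4, view5), the role name Users for the standard user account, and the sample master row are assumptions. The model also includes the check a practitioner wants alongside rendering: the Roles test is applied again when a view's data is requested, so hiding a tab is not the only thing standing between a non-administrator and the Orders rows.

```python
"""Model of data view visibility: Roles (identity) plus Visible When (data).

Added example, not Code On Time's implementation.  View ids view4/view5,
the 'Users' role and the comma-separated Roles format are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

MasterRow = Dict[str, object]


@dataclass
class DataView:
    id: str
    controller: str
    activator: str = "Tab"
    text: str = ""
    roles: str = ""  # comma-separated; "" means any signed-in user may see it
    visible_when: Optional[Callable[[MasterRow], bool]] = None  # stands in for the JS expression


def allowed_roles(view: DataView) -> FrozenSet[str]:
    """Parse the Roles property into a set of role names."""
    return frozenset(r.strip() for r in view.roles.split(",") if r.strip())


def role_allows(view: DataView, user_roles: Set[str]) -> bool:
    """Identity test: no Roles set, or the user holds at least one listed role."""
    required = allowed_roles(view)
    return not required or bool(required & set(user_roles))


def is_visible(view: DataView, user_roles: Set[str], master_row: Optional[MasterRow] = None) -> bool:
    """Render-time decision: Roles first, then the data-dependent Visible When."""
    if not role_allows(view, user_roles):
        return False
    if view.visible_when is not None:
        return bool(view.visible_when(master_row or {}))
    return True


# Constructed Customers page after the changes in the post (container1, container2).
CUSTOMERS_PAGE: List[DataView] = [
    DataView("view1", "Customers", text="Customers"),
    DataView("view4", "Employees", text="Employees", roles="Administrators"),
    DataView("view5", "Products", text="Products", roles="Administrators"),
    # Orders detail: administrators only, and only once a master customer is selected.
    DataView("view2", "Orders", roles="Administrators",
             visible_when=lambda row: bool(row.get("CustomerID"))),
    DataView("view3", "CustomerCustomerDemo", roles="Administrators"),
]


def visible_views(page: List[DataView], user_roles: Set[str],
                  master_row: Optional[MasterRow] = None) -> List[str]:
    """Ids of the data views rendered for this user, in page order."""
    return [v.id for v in page if is_visible(v, user_roles, master_row)]


class AccessDenied(PermissionError):
    """Raised when a request names a view the caller's roles do not allow."""


def authorize_view_request(page: List[DataView], view_id: str, user_roles: Set[str]) -> str:
    """Request-time check: apply Roles when the view's data is fetched, not only when rendered.

    Returns the controller that will serve the data.
    """
    view = next((v for v in page if v.id == view_id), None)
    if view is None or not role_allows(view, user_roles):
        raise AccessDenied(f"view '{view_id}' is not available to roles {sorted(user_roles)}")
    return view.controller


def can_request_view(page: List[DataView], view_id: str, user_roles: Set[str]) -> bool:
    """Boolean form of authorize_view_request for callers that do not want the exception."""
    try:
        authorize_view_request(page, view_id, user_roles)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    # Constructed role sets for the two accounts used in the post.
    print("user sees: ", visible_views(CUSTOMERS_PAGE, {"Users"}))
    print("admin sees:", visible_views(CUSTOMERS_PAGE, {"Administrators"}, {"CustomerID": "ALFKI"}))
    print("user may fetch Orders:", can_request_view(CUSTOMERS_PAGE, "view2", {"Users"}))
```

The two tests deliberately differ: Visible When depends on the selected master row and only affects rendering, whereas the Roles test is also repeated in authorize_view_request so that the answer does not depend on what the browser chose to show.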

Tuesday, May 15, 2012
Modifying Membership Manager

Code On Time web applications designed for Internet access have an option to include a built-in Membership Manager. This tool works on top of Microsoft ASP.NET Membership to simplify user and role management in generated apps. It uses exactly the same data controller architecture as the rest of the data controllers in a project.

Data controllers aspnet_Membership and aspnet_Roles are automatically created in a web application if the membership feature is enabled.

This is a typical view of the Membership Manager presented when you sign in as admin and navigate to the Membership page.

Standard Membership Manager in a web app created with Code On Time application generator

The data controller files can be changed in Visual Studio, but the changes will be overwritten the next time the application generator runs.

Instead, consider data controller virtualization when you need to modify the Membership Manager.

Select the project name on the start page of the generator and choose the Develop option. Visual Studio will load the project for editing. Create a new code file Class1.cs (or Class1.vb) under the ~/App_Code/Security folder of your project.

The extension class file for MembershipBusinessRules class displayed in Solution Explorer of Visual Studio

Enter the following definition of the partial class MembershipBusinessRules to virtualize the data controller definition at runtime.

C#:

using System;
using MyCompany.Data;

namespace MyCompany.Security
{
    public partial class MembershipBusinessRules
    {
        public override bool SupportsVirtualization(string controllerName)
        {
            return true;
        }

        protected override void VirtualizeController(string controllerName)
        {
            // remove lookup capability from the field "UserId"
            NodeSet().SelectField("UserId")
                    .SetItemsStyle(null)
                    .SetItemsController(null)
                    .SetItemsNewView(null);
            // select "grid1" view 
            NodeSet().SelectView("grid1")
                // add data field "UserId"
                .CreateDataField("UserId")
                    .SetReadOnly(true)
                // delete data field "Comment"
                .SelectDataField("Comment")
                    .Delete();
            // select "grid1" view
            NodeSet().SelectView("grid1")
                // re-arrange the data fields
                .ArrangeDataFields("UserUserName", "Email", "UserId");
        }
    }
}

Visual Basic:

Imports MyCompany.Data
Imports System

Namespace MyCompany.Security

    Partial Public Class MembershipBusinessRules
        Public Overrides Function SupportsVirtualization(controllerName As String) As Boolean
            Return True
        End Function

        Protected Overrides Sub VirtualizeController(controllerName As String)
            ' remove lookup capability from the field "UserId"
            NodeSet().SelectField("UserId") _
                .SetItemsStyle(Nothing) _
                .SetItemsController(Nothing) _
                .SetItemsNewView(Nothing)

            ' select "grid1" view, add data field "UserId", and delete data field "Comment"
            NodeSet().SelectView("grid1") _
                .CreateDataField("UserId") _
                    .SetReadOnly(True) _
                .SelectDataField("Comment") _
                    .Delete()
            ' select "grid1" view and re-arrange the data fields
            NodeSet().SelectView("grid1") _
                .ArrangeDataFields("UserUserName", "Email", "UserId")
        End Sub
    End Class

End Namespace

The new partial class complements the standard class MembershipBusinessRulesBase included in the application framework. It is possible to override any of its standard methods, such as SignUpUser or UpdateUser. The implementation above overrides only the data controller virtualization methods.

Save the code file and navigate to the Membership Manager.

You will see the globally unique ID (GUID) of each user. The data field Comment is no longer visible, and the remaining data fields are rearranged.

Virtualized data controller aspnet_Membership in action