security
Tuesday, May 15, 2012
Modifying Membership Manager

Code On Time web applications designed for Internet access have an option to include a built-in Membership Manager. This tool works on top of Microsoft ASP.NET Membership to simplify user and role management in generated apps. It uses exactly the same data controller architecture as every other data controller in the project.

Data controllers aspnet_Membership and aspnet_Roles are automatically created in a web application if the membership feature is enabled.

This is a typical view of the Membership Manager presented when you sign in as an administrator and navigate to the Membership page.

Standard Membership Manager in a web app created with Code On Time application generator

The data controller files can be edited in Visual Studio, but the application generator overwrites them on the next code generation, so changes made there are lost.

Use data controller virtualization instead when you need to modify the Membership Manager: the changes are applied to the controller definition at runtime, in a code file that the generator does not touch.

Select the project name on the start page of the generator and choose the Develop option. Visual Studio will load the project for editing. Create a new code file, for example Class1.cs (or Class1.vb), under the ~/App_Code/Security folder of your project.

The extension class file for MembershipBusinessRules class displayed in Solution Explorer of Visual Studio

Enter the following definition of the partial class MembershipBusinessRules to virtualize the data controller definition at runtime.

C#:

using System;
using MyCompany.Data;

namespace MyCompany.Security
{
    public partial class MembershipBusinessRules
    {
        public override bool SupportsVirtualization(string controllerName)
        {
            return true;
        }

        protected override void VirtualizeController(string controllerName)
        {
            // remove lookup capability from the field "UserId"
            NodeSet().SelectField("UserId")
                    .SetItemsStyle(null)
                    .SetItemsController(null)
                    .SetItemsNewView(null);
            // select "grid1" view 
            NodeSet().SelectView("grid1")
                // add data field "UserId"
                .CreateDataField("UserId")
                    .SetReadOnly(true)
                // delete data field "Comment"
                .SelectDataField("Comment")
                    .Delete();
            // select "grid1" view
            NodeSet().SelectView("grid1")
                // re-arrange the data fields
                .ArrangeDataFields("UserUserName", "Email", "UserId");
        }
    }
}

Visual Basic:

Imports MyCompany.Data
Imports System

Namespace MyCompany.Security

    Partial Public Class MembershipBusinessRules
        Public Overrides Function SupportsVirtualization(controllerName As String) As Boolean
            Return True
        End Function

        Protected Overrides Sub VirtualizeController(controllerName As String)
            ' remove lookup capability from the field "UserId"
            NodeSet().SelectField("UserId") _
                .SetItemsStyle(Nothing) _
                .SetItemsController(Nothing) _
                .SetItemsNewView(Nothing)

            ' select "grid1" view, add data field "UserId", and delete data field "Comment"
            NodeSet().SelectView("grid1") _
                .CreateDataField("UserId") _
                    .SetReadOnly(True) _
                .SelectDataField("Comment") _
                    .Delete()
            ' select "grid1" view and re-arrange the data fields
            NodeSet().SelectView("grid1") _
                .ArrangeDataFields("UserUserName", "Email", "UserId")
        End Sub
    End Class

End Namespace

The new partial class complements the standard class MembershipBusinessRulesBase included in the application framework. It is possible to override any of the standard methods, such as SignUpUser or UpdateUser. The implementation above overrides only the two data controller virtualization methods. Both methods receive the controller name; if the same business rules class is ever attached to more than one controller, compare controllerName with "aspnet_Membership" before changing fields and views, so that the edits are not applied to a controller that lacks those fields.

Save the code file and navigate to Membership Manager.

You will see the globally unique ID (UserId) of each user as a read-only column. The data field Comment is no longer visible. The remaining data fields are arranged in the order given to ArrangeDataFields.

Virtualized data controller aspnet_Membership in action

Friday, May 4, 2012
Rapidly Find Data Using Quick Find

The simplest method of searching for data in Code On Time web applications is Quick Find.

Quick Find is located on the left side of the action bar above grid views. It searches the fields that are visible in the grid. The application splits the search text on spaces and turns each word into a separate filter parameter of the query; a row is returned only if every word is found in at least one of its searched fields.

Quick Find text box on the action bar of Code On Time web application

For example, let’s find any customer that contains the text “owner”. Enter the text in the Quick Find, and press Enter on your keyboard. You can see that we now have a list of records that contain “owner” in the Contact Title field.

Search results for 'owner' in Customers grid view

Let’s find all owners in Mexico. In the Quick Find box, type “owner mexico”, and press Enter on your keyboard. This will fetch a shorter list. All data rows will contain both words in the fields. For example, “owner” is found in Contact Title, and “mexico” is found in Country.

The screenshot shows the search result for 'owner mexico'.

The order of words in the query does not matter. For example, search for “france owner”. The search will find all three owners from France.

Search results for 'France owner' in Customers grid view

You can also search for numeric values in any field of the record. Switch to the Products page, and search for “40”. The first product has “40” in Units On Order. The second product has a Unit Price of “40”. The third product has “40” in Quantity Per Unit.

Search results for '40' in Products grid view

Numbers and words can be mixed in the search query. Search for “40 biscuit”. The search finds the two records that match both terms.

Search results for '40 biscuit' in Products grid view

User input is never concatenated into the SQL text, which removes the possibility of an SQL injection attack through Quick Find. Search for “drop database”. No records will be found, and the database will not be dropped. The application framework puts parameter placeholders in the query and passes the user-entered words as parameter values, so the database engine treats them as data rather than as SQL. Note that typing SQL keywords into a search box is not by itself a test of injection resistance: the words “drop database” would sit harmlessly inside a quoted pattern even in a vulnerable application. What protects the query is the parameterization, which you can confirm by tracing the SQL sent to the server and checking that it contains parameter references rather than the typed text.

SQL injection attack by searching for 'drop database' is ineffective
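The following Python script is an added illustration and not Code On Time's own code. It builds a Quick Find query the way the text above describes (split on spaces, one parameter per word, every word must match at least one visible field) against a small constructed Customers table in SQLite, and places a deliberately vulnerable string-concatenation version beside it to show what parameterization prevents. The sample rows, the column list, the function names and the escaping of LIKE wildcards are all assumptions of the example, not details from the post.

```python
import sqlite3

# Constructed sample rows modelled on the Northwind Customers table (not real data).
CUSTOMERS = [
    ("ALFKI", "Alfreds Futterkiste", "Maria Anders", "Sales Representative", "Germany"),
    ("ANATR", "Ana Trujillo Emparedados y helados", "Ana Trujillo", "Owner", "Mexico"),
    ("ANTON", "Antonio Moreno Taqueria", "Antonio Moreno", "Owner", "Mexico"),
    ("BONAP", "Bon app'", "Laurence Lebihan", "Owner", "France"),
    ("CHOPS", "Chop-suey Chinese", "Yang Wang", "Owner", "Switzerland"),
]

# Fields Quick Find may search. This list is fixed by the application (the visible data
# fields of the view) and never taken from the request: column names cannot be bound as
# parameters, so they must come from an allow-list such as this one.
VISIBLE_FIELDS = ["CustomerID", "CompanyName", "ContactName", "ContactTitle", "Country"]


def open_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID TEXT, CompanyName TEXT, "
        "ContactName TEXT, ContactTitle TEXT, Country TEXT)"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def escape_like(word):
    """Escape LIKE wildcards so a user typing '100%' or 'a_b' matches those characters literally."""
    return word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_quick_find(text, fields):
    """Return (sql, params): each space-separated word must appear in at least one field.

    Words are ANDed together and fields are ORed within a word, which is the behaviour the
    post describes for 'owner mexico'. CAST(... AS TEXT) lets numeric columns match as well.
    """
    words = text.split()
    if not words:
        return "SELECT CustomerID FROM Customers ORDER BY CustomerID", []
    clauses, params = [], []
    for word in words:
        per_field = " OR ".join(f"CAST({f} AS TEXT) LIKE ? ESCAPE '\\'" for f in fields)
        clauses.append(f"({per_field})")
        params.extend(["%" + escape_like(word) + "%"] * len(fields))
    sql = "SELECT CustomerID FROM Customers WHERE " + " AND ".join(clauses) + " ORDER BY CustomerID"
    return sql, params


def quick_find(conn, text, fields=VISIBLE_FIELDS):
    """Parameterized Quick Find: the typed words travel as bound values, never as SQL text."""
    sql, params = build_quick_find(text, fields)
    return [row[0] for row in conn.execute(sql, params)]


def unsafe_quick_find(conn, text, fields=VISIBLE_FIELDS):
    """Deliberately vulnerable counterpart for comparison: words pasted into the SQL string."""
    clauses = [
        "(" + " OR ".join(f"CAST({f} AS TEXT) LIKE '%{word}%'" for f in fields) + ")"
        for word in text.split()
    ]
    sql = "SELECT CustomerID FROM Customers"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " ORDER BY CustomerID")]


if __name__ == "__main__":
    db = open_db()
    print(quick_find(db, "owner"))           # ['ANATR', 'ANTON', 'BONAP', 'CHOPS']
    print(quick_find(db, "owner mexico"))    # ['ANATR', 'ANTON']
    print(quick_find(db, "drop database"))   # []
    payload = "x'OR'a'LIKE'%"                # closes the quote; no spaces, so it stays one word
    print(quick_find(db, payload))           # [] : treated as literal text
    print(unsafe_quick_find(db, payload))    # every row: the filter was bypassed
```

The payload in the last two calls shows the real difference between the two functions: the concatenating version lets a single quote end the pattern and append `OR 'a' LIKE '%%'`, so the filter is bypassed and every customer is returned, while the parameterized version simply looks for that literal text and finds nothing. Searching for “drop database” returns an empty list from both, which is why that search alone proves little.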

You can clear any filter by either clicking on the “x” icon on the right side of the filter detail bar, or by clicking on the filter description.

Clear filter by clicking on the text of the filter description in Code On Time web app

Developers can also configure “hidden” fields to participate in Quick Find. Bear in mind that a field included this way still filters the result set, so users can probe its contents through the search box even though its value is never displayed; do not include a hidden field that holds data the user is not supposed to learn.

Friday, April 13, 2012
Permalinks Feature

Users often need to share a link to, or bookmark, a specific record. Code On Time applications offer the ability to create a permanent link (permalink) for a record.

First, you need to select a record.

Selected employee record in Code On Time web application

In the top left corner of the page, click on the Permalink option.

Permalink option on membership bar of a Code On Time web application

A textbox will appear to the right side of the link, containing the URL (permanent link) for the record. If you mouse over the permalink, you will see information about the record matching the info provided in the Summary area on the left side of the page. You can copy this link to the clipboard and share it with anyone via email or an instant messaging service.

Permalink created for selected record in Code On Time web application

The icon immediately to the right of the textbox allows you to add the link to your Bookmarks.

Add Permalink to Favorites

You can close the permalink textbox by either clicking on Permalink again or selecting the Close icon on the far right.

Closing the Permalink textbox in Code On Time web application

If you open the permalink from a bookmark, or click on one received from another application user, and you are not signed in, you will see the following prompt to log in to the web application.

Log in prompt in Code On Time web app

After you log in, the application redirects you to the correct page and selects the record, provided that your account is permitted to access the application and to see that data. The link itself grants nothing: it only identifies the record, and access is decided by the application's membership and data access rules at the moment the link is opened.

Permalinked record displayed after log in to web application

You can enable Permalinks in the Project Wizard.