I am creating a web app and I'm not sure how I should name the page that the user uses to set their preferences. I called it set-my-preferences but I'm wondering if it should be set-your-preferences.
Is there a naming convention for URLs relative to the user?
Should I use first person (my) or second person (your) in the URL?
PS: I doubt this question has not been asked already but I googled it and looked for it on stackoverflow and could not find anything
I suggest using set-my-preferences because it involves the user: people are more focused if a thing is about them. From my personal experience this has worked best for me.
I was tempted to ask this on the Academia Stack Exchange site, but I thought the question too technically specific.
For an assignment which specifies that students create websites, how do you detect if an online service (like Wix, simvoly or website.com) has been used to create these sites? Or is there a specific instruction that one could give that would be able to distinguish handwritten from template?
I have thought about asking that a specific comment be inserted in the markup, but if it's possible for these services to output HTML, there's nothing stopping someone from adding a comment like this after the fact. While really specific markup or code can be searched online to detect plagiarism, if the code is really generic this becomes quite difficult.
It depends on the service. Some services create specific files or directories, but in general HTML code generation is really good nowadays, so it is not easy to detect.
You could check the href attributes to see if there are some external files that the students forgot to download.
It's the first time that I have had to set up a MediaWiki site and I am relatively new to it as a whole.
My problem is that users can upload files (only images in my case) without selecting one of the licenses in the drop-down box on the Special:Upload page, even though I have defined licenses under MediaWiki:Licenses, so there are licenses selectable. I would like the upload warning function to tell users that a license is required to upload a file (the same way you are warned that the name is too short or whatever). The user must first pick a license before being able to continue.
I have searched around quite a bit and it doesn't seem as easy as changing a variable somewhere. If the solution is something that I should have known, I apologize for posting a stupid question...
Well, I've not checked again, but this is not really possible with MediaWiki:Licenses alone IIRC. You can however easily set MediaWiki:Licenses so that the default/fallback "license"/tag is something clearly bad like {{DELETEME}} and then set up an AbuseFilter rule to prevent the upload in question. AbuseFilter is very useful, so I recommend trying it anyway.
Alternatively, you can install the UploadWizard, which is very cumbersome to configure but is quite good at enforcing Wikimedia-specific habits like template/copyright paranoia. ;-) Then you can set $wgUploadNavigationUrl to point to UploadWizard, or even restrict Special:Upload visits to privileged users.
I've recently inherited an ASP.NET MVC 4 code base. One problem I noted was the use of some database ids (ints) in the URLs as well as in HTML form submissions. The code in its present state is exploitable through both URL tinkering and creating custom HTML posts with different numbers.
Now while I can easily fix the URL problems by using session state or additional auth checks, I'm less sure about the database ids that get embedded into the HTML that the site spits out (i.e. I give them a drop-down to fill). When the ids come back in a POST, how can I be sure I put them there as valid options?
What is considered "best practice" in terms of addressing this problem?
While I appreciate I could just "GUID it up" I'm hesitant to do so because I find them a pain in the ass to work with when debugging databases.
Do I have a choice here? Must I GUID to prevent easy guessing of ids or is there some kind of DRY mechanism I can use to validate the usage of ids as they come back into the site?
UPDATE: A commenter asked about the exploits I'm expecting. Let's say I spit out an HTML form with a drop-down list of all the locations one can import "treasure" from. The ids of the locations that the user owns are 1, 2 and 3; these are provided in the HTML. But the user examines the HTML, fiddles with it and decides to put together a POST with the id 4 selected. 4 is not his location, it's someone else's.
Validate the ID passed against the IDs the user can modify.
It may seem tedious, but this is really the only way to make sure the user has access to what they're trying to modify. Using GUIDs without validation is security by obscurity: sure, guessing them is hard, but they can potentially be guessed given enough resources.
You can do this at the top of the controller before you do anything else with the posted data. If there's a violation, just throw an exception and have your global exception handler deal with it; you don't need to handle it in a pretty way since you can safely assume that the user is tampering with data in an unsupported way.
The issue you describe is known as "insecure direct object references," and the OWASP group recommends two policies for dealing with this issue:
1. using session-based indirect object references, and
2. validating all accesses to object references.
An example of Suggestion #1 would be that instead of having drop-down options 1, 2, and 3, you assign each option a GUID that is associated with the original ID in a map in the user's session. When you get a POST from that user, you check to see which object the given ID was supposed to be tied to. OWASP's ESAPI has some libraries to help with this in various languages.
But in many cases Suggestion #1 is actually counterproductive. For example, in many cases you want to have URLs that can be copied and pasted from one user to another. Suggestion #2 is generally seen as the most foolproof way to address this issue.
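Both OWASP policies side by side, as an added example that is not part of the answers above and not ESAPI's API; it is written in plain Python rather than the asker's C# so the logic stays framework-free, and the user names, location ids and session dict are constructed sample data:

```python
import secrets


class AccessDenied(Exception):
    """Raised when a submitted reference does not belong to the current user."""


# Constructed sample data: which location ids each signed-in user owns.
OWNED_LOCATIONS = {
    "alice": {1, 2, 3},
    "bob": {4, 5},
}


def validate_direct_reference(user, posted_id):
    """Policy #2: the real id is in the form, so check it against the
    user's own set server side on every POST, before touching the data."""
    try:
        location_id = int(posted_id)
    except (TypeError, ValueError):
        raise AccessDenied("malformed id")
    if location_id not in OWNED_LOCATIONS.get(user, set()):
        raise AccessDenied("%s does not own location %d" % (user, location_id))
    return location_id


def render_indirect_options(user, session):
    """Policy #1: emit per-session random tokens instead of database ids.
    Returns the tokens to use as <option value="..."> in the drop-down."""
    ref_map = {}
    for location_id in sorted(OWNED_LOCATIONS.get(user, set())):
        ref_map[secrets.token_urlsafe(16)] = location_id
    session["location_refs"] = ref_map
    return list(ref_map)  # ordered like the sorted ids they map to


def resolve_indirect_reference(session, posted_token):
    """Policy #1, POST side: a token not issued to this session (forged,
    guessed or copied from another user's page) is rejected outright."""
    ref_map = session.get("location_refs", {})
    if posted_token not in ref_map:
        raise AccessDenied("unknown or forged reference")
    return ref_map[posted_token]
```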
You are describing Broken Access Control with Insecure Ids. Once you've identified the threat and decided which ids are owned by which users, ensure checks are in place for this server side.
I recently discovered this very useful NetBeans tutorial for creating a simple JSF 2 CRUD application: http://netbeans.org/kb/docs/web/jsf20-crud.html. The final product has somewhat limited usability, as one is confronted with a myriad of web pages. I would like an example of how to consolidate the Create and Edit forms (using the same project if possible). This seems more in keeping with how a person would actually enter such information and would reduce the risk of data entry mistakes. Why enter a client and their billing address on separate screens? One should be able to add or remove addresses, if need be, on the client's edit form. Or if a new client has multiple addresses, enter them all on the client's create form. The application just seemed incomplete with no further tips on how to improve it. If one knows of a useful book that covers this, then I would gladly read that as well. Thanks.
I didn't realize the complexity of my problem and found that I couldn't get what I needed using JSF2 with the information resources available. Through my searches, I also found that many others were asking about Master-Detail CRUD applications, which I then learned was what I needed, but in slightly different ways and not getting any solid examples. A problem properly stated is half solved and I didn't know the problem statement. Armed with more knowledge, I was shocked to find that the answers were not readily available outside of some videos on YouTube showcasing Oracle ADF. In the end, I was able to quickly build the application I desired using the Play! Framework. In a way, by not having my question answered I was able to find a solution that would prove to be a better fit for my needs; though I would have gladly bought a cookbook if someone had pointed one out.
Terminology: What do you call this type of web gui feature?
I'm trying to research a GUI interaction where the user chooses an option, and the next set of options is loaded based on the previous one.
I'm calling it cascading, but that doesn't seem to be right.
Example below:
User chooses company A
company A services load
user chooses service 1
service 1 loads, with only the options company A wants
...cycle continues...
Silly question probably, but I am tired of getting all these search results that have nothing to do with what I'm after. Thanks in advance for any guidance.
If it matters, I'm thinking of using jQuery for this, with a C#/ASP.NET backend. I chose not to include those in the topic tags as I didn't think the language would change the terminology.
I think you're right with cascading, if I understand you properly. ASP.NET/AJAX example here:
http://www.asp.net/ajax/ajaxcontroltoolkit/Samples/CascadingDropDown/CascadingDropDown.aspx