In Salesforce I have an account. On that account I have a couple of fields that are populated from the PHP SDK after some processes run in the background. The PHP SDK updates a field on certain conditions, when that happens I also would like to lock down that field to read-only. Can I do this from the PHP SDK?
You want your "lock" on database (or in this case - on Salesforce) level, not on the PHP SDK level. Because otherwise malicious user will just grab Data Loader or Excel Connector and go on with his update bypassing your lock ;)
Try out the Salesforce Validation Rules or (if your logic is complex) a "before update" trigger.
Example validation rule could look like:
condition:
AND(
ISPICKVAL(PRIORVALUE(Type),"Technology Partner"),
ISCHANGED(Type),
$Profile.Name <> "System Administrator"
)
error message to be displayed:
After Type has been set to "Technology partner" only Administrators can modify this field.
This is just a starting point, feel free to experiment and fine-tune. You can also disable this rule after migration.
Check out the Validation Rules functions help page or intro to Validation Rules for more goodies. The ISCHANGED() function should be especially useful for you.
Related
I've implemented the PHP library against a Sentry onpremise installation into a project which is working great, I have no problems with the functionality when its set up to work.
What I'd like to do is determine when for any reason the actual sentry recording fails, however struggling to find where in the application flow Sentry returns something that can be utilised to determine 'recording success'.
I've forced a failure by changing the DSN address being used in the Raven_Client construct to an invalid URL and can confirm events are NOT being recorded - which is expected.
The Sentry Raven_Client exposes a method getLastEventID() which seems to contain an ID at the creation of the event itself, and not upon successful submission to the server (which I expected it to be, and had done a check on to display my error page).
There is also a getLastError() method, which is null at the point my application (CodeIgniter) has entered the My_Exceptions::show_exception() method to display an error page to the client.
The SentryID is populated, and the error is null, and I'm not sure what else there is available to check on to know that the error report actually failed to be recorded.
The reason I want to do this is so that I can show a different view to the user (that doesn't say 'Support have been notified'; as they haven't) and also the functionality to check that $sentryEventId and show a custom feedback form obviously needs to be hidden as the sentryEventId is invalid and the feedback wont go anywhere.
If you are on version 1.10.0 of the Sentry PHP SDK and are not using any async way of sending the events (the default) the getLastEventID() will be null if the send action fails.
See also the PR that introduced this change.
I am wondering about the security of my application. I'm simply using twig loop to display all of my records in database. And everything is all right when I make separate site to display the details and there are buttons to e.g. delete this thing. It usually happens DELETE method and somebody can display only own details. But I want to have button to delete specific record in basic view where every records displayed e.g. next to title of item.
I cant do this by CreateFormBuilder because I cannot send the current id of the item from the form (or I just don't know how to do it). But is it secure? Everyone can change the id parameter of button and delete other record.
I can use AJAX and simply button in twig but this is the same case. Everyone can change e.g. data-id parameter in button and delete other record.
What I should to do in this situation? How you usually solve this problem?
Summarising I want to make a secure button to delete item next to each displayed record.
Have a nice day!
One of the way to secure AJAX routes is to use JWT (json-Web-Token) (see this : https://jwt.io/) instead of random string token. This token is crypted with the user's information to ensure the person who clicked on the button is allowed to do someting (and the token is send with the request in header of the request).
Anyway, you have to send something to identify the id of the element you want to erase or modify in your database. I would personnaly implement this JWT system, but the access to the page where you can see and click on these buttons must be protected too. This way, you can assume that the users don't have bad intentions.
Theis bundle (https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md#getting-started) can help you to implement this on symfony very easily (i'm new to this framework and i did this in a few hours - just a thing: if you use Apache, don't forget to allow override in your Apache configurations to allow the .htaccess of symfony to do his job, or headers will be strip by Apache - it makes me several hours to find why things did not work !).
Hope this will help !
It really boils down to what kind of app you want to build:
more traditional app - with full page refresh/navigation cycle
AJAX based - with all sorts of async calls to your server
In any case you choose, it is your responsibility to check whether the current user is authorized to make any change (deletion included) to an object. This comes as especially important in case of id being integer, which is predictable.
So, first, make sure your routes are protected from anonymous users, and second, make sure that you put in place permission strategy which allows/denies user's specific action.
Most of the permission-related stuff can be achived via Voters, but if you are really in need of heavy-lifting you can turn to ACL.
Hope this helps...
I am looking to create a setup for my website that a webmaster can complete to setup the required features of the webserver, such as the database, an administrator account, etc.
What I have planned so far is a $_GET variable will automatically be assigned (if not already!) to the user, the $_GET variable will be called something such as $_GET['step'] to represent what step the user is on. This will also allow me to easily display the specific form(s) for that specific step. For example, display the 'Database Setup' form on step 1, but then on step 2 display the 'Create an Administrator' form. I would do this by using switch statements.
However, if there was an error with the information that the user has given, such as a connection cannot be established with the given information, how would I check the information that was inputted and then display an error to the user, forcing them to change the information in the form, if they have been redirected to step 2 when they submitted the form?
Thanks,
Kieron
EDIT: Here is a Pastebin link to what I have so far: http://pastebin.com/Y6YSTrgR
I couldn't put it directly in this post as it wasn't formatting properly.
You've not shared enough technical detail for this question to be helpful, however if I understand you correctly then you could save each step into the session so that you can go back if necessary. This way you could persist the data if the user finishes the last step. If the user doesn't finish the last step, nothing has changed on the server.
Really you need to tell us more about the system, such as which framework you're using (if any) and describe more about how the overall process should work.
I am using a simple PHP API that takes requests and connects to a MySQL DB to store/retrieve user information. Example: Login is done using a HTTP POST to the API with username and password.
How do I prevent people from flooding my API with requests, potentially making thousands of accounts in a few seconds.
Thanks
You could serve a token generated and remembered on the server side which is rendered with your forms and validated when the form is sent back to your server. That prevents the user from just generating new post requests without actually requesting the according form from your server since they need the according token generated on your server to get it through.
Then there is the mentioned captcha which would be way too much for a login form from my point but when it comes to things like registering a new user the captcha in combination with the token sounds very good to me.
UPDATE
I Just found this article which is about floot protection of script execution in general. I think their approach is good as is the ip tracking provided you have the ability to use memcache or something similar to speed the checks up.
First, when registering a user, also save her IP address at the time of registration in the DB.
If the IP already exists within 45 minutes of previous registration, reject the request.
Another method is the Captcha, I personally prefer a different method that I found to be even more effective against robots.
Instead of asking the user to "type what they see in an image", and verify they are humans (or robots with sophisticated image processing),
Add another field (for example city), and make it hidden with javascript.
The robots would submit that field to the server, and humans would not.
Note that the robots must run the javascript in order to know what fields are hidden, and this is a time consuming process that they usually don't do.
(see turing halting problem)
I am working on a module in PyroCMS which uses Codeigniter. In this module users submit some sort of order at front-end and the moderator of the site will be notified and checks the order at the back-end, then he updates the row and the user is notified about the change. All done right now.
I am going to make things a little automatic. The process of supplying the order which is an electronic good like document file, etc is to search the other server ( ftp ) for the order and bring it to the main server.
So, I propose this workflow:
insert the row to the table ( front-end )
initialize the robot to search the ftp server and set a flag that the
robot is processing the order.
if found: transfer the file to the server and update the row and
flag.
if not found update the flag and let the manager do the rest of the
job.
Now, The thing is that I think it is not a good idea to put the robot code into the same controller and fire the robotic task with the http request from user. I mean, the form is submitted and I just want to insert the row and end the process and notify the user that it is submitted, then the robotic task should be done at the background.
Now we can update the workflow like:
insert the new row
notify the user that your order is submitted. and let user go.
run the background process (trigger it) to search the ftp server and
update the row upon success or do nothing upon error.
how can I do this type of background proccess? any idea or experience?
You can put your robot code to other php file and then run that php file using the php's system or exec command after successfull form submission. This will run like new php thread.
Hope this helps.