Is Hiding Server Controls Enough?


Question


I was thinking about developing a workflow application yesterday and was
musing over the different approaches that one could take in restricting
specific actions on a ticket (Form) at any said stage.

One approach I have used on other systems is to prevent the action buttons
appearing. For example, if one did not have the Role of Administrator, one
would be prevented from deleting a ticket not created by oneself.

However, it did occur to me that there was a possibility of manually
constructing the button code in the page which has been rendered to the
client.

If you have a button which was visible=false (not HTML hidden), then would
it be possible to invoke the backend function by manually adding the tag/id
etc for this button?

I guess I could experiment, but I wondered if there was an instant answer
available?
--
Best Regards

The Inimitable Mr Newbie o?o

Solution

No - hiding is not enough, as someone could simply reconstruct your hidden
elements.

At the least you need to use some form of access control, to verify who the
logged-in user is and then display the controls or not based on that
role.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director




OK, thanks for the reply. I do intend to use access control but I think
perhaps I didn't make myself clear enough.

Let's say that we have two users 'Jon' and 'Sarah'. John may delete anything
but 'Sarah' may only delete her own work.

Before the form is rendered, the control logic determines that this document
belongs to 'Jon' but that it is 'Sarah' who has opened it. Therefore the
logic sets the Visible property of the 'Delete' button to False so it is
not rendered to the client.

However, 'Sarah' is feeling evil today and decides to enter the tags she's
seen before on her own documents and loads the page, or at least somehow
manages to add this object into the document displayed and invoke its click
event.

Will this activate the server-side click event for this button regardless of
whether it has been displayed or not?

Regards Mr Newbie . . .




Yo Mr. Newbie,

Will this activate the server-side click event for this button regardless
of whether it has been displayed or not?

No it will not. It would require a great deal of skill to accomplish
something like this, if you do it correctly. That is, use an HtmlInputButton
Control or a Button WebControl (used as a Command Button would be best, as
this does not create a Submit button, and makes the job more difficult for
the would-be hacker). These controls use JavaScript to send information
about themselves in hidden form fields back to the server. So, the first
obstacle for Sarah would be not only to add a Delete button to the HTML,
but also to add the appropriate information into the hidden form fields. She
would also have to enter the correct information into the hidden ViewState
form field, in order to trick the server into reproducing the Page class and
Controls as if its previous state had included the button. This is because
HTTP is stateless. The server relies on the Request coming from the client
to reproduce its State if the Page is posted back. It has to build the Page
from scratch with each Request.

Sarah's only resort would be to get on to the computer right after John has
loaded the page in the state she wants, and to copy the HTML to another file
she could hide somewhere. Then, when John is gone, she could pull up the
page with John's information in it, and merge the HTML to create the state
she needs. Of course, this could be accounted for by a clever developer as
well.

In short, using Server Controls would indeed be your best bet.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.




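Both replies come down to the same rule: setting Visible=false is a UI decision, and the authorization decision has to be made again in the server-side handler on every postback. The ASP.NET Web Forms code-behind below is an added illustration written for this page, not code from either poster; the Ticket class, the CurrentTicket property and the TicketRepository are assumed.

```csharp
// Code-behind for the ticket page. Example added for this page, not from the thread.
// Assumed: a Ticket class with Id and OwnerUserName, a CurrentTicket property loaded
// from the request before Page_Load, and a TicketRepository with Delete(int).
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class TicketPage : Page
{
    protected Button btnDelete;               // the 'Delete' button from the .aspx markup
    private Ticket CurrentTicket { get; set; } // assumed to be populated in Page_Init

    // One authorization rule, shared by the UI decision and the action itself.
    private bool CanDelete(Ticket ticket)
    {
        var user = Context.User;
        if (ticket == null || user == null || !user.Identity.IsAuthenticated)
            return false;
        // Administrators may delete anything; everyone else only their own work.
        return user.IsInRole("Administrator")
            || string.Equals(ticket.OwnerUserName, user.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // UI decision only: Visible=false keeps the button out of the rendered HTML,
        // but nothing about that stops a client from posting back as if it were there.
        btnDelete.Visible = CanDelete(CurrentTicket);
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // Security decision: re-evaluate on every postback, regardless of whether the
        // button was rendered. This check, not Visible=false, protects the ticket.
        if (!CanDelete(CurrentTicket))
        {
            // Worth logging: a postback for a control this user should never have seen.
            throw new HttpException(403, "Not authorized to delete this ticket.");
        }
        new TicketRepository().Delete(CurrentTicket.Id);
    }
}
```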

