I'm writing a service in "C" and I'd like to display a warning window once the user tries to stop the service ( With "OK" and "Cancel" Buttons ).
Is there any specific windows API available to achieve this?
Any other simple ways are there to achieve??
No, this is not possible. Windows services are unable to interact directly with the user's desktop, so they will be unable to show a user interface of any kind.
This shouldn't really be a big deal, though. You have to have adequate permissions to stop and start a service, and by default, only Administrators have those rights. If you don't want users inadvertently stopping your service, then you should take advantage of permissions to solve that problem for you.
You stop a service with Service control panel; your service normally doesn't have access to this control panel process, so you can't override it's UI and present a dialog asking OK/Cancel.
I just learned the hard way that any calls made to the UI from a service will cause it to hang. MSDN does have a page here on work arounds.
If you don't want anybody to be able to stop the service, just tell the service manager that you don't accept stop messages. You could instead provide an application that stops the service (using some form of IPC) and that application could present as many warning messages as you wanted.
On the other hand, this will annoy your users, and it is unlikely to be necessary. By default, only administrators can stop services, and people are unlikely to try to stop your service without a good reason.
Related
In attached image button is disabled by default based on access, however if i delete the property highlighted it gets enabled & user can able to perform actions.
Please do provide solution to restrict it.
Please see image attached related to issue with chrome Developer tool
You can't stop the user from doing that. Its their browser, and it's entirely in their control. Any user can manipulate the page in any way they choose, and run any script they choose from the console, etc etc. If the have the knowledge and inclination, they can do as they please. If they want to change the page to try and make a malicious or incorrect submission of they data, they can.
The mitigation you can (and must) put in place is to check and sanitise all data coming into your server-side API to guard against what is coming from the client being malicious or otherwise inappropriate.
Bear in mind your API just accepts HTTP requests, there's nothing to say a client even needs to use your web app to make requests, they could use a tool like PostMan or any other HTTP client to attack it. They can bypass the browser completely. So you have to apply all permissions, data checking etc on the server first to ensure security. If you then apply it on the browser-based web app, that's nice but you have to regard it as just a usability feature - it can never provide any real security.
well, as all html code in the browser you cannot prevent it from being manipulated, never trust the client and check the access of this action in the backend.
Keep in mind that even if the button is disabled, a developer can rebuild the request of this form and send it without using any user interface.
There is an alternative way that you can do in this kind of situation. You must unbind the event when the button is disabled and bind it again when the button is enabled. It will solve your problem.
Much better sanitize it in server side.
I am creating an Angular 1 SPA. Certain controls are only visible to users with certain permissions. This is based on scope variables set by server api calls.
It occurred to me that if I could access these variables through a browsers dev console, I could change their values.
I tried this for example:
angular.element($0).scope().$parent.myUserInfo.accessType = "admin"
angular.element($0).scope().$apply()
And sure enough, the admin controls popped up on the page even though I was not logged in as an admin. Is there a best practice to stop this or am I going about it completely wrong?
The authentication always have to be made on the server side.
I don't know what you are trying to do, but if the user interacts with some webService/Rest API, etc... the server should disallow such interactions.
If the accessType property of your scope is just a way for you to know which UI you should display to the user, and the authentication/session mechanism is correctly handled by the server, that should not be a problem.
However, you cannot disallow the user to play with the dev console, so you'd better handle the authentication correctly.
I am not sure if there is a way of protecting values in $scope.
But as JavaScript is executed client-side and it is therefore be possible for users to modify said code, I would always verify permissions server-side. Then it wouldn't matter if users enable the admin controls client-side as they have no permission to use the api calls.
I am trying to develop a solution to following problem. I need to store in db information about time when user logged in and is on page. Currently I am writing to db when user login and logout with WCF service, but how to deal with situation when user closes window or goes to other webpage.
I am wondering if threaded function which calls every user every minute to check if he's alive is a good solution. Any help will be nice. Thanks.
If You can wait for data a bit(depending on Your aplication usage), You could save data to IsolatedStorage, and send it when user starts application again. It's pretty simple solution, but You will have to wait for data and some data will be lost, if user don't open application again(Again, depends on Your app).
Other solution would be sending data from JavaScript (How to call WCF from JS) during OnUnload or OnBeforeUnload event. Or even doing a simple HttpRequest from JS to some aspx site, passing time in query.
EDIT: Another thread is a nice idea(I have solution like this in my current project) but running it too often can clog IIS (depend on number of users, bandwidth etc). It also will prevent Session from timing out, even if user does nothing (that's main purpose for using this solution in my project).
I have a Silverlight application from which I have to call a ASHX file, something like this GetFile.ashx?orderId=4
The problem is that I want to allow this call to be made only through the application, and thus I thought of using some sort of authentication (sending the username+pass from silverlight) when calling the ashx file. I don't want to add them in the query string. Any other suggestions?
Thank you
The easy answer is to turn on ASP.Net authorization by whatever means are suitable for you.
If your users log in through an AuthenticationService in the Silverlight client, or through an ASP.Net page, you will be able to access the CurrentUser object from the HttpContext in your handler and from there do whatever checks you want.
The following link should get you started on finding more info if you need MSDN
I'm working on a 100% ExtJS application; the browser downloads all the JavaScript and a single HTML file once; everything runs in the browser after that.
When all the panels are rendered at startup (i.e., when Ext.onReady() fires) I need some panels to be hidden depending on the user's permissions. Is there a common/best practice for configuring the GUI at startup depending on user permissions?
I think one solution might be to have some panels hidden by default. An AJAX call could be made at startup to get user permissions, and then panels could be un-hidden depending on those permissions. However, I suspect there are better solutions.
Any tips would be greatly appreciated.
Note: I understand that the front-end javascript can't be trusted as the sole mechanism for security checks and that the backend application would need to verify all the actions received from the front-end.
Why not just write a server-side script that outputs privileged client-side code based on the user's authentication status? Instead of having your client-side code fetch permission data and branch on them, just have the client-side hit a script that outputs the appropriate javascript.
So if you've got a special "SuperAdminPanel" component, the only way the client ever sees the code is if they hit your authentication-aware user-js script, and are recognized as a super-admin.
In the general case, such a script could just echo out the appropriate script for the currently-authenticated user's level. It could easily be extended to pass code or configuration specific to individual users, as well.