zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-01 20:47:52 +02:00
Code Issues Projects Releases Packages Wiki Activity
google-nomulus/java/google/registry/ui/js/resource.js
guyben 6bddd5a8cb Send the "resource" ID in each resource action 
This is an intermediate CL, part of the Registrar Console cleanup.

TL;DR:
- the current state: resource.js points to a resource TYPE on the server (only registrars can be resources right now), but the specific resource is selected based on the user (we select the "first resource of this type that the user has access to)
- new state: resource.js points to a SPECIFIC resource (TYPE + ID).

In this CL the server still chooses the resource like before (first one that user has access to) but we make sure the returned resource is the same one we requested.

In a subsequent CL we will use the requested ID to load the resource, and then make sure the user has access to that resource.

---------------------------

When loading the RegistrarConsole HTML page, the server determines which clientId belongs to the user ("guesses" it by looking for the first registrar that has this user as contact). It sends the relevant clientId back with the page load.

However, this information isn't currently used in the JS requests to read / update the registrar. Instead, currently the client ID is guessed again for each JS access to the server. It is also saved again in the client's "session" cookie.

As a result, it is theoretically possible to have the JS access a different clientID than the original page load (not likely, since it requires a single user registered for multiple registrars AND that the contacts change for the original registrar).

So our goal is to only have a single clientID "value" instead of the 3 we currently have for JS requests (the one from the initial page load, the one saved in the session cookie, the one guessed on the JS request)

As a first step, we send over the "initial page load" clientId on every JS request, and make sure the "session + guessed" value is equal to that one. Later we will remove the "session+guessed" values from the RegistrarSettings, using the "initial page load" clientID instead.

In addition to the "nicer code" implications, having the clientID from the initial page load always used means it'll be easy to have a clientID selection option for users who have access to multiple clientIDs (such as admins)

SECURITY NOTE:the choice of clientID has no security implication since we make sure the user has access to the clientID no matter how we actually choose the clientID on every single server request.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=214459506
2018-10-03 11:55:50 -04:00

81 lines
2.4 KiB
JavaScript
Raw Blame History

// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
goog.provide('registry.Resource');
goog.require('goog.json');
goog.require('registry.Session');
goog.forwardDeclare('goog.Uri');
/**
* Provide a CRUD view of a server resource.
*
* @param {!goog.Uri} baseUri Target RESTful resource.
* @param {string} id the ID of the target resource
* @param {string} xsrfToken Security token to pass back to the server.
* @extends {registry.Session}
* @constructor
*/
registry.Resource = function(baseUri, id, xsrfToken) {
registry.Resource.base(this, 'constructor', baseUri, xsrfToken,
registry.Session.ContentType.JSON);
/** @const @private {string} the ID of the target resource. */
this.id_ = id;
};
goog.inherits(registry.Resource, registry.Session);
/**
* Get the resource from the server.
*
* @param {!Object} args Params for server.
* @param {!Function} callback for retrieved resource.
*/
registry.Resource.prototype.read = function(args, callback) {
this.send_('read', args, callback);
};
/**
* Update the resource on the server.
*
* @param {!Object} args params for server.
* @param {!Function} callback on success.
* @throws {!Exception} if the 'op' field is set on args.
*/
registry.Resource.prototype.update = function(args, callback) {
this.send_('update', args, callback);
};
/**
* RESTful access to resources on the server.
*
* @param {string} opCode One of (create|read|update)
* @param {!Object} argsObj arguments for the operation.
* @param {!Function} callback For XhrIo result throws.
* @private
*/
registry.Resource.prototype.send_ =
function(opCode, argsObj, callback) {
// NB: must be declared this way in order to avoid compiler renaming
var req = {};
req['op'] = opCode;
req['args'] = argsObj;
req['id'] = this.id_;
this.sendXhrIo(goog.json.serialize(req), callback);
};
Reference in a new issue View git blame Copy permalink