Re: [comanage-dev] REST API user


  • From: Benn Oshrin <>
  • To: Ioannis Igoumenos <>
  • Cc: COmanage Dev <>
  • Subject: Re: [comanage-dev] REST API user
  • Date: Mon, 10 Feb 2020 07:53:32 -0500

Hi Ioannis,

Since the browser cannot be trusted (for the most part, though Cake does provide form tampering detection), we must validate the username in the backend regardless. You can see this validation in Model/ApiUser.php:beforeSave(). If the user submits an invalid username, the check will fail and an error will be displayed.

The question then is how much effort should we put into the frontend to "lock down" the field? We prepopulate the prefix and provide informational advice in the field description, so most users will have enough context to do the right thing. For those who don't, after the form is submitted they will see an error message.

Proposals 1 and 3 make it harder for the user to submit an incorrect value, but (1) it should be pretty rare for this to happen and (2) it adds code that needs to be maintained. (In particular frontend code that tends to be fragile as browsers evolve.)

Proposal 2 is functionally the same as the current implementation, except without the visual cue to the user as to the prefix requirement, so I do not think we should take this approach.

For the other two proposals, I'll ask Arlen (our UX lead) to comment as to whether it is worth it or not.

Thanks,

-Benn-

On 2/10/20 2:01 AM, Ioannis Igoumenos wrote:
Hi Benn,

I was working on the changes to the REST API user and I have a question.

Currently, the edit view creates the prefix but gives the admin the
opportunity to change it. Put simply, the prefix is editable, which I
think is not the right path.

So, while trying to implement a non-editable prefix, e.g. co_xx, I could
not decide how to present this to the user. What is your opinion?

1. Add the prefix in the text field and use JavaScript to disable editing.

2. The username field should take only the username, and we add the prefix
in the beforeSave event. In the view that lists all the API users we
will show the full form of the username.

3. A CSS solution: a non-editable text field/label placed
behind/prepended to the existing one. On submit we add the prefix in the
beforeSave function.


Regards,

Ioannis
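The point Benn makes above, that the browser cannot be trusted and the prefix must be checked server-side regardless of any JavaScript or CSS lock-down, is illustrated by the following added example. It is not COmanage code and does not reproduce Model/ApiUser.php:beforeSave(); the prefix format "co_<coId>." and the character set allowed after the prefix are assumptions chosen for illustration. The constructed submissions mimic what a form might POST, including ones where the prefix was stripped or altered client-side.

```php
<?php
// Added example, not COmanage Registry code. Server-side validation of an
// API username that must carry a CO-specific prefix, applied to whatever the
// client submitted rather than to what the form was expected to send.
//
// Assumptions (not from the thread): the prefix has the form "co_<coId>." and
// the remainder is limited to letters, digits, '.', '_' and '-'.

function requiredApiUserPrefix(int $coId): string
{
    return 'co_' . $coId . '.';
}

/**
 * Returns null when $username is acceptable for CO $coId, otherwise an
 * error message suitable for display to the user. $coId must come from the
 * server-side record being edited, never from a submitted form value.
 */
function validateApiUsername(string $username, int $coId): ?string
{
    $prefix = requiredApiUserPrefix($coId);

    // Prefix check: rejects a username with no prefix or another CO's prefix.
    if (strncmp($username, $prefix, strlen($prefix)) !== 0) {
        return "Username must begin with '$prefix'";
    }

    $rest = substr($username, strlen($prefix));
    if ($rest === '') {
        return 'Username must have a name after the prefix';
    }

    // Restrict the remainder so a tampered form cannot smuggle in separators
    // or whitespace that later code might misinterpret.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $rest)) {
        return "Username may only contain letters, digits, '.', '_' and '-' after the prefix";
    }

    return null;
}

// Constructed submissions for CO 2: the first is what the prepopulated form
// sends untouched, the rest are what a user or a tampered form might send.
$coId = 2;
$submissions = [
    'co_2.reporting',     // correct
    'reporting',          // prefix removed client-side
    'co_7.reporting',     // prefix for a different CO
    'co_2.',              // prefix only
    'co_2.rep orting',    // disallowed character
];

foreach ($submissions as $username) {
    $err = validateApiUsername($username, $coId);
    printf("%-18s %s\n", $username, $err === null ? 'accepted' : "rejected: $err");
}
```

In a CakePHP 2 model this check belongs in beforeSave(), where the thread says the project already performs it; returning false from that hook aborts the save so the controller can show the error. Whichever of the three frontend proposals is adopted only affects how often the server-side check has to fire, not whether it is needed.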



