[+Adding security team]

@Security team: In the first approach above, we are supposed to store widget state details in the URL hash, as in the given example. Can this be a security loophole, since it exposes some of the data (e.g. search criteria) used by the widgets via the URL?

*Lasantha Samarakoon* | Software Engineer
WSO2, Inc.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 (71) 214 1576
Email: [email protected]
Web: www.wso2.com

lean . enterprise . middleware

On Fri, May 5, 2017 at 11:35 AM, Lasantha Samarakoon <[email protected]> wrote:

> [Dashboard] Sharing a dashboard
>
> Hi all,
>
> I am currently working on the dashboard sharing feature in the UUF dashboard
> component, which will allow a user to share a dashboard with its current state
> (i.e. selected field values, chart drill-downs, etc.). To implement this we
> need to maintain the state of each widget somewhere and retrieve those states
> in the dashboard restoring process. The same feature has been implemented in
> the previous dashboard version and it worked as follows.
>
> In dashboard 2.0.0 the gadget state is persisted in the URL hash. The
> dashboard exposes a client-side API [1] for gadgets to persist and retrieve
> data in the URL hash.
>
> *APIs:*
>
> wso2.gadgets.state.setGadgetState(state, callback);
> wso2.gadgets.state.getGadgetState(callback);
> wso2.gadgets.state.getGlobalState(callback);
> wso2.gadgets.state.setGlobalState(key, state, callback);
>
> Once the states are saved the URL will look like:
>
> https://dashboard.example.com/portal/dashboard/my-dashboard#/gadget-a/{data of gadget-a}/gadget-b/{data of gadget-b}
>
> One of the main advantages of this approach is that a user can simply copy
> the URL and share it. If the permission has been granted, others can view the
> dashboard with the exact state.
>
> In addition to the above approach, another approach has come up in our
> discussions to implement this feature, i.e. using the database as a
> persistence medium for widget states.
>
> *Using database as persistence medium:*
>
> In this approach we need to introduce a new button to save the current
> state of the dashboard in the database and provide a sharable link to
> restore it (somewhat similar to how Google Docs works). The sharable link
> will look like:
>
> https://dashboard.example.com/portal/shared/<KEY>
>
> The <KEY> in the above URL can be used to fetch the state with other
> meta-info from the database and restore the dashboard. Drawbacks of this
> approach are as follows.
>
> 1. User has to perform an extra action to get the sharable link.
> 2. Database will persist data for each share, so sometimes purging
>    will be needed.
>
> Appreciate your comments on the above to finalize the approach we are going
> to use on the UUF dashboard component.
>
> [1] https://github.com/wso2/carbon-dashboards/blob/2.0.x/components/shindig-wso2-features/src/main/javascript/wso2features/state/state.js
>
> Thanks,
>
> *Lasantha Samarakoon* | Software Engineer
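
The database-backed option from the original message, sketched as an added example (not WSO2 or carbon-dashboards code): the shared link carries only a random key, while the widget state stays server-side behind a permission check and an expiry that makes purging routine. `ShareStore`, its methods, the in-memory `Map` standing in for the database, the `canView` callback and the TTL are all assumptions.

```javascript
// Added example, not WSO2 code. ShareStore and its methods are hypothetical.
// CSPRNG: Web Crypto where available, Node's crypto module on older runtimes.
const webCrypto = globalThis.crypto ?? require('crypto').webcrypto;

class ShareStore {
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;        // injectable clock so expiry can be exercised
    this.rows = new Map(); // stands in for the database table
  }

  // Persist the widget states and return the opaque <KEY> for /portal/shared/<KEY>.
  save(dashboardId, widgetStates) {
    const bytes = webCrypto.getRandomValues(new Uint8Array(16)); // 128-bit key
    const key = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
    this.rows.set(key, {
      dashboardId,
      state: JSON.stringify(widgetStates), // kept server-side, never put in the URL
      expiresAt: this.now() + this.ttlMs,
    });
    return key;
  }

  // Resolve a key. canView(dashboardId) is the caller's permission check (assumed).
  // Unknown, expired and unauthorized keys all return null, so keys cannot be probed.
  load(key, canView) {
    const row = this.rows.get(key);
    if (!row || row.expiresAt <= this.now() || !canView(row.dashboardId)) return null;
    return JSON.parse(row.state);
  }

  // Purge expired shares; returns how many rows were removed.
  purge() {
    let removed = 0;
    for (const [key, row] of this.rows) {
      if (row.expiresAt <= this.now()) { this.rows.delete(key); removed++; }
    }
    return removed;
  }
}

// Constructed sample: the search criteria stay out of the link.
function demo() {
  let t = 0;
  const store = new ShareStore(1000, () => t);
  const key = store.save('my-dashboard', { 'gadget-a': { search: 'q3 revenue' } });
  const url = `https://dashboard.example.com/portal/shared/${key}`;
  const allowed = store.load(key, () => true);
  const denied = store.load(key, () => false);
  t = 2000; // advance past the TTL
  return { url, allowed, denied, expired: store.load(key, () => true), purged: store.purge() };
}
```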
