Yes, but you should reduce exposure on every surface and in every process. This makes for a more robust system overall. You never know who else may work on a system down the line. If someone breaks something in a silent, overlooked fashion, it's better to have overlapping layers of security and authorization that provide redundancy.
∞ Andy Badera
∞ +1 518-641-1280
∞ This email is: [ ] bloggable [x] ask first [ ] private
∞ Google me: http://www.google.com/search?q=andrew%20badera

On Thu, Sep 17, 2009 at 10:37 AM, Juan M. Oviedo <[email protected]> wrote:
>
> Well, I would validate the User in the Business Layer to make sure he/she has
> permission to do something, there are tools to disable buttons and stuff
> like that. (IE Developer tool).
>
> Juan M. Oviedo
>
>> Date: Wed, 16 Sep 2009 09:05:06 -0700
>> Subject: [DotNetDevelopment] Re: "Failed to load view state"
>> From: [email protected]
>> To: [email protected]
>>
>> Why disable would be a security issue?
>>
>> On Sep 15, 3:23 pm, "Juan M. Oviedo" <[email protected]> wrote:
>> > Disable??? That would be a security issue!
>> >
>> > Juan M. Oviedo
>> >
>> > Date: Mon, 14 Sep 2009 20:41:59 +0200
>> > Subject: [DotNetDevelopment] Re: "Failed to load view state"
>> > From: [email protected]
>> > To: [email protected]
>> >
>> > Well, it looks like that is the problem...Try not to hide it, but to
>> > disable it :)
>> >
>> > 2009/9/14 Ana <[email protected]>
>> >
>> > I came back to the page I was working before to see if I find what is
>> > firing this error message. I just realized that, even though I'm not
>> > creating controls dynamically, I'm showing/hiding controls dynamically
>> > in the FormView. For instance, some fields can only be updated if the
>> > user is the administrator; when the user is not the administrator,
>> > what I'm doing is hide the control (usually a TextBox). Can this be
>> > the reason why I'm having the error message?
>> >
>> > Thanks,
>> >
>> > Ana
>> >
>> > On Sep 14, 9:48 am, Ana <[email protected]> wrote:
>> >
>> > > Hi,
>> > >
>> > > Apparently what was happening was that in the EditItemTemplate the
>> > > formView had a Label, but in the InsertItemTemplate and ItemTemplate
>> > > this Label was not there. I removed the Label from the
>> > > EditItemTemplate and the error message is not being fired anymore. Can
>> > > anyone give me more details about this?
>> > >
>> > > Thanks,
>> > >
>> > > Ana
>> > >
>> > > On Sep 14, 9:32 am, Ana <[email protected]> wrote:
>> > >
>> > > > This problem is really driving me nuts! I'm working in a different page
>> > > > now, and am having the same problem (always associated with a
>> > > > formview). In the page I'm working now, the problem happened when I
>> > > > updated a record. I updated a record in the FormView, the GridView was
>> > > > bound correctly, but when I tried to update another record the "fail
>> > > > to load view state" error was fired again.
>> > > > I'm not creating any controls dynamically. I can't understand what is
>> > > > happening at all!
>> > > > I don't think that make EnableEventValidation="false" is the better
>> > > > way to solve this problem. As you said, Raghupathi, "we are giving a
>> > > > way to hacker to intrude by disabling the event validation".
>> > > > Anyone here already had this problem and can help me with this? I
>> > > > appreciate all help!
>> > > >
>> > > > Thanks,
>> > > >
>> > > > Ana
>> > > >
>> > > > On Sep 9, 11:55 pm, Raghupathi Kamuni <[email protected]> wrote:
>> > > >
>> > > > > To solve this problem,
>> > > > >
>> > > > > <pages enableEventValidation="false"/> in Web.Config or,
>> > > > > <%@ Page EnableEventValidation="false" %> in a page attribute
>> > > > >
>> > > > > By doing this, we are giving a way to hacker to intrude by disabling the
>> > > > > event validation.
>> > > > >
>> > > > > This can be prevented by use of RegisterForEventValidation methods of
>> > > > > ClientScriptManager class
>> > > > >
>> > > > > We need to register the server control ID with the all the possible values
>> > > > > that can be posted by JavaScript by that control in Render Event of the page
>> > > > > using
>> > > > >
>> > > > > ClientScript.RegisterForEventValidation()
>> > > > >
>> > > > > Check out this for the relevant article
>> > > > > http://www.codedigest.com/Articles/ASPNET/221_Using_JavaScript_Effect...
>> > > > >
>> > > > > On Wed, Sep 9, 2009 at 11:24 PM, Raghupathi Kamuni <[email protected]> wrote:
>> > > > >
>> > > > > > ViewState and Dynamic Control
>> > > > > > http://geekswithblogs.net/FrostRed/archive/2007/02/17/106547.aspx
>> > > > > >
>> > > > > > http://weblogs.asp.net/alessandro/archive/2008/01/04/failed-to-load-v...
>> > > > > >
>> > > > > > On Wed, Sep 9, 2009 at 11:01 PM, Ana <[email protected]> wrote:
>> > > > > >
>> > > > > >> Hi,
>> > > > > >>
>> > > > > >> In my page I have a Gridview and a FormView. For each row in the
>> > > > > >> GridView, there's a linkButton *Details* that shows the FormView with
>> > > > > >> the information about the selected record in the GridView.
>> > > > > >> In the FormView, users are able to edit and delete records. However,
>> > > > > >> every time I cancel the editing of a record and try to see the
>> > > > > >> formview for this record (clicking in *Details* on the GridView), I
>> > > > > >> have the following error message:
>> > > > > >>
>> > > > > >> --
>> > > > > >> Failed to load viewstate. The control tree into which viewstate is
>> > > > > >> being loaded must match the control tree that was used to save
>> > > > > >> viewstate during the previous request. For example, when adding
>> > > > > >> controls dynamically, the controls added during a post-back must match
>> > > > > >> the type and position of the controls added during the initial
>> > > > > >> request.
>> > > > > >> --
>> > > > > >>
>> > > > > >> What is happening here? Why this error message is being fired?
>> > > > > >>
>> > > > > >> Thanks in advance,
>> > > > > >>
>> > > > > >> Ana
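
The layered check discussed in this thread (hiding or disabling the admin-only TextBox is only a UI convenience, so the server re-checks the permission on every update), as an added C# example that is not part of the original messages. It does the check in the FormView's `ItemUpdating` handler as a stand-in for a business-layer check; the control ID `RecordFormView`, the field name `Salary` and the role name `Administrators` are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a page with a FormView declared in markup.
// Hypothetical names, not taken from the thread: RecordFormView (the
// FormView's ID), "Salary" (an admin-only bound field), "Administrators"
// (the role allowed to change it).
public partial class RecordPage : Page
{
    // Bound fields that only an administrator may change.
    private static readonly string[] AdminOnlyFields = { "Salary" };

    protected void Page_Init(object sender, EventArgs e)
    {
        RecordFormView.ItemUpdating += RecordFormView_ItemUpdating;
    }

    // Runs on the server for every update, regardless of whether the
    // TextBox was hidden or disabled in the page the browser received.
    private void RecordFormView_ItemUpdating(object sender, FormViewUpdateEventArgs e)
    {
        if (User.IsInRole("Administrators"))
            return; // administrators may change every field

        foreach (string field in AdminOnlyFields)
        {
            if (!e.NewValues.Contains(field))
                continue; // field is not bound in the current template

            string oldValue = Convert.ToString(e.OldValues[field]);
            string newValue = Convert.ToString(e.NewValues[field]);

            if (!string.Equals(oldValue, newValue, StringComparison.Ordinal))
            {
                // A non-administrator submitted a changed value for a
                // protected field: reject the whole update rather than
                // saving it silently.
                e.Cancel = true;
                return;
            }
        }
    }
}
```

With this in place, re-enabling or un-hiding the control with a browser developer tool does not let a non-administrator change the field, and `EnableEventValidation` can stay at its default.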
