
Set connection string dynamically and access report parameter values


Hi, thanks for the info on the ReportParameters collection, that works fine when the user has not supplied a value. However, let's change the example to make it clearer. Instead of dateFormat, let's have an int which is tenantKey. This is still a hidden parameter and defines which subset of data the user can access. Normally this is a hidden parameter and is not supplied in the JSON so the server can set the value. However, as the value is supplied from the client, it's possible the user can manipulate the JSON (using Fiddler for example) and attempt to supply values that they should not have access to. It's in this scenario that the server needs to be able to overwrite the supplied value and this is where I am currently stuck. Adding more parameters to control/switch the values does not help as the user can manipulate those.

I've taken your example and changed it to suit this. The user now tries to hack by specifying a value using JSON from the client, thus:

 

reportSource: {
 
    // The report can be set to a report file name (trdx report definition)
    // or CLR type name (report class definition).
    report: "Reports/tenantKey.trdx",
 
    // Parameters name value dictionary
    parameters: {
        tenantKey : 1
    }
},

And the server tries to correct the manipulated value but it can't:

 

ReportSource CreateInstanceReportSource(IReportDocument report, ReportSource originalReportSource)
{
    var instanceReportSource = new InstanceReportSource { ReportDocument = report };
    // Copies the client-supplied parameter values (including tenantKey) into the new report source.
    instanceReportSource.Parameters.AddRange(originalReportSource.Parameters);
    var concreteReport = report as Report;
    // TODO validate here
    if (concreteReport != null)
    {
        AddOrSetMissingMandatoryParams(concreteReport.ReportParameters);
        concreteReport.ItemDataBinding += (sender, args) =>
        {
            var processingReport = (Telerik.Reporting.Processing.Report)sender;
            // throw new SecurityException();
        };
    }
    return instanceReportSource;
}

void AddOrSetMissingMandatoryParams(ReportParameterCollection reportParams)
{
    // Sets the value on the report definition's tenantKey parameter.
    var tenantKey = reportParams.FirstOrDefault(rp => rp.Name == "tenantKey");
    tenantKey.Value = 2;
}

I can't attach the trdx file here, but it's pretty short:

 

<?xml version="1.0" encoding="utf-8"?>
<Report Width="6.5in" Name="Report1" xmlns="http://schemas.telerik.com/reporting/2012/3.8">
  <Items>
    <DetailSection Height="2in" Name="detailSection1">
      <Items>
        <TextBox Width="2in" Height="0.4in" Left="2.in" Top="0.8in" Value="= Parameters.tenantKey.Value" Name="textBox1">
          <Style>
            <Font Size="16pt" Bold="True"/>
          </Style>
        </TextBox>
      </Items>
    </DetailSection>
  </Items>
  <StyleSheet>
    <StyleRule>
      <Style>
        <Padding Left="2pt" Right="2pt"/>
      </Style>
      <Selectors>
        <TypeSelector Type="TextItemBase"/>
        <TypeSelector Type="HtmlTextBox"/>
      </Selectors>
    </StyleRule>
  </StyleSheet>
  <PageSettings>
    <PageSettings PaperKind="Letter" Landscape="False" ColumnCount="1" ColumnSpacing="0in">
      <Margins>
        <MarginsU Left="1in" Right="1in" Top="1in" Bottom="1in"/>
      </Margins>
    </PageSettings>
  </PageSettings>
  <ReportParameters>
    <ReportParameter Name="tenantKey" Type="Integer" Visible="True" AutoRefresh="True">
      <Value>
        <String></String>
      </Value>
    </ReportParameter>
  </ReportParameters>
</Report>

Hope that makes it clear.

 

Thanks for your help.
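
The override the post asks for, sketched as an added example that is not part of the original post and not Telerik's code: plain dictionaries stand in for the report source's parameter collection, and `TenantParameterGuard`, `Merge`, `fromSession` and the `year` parameter are hypothetical names. It assumes the merged set is what the server hands to the report source in place of the client's values.

```csharp
using System;
using System.Collections.Generic;

public static class TenantParameterGuard
{
    // Names only the server may set. "tenantKey" is the parameter from the post.
    static readonly HashSet<string> ServerOwned =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "tenantKey" };

    // Builds the parameter set to render with. Client values for server-owned
    // names are never copied; each such attempt is reported in 'tampered'.
    public static Dictionary<string, object> Merge(
        IDictionary<string, object> fromClient,
        IDictionary<string, object> fromSession,
        out List<string> tampered)
    {
        var result = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase);
        tampered = new List<string>();

        foreach (var kv in fromClient)
        {
            if (ServerOwned.Contains(kv.Key)) { tampered.Add(kv.Key); continue; }
            result[kv.Key] = kv.Value;
        }

        foreach (var name in ServerOwned)
        {
            object value;
            // Fail closed: no server-side value means no report, not a default tenant.
            if (!fromSession.TryGetValue(name, out value) || value == null)
                throw new InvalidOperationException("No server value for " + name);
            result[name] = value;
        }
        return result;
    }

    public static void Main()
    {
        // Constructed input: the tampered request from the post plus one ordinary parameter.
        var fromClient = new Dictionary<string, object> { { "tenantKey", 1 }, { "year", 2015 } };
        var fromSession = new Dictionary<string, object> { { "tenantKey", 2 } };

        List<string> tampered;
        var merged = Merge(fromClient, fromSession, out tampered);

        Console.WriteLine("tenantKey = " + merged["tenantKey"]);
        Console.WriteLine("ignored client values: " + string.Join(", ", tampered));
    }
}
```

A non-empty `tampered` list is worth logging with the authenticated user, since a hidden parameter is not normally present in the client's JSON at all.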

