Reusing HTML ReportViewer

14 posts, 0 answers
  1. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 21 Sep Link to this post

    I have an MVC application with a single page to render numerous reports based on user selection.  On the load of the page, no report is rendered until the users selects the desired report and sets some custom parameter controls then clicks a button to run the report.  In the button event handler, I am collecting the parameters and using $('#reportViewer1').telerik_ReportViewer(...); to display the report.  This works perfectly for the first run, but subsequent runs fail to reload the report, regardless of the parameter values changing.

    I have tried to test for the existence of the reportviewer as below but this didn't do the trick either.  Is there a way for me to reuse the reportviewer or destroy it and start fresh each time?

    var reportViewer = $("#reportViewer1").data("telerik_ReportViewer");
                if (reportViewer !== undefined)
                {
                    reportViewer.reportSource({
                        report: "Website.Reports.ParameterCheck, Website",
                        parameters: {
                            ...
                        }
                    });
                }
                else
                {
                    $('#reportViewer1').telerik_ReportViewer({
                        serviceUrl: "/api/reports/",
                        templateUrl: "../Reports/telerikReportViewerTemplate-FA.html",
                        //AuthenticationToken: "myToken",
                        viewMode: telerikReportViewer.ViewModes.INTERACTIVE,
                        scaleMode: telerikReportViewer.ScaleModes.SPECIFIC,
                        scale: 1.0,
                        reportSource: {
                            report: "Website.Reports.ParameterCheck, Website",
                            parameters: {
                                ...
                            }
                        },
                        ready: function () {
                            alert("refreshing");
                            this.refreshReport();
                        }
                    });
                }
  2. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 21 Sep in reply to Mike Link to this post

    I have also tried loading a blank report on document.ready and then just setting the reportViewer.reportSource (the code in the true clause of the if in my initial post) when the button is clicked, but still no luck.
  3. Katia
    Admin
    Katia avatar
    567 posts

    Posted 26 Sep Link to this post

    Hi Mike,

    In general, there would be no need to destroy the viewer when you need to change the report. Once created, the viewer's object can be accessed as following:
    var reportViewer = $("#reportViewer1").data("telerik_ReportViewer");

    Then, changing the viewer's report sources can be achieved as following:
    reportViewer.reportSource({
                    report: 'new report identifier here'
                });

    The project attached here demonstrates how to change the reportSource of the viewer with a button click event.
    If the issue persists send us a sample project that illustrates the issue in a support ticket  #1132161.


    Regards,
    Katia
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  4. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 26 Sep in reply to Katia Link to this post

    Thank you Katia,

    I'm not sure what I was doing wrong before, but things are working now.  Since there is not a specific report which would load with the page I have created an empty report to use in the document.ready method.  This is less than ideal, but workable since the section with the reportviewer is hidden at that point.

    I have another questions which is somewhat related.  If this needs to be a separate ticket, let me know.

    I am using custom parameter controls.  One of the parameters which I need to pass to all of the reports should never be able to changed by the user.  My custom parameters do not include this field and I am setting its value in a custom Resolver class.  However, if I would add a value for this parameter in the JSON/javascript when loading the report, it will accept that value and override the value I set in the Resolver.  Is there a way to either prevent this from occurring or intercept the parameter being passed in from the client and set it then?

    Mike

     

  5. Katia
    Admin
    Katia avatar
    567 posts

    Posted 29 Sep Link to this post

    Hi Mike,

    ReportSource.Parameters are not accessible inside custom resolver's Resolve() method. You will need to pass this parameter with reportSource.report string which will be available inside the resolver.


    Regards,
    Katia
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  6. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 29 Sep in reply to Katia Link to this post

    Katia,

    I am able to get the value I need within the Resolve method through Identity in order to set the parameter.  What I need is to prevent that parameter from being set outside of that method.  We cannot have someone spoof a different value which they should not have access to.  

    Mike

     

  7. Katia
    Admin
    Katia avatar
    567 posts

    Posted 29 Sep Link to this post

    Hi Mike,

    You can set the Visible property of report parameter to false in Report Designer. This way it will not appear in the viewer and the end user cannot modify it.

    Regards,
    Katia
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  8. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 29 Sep in reply to Katia Link to this post

    Katia,

    We are using a custom UI to provide the parameters for the report and sending them over through javascript.  We do not have UI to set this parameter, but if the value is present in the JSON for the ReportSource parameters, it will accept that value and overwrite the one set in the Resolver.  Is there a way to prevent that?

    Mike

  9. Katia
    Admin
    Katia avatar
    567 posts

    Posted 29 Sep Link to this post

    Hi Mike,

    No you cannot prevent the overriding of those values, ReportSource.Parameters are applied to the already resolved ReportSource object returned by the resolver's Resolve() method.

    You need to make sure the correct values are passed with ReportSource.Parameters or are set in report's ReportParameters collection.


    Regards,
    Katia
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  10. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 29 Sep in reply to Katia Link to this post

    Katia,

    Is there no other place within the REST service calls where we would have a chance to intercept this value?  I would think that this is something should be addressed somewhere.  For our scenario, this value would be the client's ID.  If someone is able to spoof this value by making a request to the REST service, they would be able to view retrieve data for another client.  Maybe I am going about this incorrectly.  I would think that there is some way to close this security hole.

    Mike

  11. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 03 Oct in reply to Mike Link to this post

    Katia,

    Any word on this?  This is currently a huge concern moving forward with Telerik Reporting and we need to be able to resolve this as soon as possible.

    Mike

  12. Katia
    Admin
    Katia avatar
    567 posts

    Posted 04 Oct Link to this post

    Hi Mike,

    To protect the data shown in the report you can use the value of report parameter in the data-retrieval logic (Using Parameters with Data Source objects) or in report events (Using Report Events).
    To avoid overriding of the parameter value set in resolver by reportSource.parameters values, do not provide an option to set these values in the viewer (set Visible property of the parameter to false).

    The custom report resolver is executed on the server, after the client sends a report string. This is the place where you can set the parameter value without the client knowing about it. 

    Further approaches for securing the service methods are provided in support ticket #1131296 which you raised earlier.

    Note that your current subscription allows you to open support tickets, you can submit one from this page after logging to your account that has an assigned subscription.
    Submitting a support ticket guarantees you a response time according to your support plan. We do not always have a chance to reply in timely manner in forums. Thus, for urgent issues it is better to use the ticketing system.


    Regards,
    Katia
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  13. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 04 Oct in reply to Katia Link to this post

    Katia,

    I think I found a solution to this.  Since this parameter was necessary for our reports to run yet critical that the value could not be altered by a user, we needed something downstream of the Resolver class we had defined.  In tracing through the requests to the REST service, and looking at the methods for the ReportsControllerBase, we were able to override the CreateInstance method and set our value there.  From what we determine through Fiddler, at this point there were no longer any requests which dealt with the parameters and are fairly confident that there would be no way for a user to alter any of the requests to the REST service and change this value.

    public override HttpResponseMessage CreateInstance(string clientID, ClientReportSource reportSource)
    {
        reportSource.ParameterValues["ClientID"] = User.Identity.GetUserClientID();
        return base.CreateInstance(clientID, reportSource);
    }
  14. Mike
    Mike avatar
    9 posts
    Member since:
    May 2017

    Posted 04 Oct in reply to Katia Link to this post

    Katia,

    Since the parameter we were trying to set was necessary for the reports to run but critical that the value not be changed by a user in any way during requests to the REST service, we needed something downstream from the Resolver which we had defined.  By watching the requests in Fiddler and looking at the methods for the ReportControllerBase we ended up overriding the CreateInstance method in the ReportController to set the parameter there.  We are fairly certain that none of the request to the REST service after this deal with the parameters and feel that this should ensure that this parameter's value is set by us and cannot be altered when making requests to the REST service.

    public override HttpResponseMessage CreateInstance(string clientID, ClientReportSource reportSource)
    {
        reportSource.ParameterValues["CustomerID"] = User.Identity.GetUserCustomerID();
        return base.CreateInstance(clientID, reportSource);
    }

     

    Mike

Back to Top