﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>Jimmy Bogard commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>@Jeff
  
  
There's some pointless configuration there - the Time member configuration isn't needed, AutoMapper can handle object-&gt;string w/o configuration. The second one I'd argue isn't needed either, you could just name the destination member OwnerName and be done with it.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment13</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment13</guid><pubDate>Mon, 14 Mar 2011 12:41:19 GMT</pubDate></item><item><title>Jeff commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>What benefit do you get from using AutoMapper at all in the scenario? Looks like somebody is using it just for the sake of using it...
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment12</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment12</guid><pubDate>Sun, 13 Mar 2011 05:00:48 GMT</pubDate></item><item><title>Christopher Wright commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>I really want a preview function for these comments. The essence is providing a lastPost value of DateTime.MinValue (or something else very far in the past).
  
  
If you're guaranteeing that boards have a limited lifecycle in terms of number of updates, though, that wouldn't be so bad.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment11</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment11</guid><pubDate>Sat, 12 Mar 2011 21:31:10 GMT</pubDate></item><item><title>Christopher Wright commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>GET 
http://whiteboard/getlatestpost?boardId=something&amp;lastPost=0001-01-01
  
This is a problem since a single call can create arbitrary amounts of work. If you require multiple calls, then you can have a firewall rule limiting the number of simultaneous connections from a given source or the number of connections from a source per minute. That guarantees that you can use the majority of server resources to process legitimate requests. If it's a single call, though, you're going to tie up an unbounded amount of memory and DB resources with no way to throttle individual users.
  
  
Also, your title for the next post kind of gave it away. Though since I've been reading your blog, the phrase "unbounded result set" is baked into my cerebellum, and it's also the major player in most of my nightmares.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment10</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment10</guid><pubDate>Sat, 12 Mar 2011 21:29:13 GMT</pubDate></item><item><title>Corey commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>Using AutoMapper like this ends up littering the code-base with a ton of dependency on AutoMapper. You could easily reduce that dependency to one place with an extension method. posts.Map(update.Posts);
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment9</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment9</guid><pubDate>Sat, 12 Mar 2011 17:24:42 GMT</pubDate></item><item><title>kshitij commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>What did automapper really them?
  
  
Syntax for mapping seems quite verbose.
  
  
Seems like all it avoided was a foreach on the posts.
  
  
Couldn't they have just created a mapper class of type IMapper&lt;from,to&gt; instantiated it once?
  
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment8</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment8</guid><pubDate>Sat, 12 Mar 2011 14:11:46 GMT</pubDate></item><item><title>Nick commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>Escaping output is usually handled by the view engine, pete. I don't think you could call that one a bug. But if they don't output encode in the view then you're right.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment7</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment7</guid><pubDate>Fri, 11 Mar 2011 20:52:21 GMT</pubDate></item><item><title>Nick commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>There are actually 2 security vulnerabilities.
  
  
If no anti-forgery token is required (you can set this globally in MVC 3 with special filters) then they are open to CSRF attacks.
  
  
I think the main point would be the passing around of ID's though as the poster above says. Pretty obvious.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment6</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment6</guid><pubDate>Fri, 11 Mar 2011 20:51:00 GMT</pubDate></item><item><title>Corey commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>Once authenticated you can pass in whatever id's you want and there is no restriction to the logged in user.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment5</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment5</guid><pubDate>Fri, 11 Mar 2011 13:59:04 GMT</pubDate></item><item><title>Ryan Heath commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>I think escaping is a responsibility of the view. 
  
In this case the conversion to Json.
  
  
It bothers me more that Time is converted to string.
  
-- .ForMember(dest =&gt; dest.Time, opt =&gt; opt.MapFrom(src =&gt; src.Time.ToString()))
  
  
// Ryan
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment4</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment4</guid><pubDate>Fri, 11 Mar 2011 13:43:16 GMT</pubDate></item><item><title>Pete commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>At first, I didn't like that "lastPost" input string was being sent to the Model if there were no updates - always a bad idea to echo user input to your output - but that looks safe as the "Parse" method is effectively validating user input (it will throw if the string is not a date string).
  
  
Next thing is that you are not escaping output: Owner.Name is not being escaped on output.  
  
  
Rule of thumb is to ALWAYS "validate input, escape output" and that will catch _a lot_ of security issues.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment3</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment3</guid><pubDate>Fri, 11 Mar 2011 12:39:49 GMT</pubDate></item><item><title>Walter Poch commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>I'm not sure how the system behaves but if there are some limitations in which board a user can see, the security check is missing and the boardId is passed directly to the _postRepository, which isn't responsible for security concerns.
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment2</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment2</guid><pubDate>Fri, 11 Mar 2011 11:20:28 GMT</pubDate></item><item><title>Ryan Heath commented on Reviewing OSS Project: Whiteboard Chat&amp;ndash;setup belongs in the initializer</title><description>DateTime lastPostDateTime = DateTime.Parse(lastPost); 
  
  
They could have used DateTime.TryParse/.TryParseExact or changed the type from string to DateTime.
  
DateTime.Parse will throw exceptions when lastPost cannot be parsed.
  
  
Ironically, in my spoken language 'lastPost' means 'menace' :)
  
  
// Ryan
</description><link>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment1</link><guid>http://ayende.com/4779/reviewing-oss-project-whiteboard-chat-setup-belongs-in-the-initializer#comment1</guid><pubDate>Fri, 11 Mar 2011 10:57:28 GMT</pubDate></item></channel></rss>