Sunday, 20 March 2016

Hacking SharePoint input field Validation


Problem: Here is an easy way to step around SharePoint 2013's input field validation for a drop down list.  Any list contains a drop-down list (configured to only allowed to chose values from the drop down list), using Internet Explorer (IE) developer tools and amending the DOM, when posting the form, the change value is inserted into the list.
Replication Steps:
  1. Open IE go to the list to add a new list item (the list must have a drop down field column), hit Fn+F12 to open the IE Dev toolbar.
  2. In the "DOM Explorer" tab select the "Select element" icon (top left).
  3. Click on the drop down control i.e. "Primary/Secondary" input control as shown below.
  4. Edit the DOM value for the item selected to some crazy text and save the form.
  5. Open the item in view mode and you will see the crazy data as shown below circled in red in the bottom picture.  


Project Server 2013 Overview Notes

Project Server 2013 is a Service Application and part of SharePoint Server 2013.  You install the on-prem. version on a SP2013 farm and need to follow the best practices for your SharePoint farm.
  • A Project Web Application (PWA) is a a single site collection.  
  • Consider storing each PWA in it's own content database.
  • Each PWA site collection is made up of multiple projects (each project has it's own SharePoint sub site).
  • Project 2013 online or a project server 2013 on-prem are the hosting options.
  • OData services for reporting, Excel can be used to create and view reports.  This is the approach to use on Project Server Online.  Each PWA instance on-prem. can add OLAP cubes from the PWA manage SSAS screen, once the default cubes are generated, it easy to query using Excel or SSRS (assuming you have the infrastructure). 
  • A single Project Web App database for each Project Server 2013 instance whereas in Project Server 2010, each instance had 4 Project Server databases (Draft, Publish, Reporting, and Archive).
  • Upgrade to Project Server 2016 from Project Server 2013 only.
  • PWA manages security and WSSSync manages the security syncronisation with the SharePoint project sub sites.
  • No user management in PWA, now all done in SharePoint assuming SharePointPermissionMode.  SharePointPermissionMode done in SP not in PWA (What ProjectPermsissionMode), pref SharePoint permissions mode.  oldproj server guys prefer ProjectPermissionMode say it gives more fine grained security control.
  • PWA Security explained https://technet.microsoft.com/en-gb/library/fp161361.aspx
  • To access Project Server 2013 with the Project Server client application (desktop software) you can't use the Standard edition but need the pro edition (Microsoft Project Server professional 2013).
FluentBooks from FluentPro looks good for ALM between environments and PWA instances:
  • Desktop tool - Offline Management - download configuration & then uploads configuration to the new PWA
  • Is there anything to install on the farm? No
  • Ports needed? 80 or 443 Uses web Services (PSI & CSOM when uploading change).
  • Highly configurable such as mapping account between domains as we move environments.


Archiving between 2 PWA instances using FluentBooks
================================

  1. Download/Export projects into a FBB file(s), new project professional client.  Gets the Project data.
  2. Download SharePoint sub sites
  3. Upload FBB file to archive PWA 
  4. Upload sub-sites into the archive PWA


More Info:
https://technet.microsoft.com/en-us/library/ff631142.aspx  Project Server 2013 and SharePoint Security
https://www.fluentpro.com/productsfluentbooks.htmll  FluentBooks website

Alternative:  
Bamboo Solutions appear to have a good Project Management Solution that has gone thru several iterations.  Project Manager Central sits on SharePoint 2007, SP2010 or SP2013.  Similar concept to Project Server, Portfolio site is a site collections and then project sites are sub-sites.  There is also an option to have Department sites whereby a sub site is created that subscribes to multiple project sites.

Sunday, 13 March 2016

How Browser Cookies work in SharePoint

Overview:  SharePoint by default uses disk-based persistence using a FedAuth Cookie.  In most enterprise clients there are multiple different application and authentication providers.  Cookies can be set for session persistence in multiple ways and as the application world is walking toward SSO is becoming even more prevalent for unexpected behaviour to happen with cookies.

Thoughts:
  • Cookies that keep are responsible for authentication can be stored for the browser sessions either on Disk or in session.
  • By default, SharePoint uses disk-based authentication for the user's session using the FedAuth cookie.  Switching to session based persistence should not be undertaken without considerable forethought.
  • Watch out for IE's odd behaviour relating to session whereby domain level permissions are passed down to sub-domains.

More Info:
http://erik.io/blog/2014/03/04/definitive-guide-to-cookie-domains 
http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
https://blogs.msdn.microsoft.com/ie/2009/05/06/session-cookies-sessionstorage-and-ie8-or-how-can-i-log-into-two-webmail-accounts-at-the-same-time/