Learning

January 26, 2013

The "Security Review": What to Expect

by Philip Leslie; ProOnGo Expense

If you are new to the Intuit Partner Platform, one step in the process that might have caught your eye is the security review that happens once you've finished development and internal testing. It's a checkpoint that helps maintain a high quality bar on apps that are destined for Intuit App Center or live customers, and emphasizes the unique security expectations that come with your request to access sensitive QuickBooks data.

If you've already pencilled in some time on your calendar to navigate the security scan, you are no doubt trying to size the effort involved in preparing for the scan, going through the scan, and following up to solve any vulnerabilities discovered during the scan. The purpose of this post is to give you a practical perspective on some of the time, effort, and resources that go into successfully passing the scan. As the developer of ProOnGo Expense, we've been through the scan several times, and so I'll speak from first-hand experience.

Part 1: Preparing for the Security Scan

Some startups that are launching a web app for the first time start out with the "deploy first, test second" strategy; i.e., going straight from testing on localhost to deploying to a public-facing "live server", with no intermediate "staging server". If that describes your current arrangement, it's time to graduate to a deployment strategy that provides some level of isolation on a staging or test server. Why? The security scan will definitely include attacks where the test is clearly trying to peg the CPU (sometimes on a sustained basis, sometimes momentarily):


Equally certain, is that your site will be exposed to SQL injection, XML injection, XSS attacks, and various SSL and TLS-related validation. All of these are things you'll want to experience first on a staging/test server, to harden your security in an isolated environment. Your server logs will suddenly become much more interesting than usual, with tens of thousands of requests like this trivial example:

https://example.com/yourscript.php?page=1%3Ciframe+src%3Djavascript%3Aalert%2868140%29%3E 

Although my observation is that the tests are designed to be as non-destructive as possible, the dynamic nature of the tests combines with the sheer volume and variety of test cases, makes it impossible to predict what impact they would have on your system.

At ProOnGo, here are some of the steps we take to prepare for a security scan. Our terminology is AWS-centric, but the concepts apply equally to Azure and other cloud-hosting options:
  • Web Server Machine Image & Instance: We create a machine image of our staging server, frozen at a last-known-good changelist, and we spawn a new/isolated/separate instance of the staging server to be the target of the security scan.
  • Database Image & Instance: We bring up a database instance that is conforms to the normal database schema used by our live server, but containing none of the live customer data that our production database contains. Then, we dump output containing MRU timestamps of the DB tables, so that later on we can easily determine which tables were written to (and which ones weren't) during the test.
  • Session-Handling: We isolate our session-handling infrastructure similarly; ensuring that any SESSION-related attacks are sandboxed from having any production impact (I'm looking in your direction, shared instances of memcached)
  • Outbound Network Scrub: We scrub-and-disable certain parts of our source tree that lead to calls to external service providers; i.e., just because we're going through a security scan, does not mean that our partners are prepared to. We disable certain code that triggers outbound mails, eCommerce actions, and other services.
  • Log-Clearing: We clear our web server logs, so that we don't have to wonder what portion of the logs were caused by the security scan.
While taking these and other actions, you'll also want to preview the security questionnaire. This is one of the easiest things you can do to save yourself time: if you spot anything in the questionnaire where you know or believe you have a vulnerability, save yourself some time by mitigating up front. The alternative -- failing the test, mitigating, potentially re-testing, and all of the coordination that goes along with it -- will undoubtedly delay the launch date of your production app.

Part 2: Going through the Security Scan

One of the terrific things that's happened during all of the security scans we've been party to, is that we've been able to request that the bulk of the testing happen within a particular 2-3 day time period. Further, each time we've agreed on a particular time-of-day for the test to start. That's been helpful because we can literally be viewing the tail of the web server log at the very minute that the testing is scheduled to begin, to be sure that it's off to a successful start. Although we do our best to be sure that our instances are ready for testing, there's nothing like seeing the web traffic start to flow to know that the security scan process is underway.

If you watch your web server logs and your diagnostics related to disk I/O, CPU, and memory use, you'll get the added benefit of watching to see whether your various throttling, fail-over, and/or auto-scaling triggers get tripped and whether they respond the way you designed. It can be difficult to get a full grasp of that in a post-mortem analysis; we prefer to watch this happen interactively. Another benefit of watching your logs interactively is that you start to see patterns of the kinds of attacks that are being tried, and perhaps that knowledge will help you manually scrutinize parts of the system that you know are not getting the full brunt of the testing.

We've also had situations where our throttling precautions caused us to dramatically slow or stop the acceptance of web traffic from the test, and it was helpful to catch that early on and work out a plan with the security test team to get them "the access they needed" while still taking credit for the fact that our throttling did what it was supposed to do.

We've never seen a scan take fewer than several hours, and we've never had it take more than three days, but as always "your mileage may vary".


Security-Scan-CPU-Usage


Part 3: Following-Up on the Security Scan

Sometime after the scan (likely within a week), you'll find yourself on the phone with the penetration testers that administered the scan, walking through a report of their findings. The first time (and every time since) we've appreciated the level of detail in the report. In many cases, the findings will come with an example of an HTTP request that demonstrates the defect. You may or may not have access to the same tools that the penetration testers used, but if you sharpen your cURL command-line skills, you'll have a good chance at repro'ing many of the HTTP POST, HTTP GET, TRACE, or TRACK attacks.

As for XSS attacks, you'll likely find yourself at a browser window pasting in a URL with a frightening string of characters in the params. You might need to have your web server send a "X-XSS-Protection" header, to cause your webkit browser act naive about XSS (therefore acting a little bit like an older less cautious web browser). If you are a Chrome or Firebug fan, or a fan of IE's F12 developer tools, you'll want your console, call stack, and network activity at-the-ready so that you can see the exploit in action.

For SQL injection attacks, you'll probably find yourself diffing the MRU timestamps on your SQL tables, before and after running a cURL command line or browser-based copy-and-pasted URL.

For SSL-related vulnerabilities (like weak cipher availability, CRIME, BEAST, certificate chain problems, and others), you might find yourself using one of the web-based scanners like this excellent one from Qualys, as you work to mitigate the vulnerability and test your fix.

Once you've mitigated the vulnerabilities uncovered by the penetration testers, you'll touch base again to explain your fixes, and to work together to plan any next-steps -- the eventual outcome being that you will fill out the security questionnaire to apply for production access.

See You Next Time: And, there will be a next time...

Once you are granted production access, know that the security scans will become part of the rhythm of your business -- they happen on a recurring basis. The good news is, you'll get better and more efficient and handling them over time (nine runs in, we're getting pretty good at it).

Good luck navigating the security scan process, I wish you smooth sailing and a rapid arrival on Intuit App Center -- see you there!

Comments (0) | TrackBack (0)

June 01, 2010

Flex to Excel or Excel to Flex, now that is the question!

Greetings,

Since my last challenge of getting Flex to create a PDF file using Flash Player 10 went so well, it was decided that I should tackle Excel files. This proved to be a challenge, since the library I decided to use doesn't play well with itself and I thought I was doing something wrong.

Being the lazy person I am, I tried the Google search again and came across a number of different ways to handle Excel files. I came across Sasa Radovanovic' Blog, where Sasa created an HTML file that could be imported into Excel. CFLEX.NET had an example for importing the DataGrid to Excel via the Clipboard. And finally, I found an example on the Adobe site that imported and exported data out. So I used the from Adobe as my example with a few tweaks here and there.

The example from Adobe used the as3xls Excel Library hosted on code.google.com. After doing some research, I found that the library has some issues with writing Excel files out. Excel can read the exported files, but the files are just not in the correct format. So to read the files back in, you have to open the file you exported in Excel, save the file in Excel (Excel was nice enough to correct the formatting errors), and then you can import the file back in using the library. Looking at some of the dates on the project, it does not look like the original author is updating the library. I did find Dan Wilson's site, where he has taken a fork from the original library and updated it to fix a few problems. You can either use the original or Dan 's version. Either version will work for the sample below.

If the Excel file is not in the correct format when you try to read it in, you will get an error like this one. "TypeError: Error #1009: Cannot access a property or method of a null object reference."  Open the file you are trying to import in Excel, save it, and try re-importing and see if that fixes your problem.

Enjoy,

William Lorfing

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
    <mx:Script>
    <![CDATA[
        // Taken from http://cookbooks.adobe.com/post_Import_Export_data_in_out_of_a_Datagrid_in_Flex-17223.html
        //
        import com.as3xls.xls.Cell;
        import mx.collections.ArrayCollection;
          
        import com.as3xls.xls.Sheet;
        import com.as3xls.xls.ExcelFile;
        import mx.controls.dataGridClasses.DataGridColumn;
                 
        private var fileReference:FileReference;
        private var sheet:Sheet;
             
        [Bindable]
        private var fields:Array = new Array(); 
        private var ItemDGDataProvider:ArrayCollection = new ArrayCollection([
            {name:"Item1",value:"21",qty:"3",cost:"12.21"},
            {name:"Item2",value:"20",qty:"4",cost:"12.22"},
            {name:"Item3",value:"22",qty:"5",cost:"12.23"},
            {name:"Item4",value:"23",qty:"2",cost:"12.24"}
            ]);
          
        [Bindable]
        private var rebateDGDataProvider:ArrayCollection = new ArrayCollection();
     
        private function browseAndUpload():void
        {
            fileReference = new FileReference();
            fileReference.addEventListener(Event.SELECT,fileReference_Select);
            fileReference.addEventListener(Event.CANCEL,fileReference_Cancel);
            fileReference.browse();
        }
        private function fileReference_Select(event:Event):void
        {
            fileReference.addEventListener(ProgressEvent.PROGRESS,fileReference_Progress);
            fileReference.addEventListener(Event.COMPLETE,fileReference_Complete);
            fileReference.addEventListener(IOErrorEvent.IO_ERROR, onLoadError);
            fileReference.load();  
        }
        private function fileReference_Cancel(event:Event):void
        {
            fileReference = null;
        }
        private function fileReference_Progress(event:ProgressEvent):void
        {
            progressBar.visible = true;
            progressBar.includeInLayout = true;
        }
        private function onLoadError():void
        {
               /*body not implemented*/
        }
        private function fileReference_Complete(event:Event):void
        {
            var fileData:ByteArray  = fileReference.data;
            var excelFile:ExcelFile = new ExcelFile();
            var noOfRows:int;
            var noOfColumns:int;
            if(fileData!=null && fileData.length > 0){
                    excelFile.loadFromByteArray(fileData);
                    var sheet:Sheet = excelFile.sheets[0];
                    if(sheet!=null)
                       {
                        noOfRows=sheet.rows;
                        noOfColumns = sheet.cols;
                        for(var row:int = 0; row<noOfRows;row++)
                        {
                            var cellObject:Object ={};
                            for(var col:int=0;col<noOfColumns;col++)
                            {
                                var cell:Cell = new Cell();
                                var cellValue:String = new String();
                                cell = sheet.getCell(row,col);
                                if(cell!=null)
                                {
                                    cellValue =(cell.value).toString();
                                    addProperty(cellObject,col,cellValue);
                                }
                            }// inner for loop ends
                         
                            rebateDGDataProvider.addItem(cellObject);
                        } //for loop ends
                    } //if sheet  
                } //if filedata
            progressBar.visible = false;
            progressBar.includeInLayout =false;
            rebateScheduleDG.includeInLayout = true;
            rebateScheduleDG.visible = true;
            fileReference = null;
        }
        private function addProperty(cellObject:Object,index:int,cellValue:String):void
        {
            if(index == 0)
                cellObject.cost = cellValue;
            else if(index == 1)
                cellObject.name = cellValue;
            else if(index == 2)
                cellObject.qty = cellValue;
            else if(index == 3)
                cellObject.value = cellValue;
        }
     
        private function exportToExcel():void
        {
            sheet = new Sheet();
            var dataProviderCollection:ArrayCollection = rebateByItemDG.dataProvider as ArrayCollection;
            var rowCount:int =  dataProviderCollection.length;
            sheet.resize(rowCount+4,10);
            sheet.setCell(0,0,"Item Name");
            sheet.setCell(0,1,"Item Cost");
            sheet.setCell(0,2,"Item Qty");
            sheet.setCell(0,3,"Item Price");
            var columns:Array = rebateByItemDG.columns; 
            var i:int = 0; 
            for each (var field:DataGridColumn in columns){ 
                fields.push(field.dataField.toString());
                sheet.setCell(0,i,field.dataField.toString()); 
                i++; 
            }
                                   
            for(var r:int=0;r<rowCount;r++)
            {
                var record:Object = dataProviderCollection.getItemAt(r);
                /*insert record starting from row no 2 else
                    headers will be overwritten*/
                insertRecordInSheet(r+2,sheet,record);
            }
            var xls:ExcelFile = new ExcelFile();
            xls.sheets.addItem(sheet);
           
            var bytes: ByteArray = xls.saveToByteArray();
            var fr:FileReference = new FileReference();
            fr.save(bytes,"SampleExport.xls");
        }
     
        private function insertRecordInSheet(row:int,sheet:Sheet, record:Object):void
        { 
            var colCount:int = rebateByItemDG.columnCount; 
            for(var c:int; c < colCount; c++) 
            { 
                var i:int = 0; 
                for each(var field:String in fields){ 
                    for each (var value:String in record){ 
                        if (record[field].toString() == value) 
                            sheet.setCell(row,i,value); 
                        } // if 
                        i++; 
                    } // for record 
                } // for fields 
            } // for colCount 
        
    ]]>
    </mx:Script>
   
        <mx:FormItem label="Do you want to import your items from Excel?" fontWeight="bold">
                <mx:Form>
                    <mx:FormItem label="Browse you excel file" fontWeight="bold">
                        <mx:Button label="Browse" click="browseAndUpload()"/>
                    <mx:HBox>
                        <mx:ProgressBar id="progressBar" includeInLayout="false" visible="false"
                            indeterminate="true"/>
                    </mx:HBox>
                    </mx:FormItem>
                    <mx:DataGrid id="rebateScheduleDG" includeInLayout="false" visible="false"
                            dataProvider="{rebateDGDataProvider}" width="100%"/>
                </mx:Form>
                            <mx:FormItem label="Export Datagrid items to Excel?" fontWeight="bold">
                <mx:Form>
                    <mx:HBox width="100%" verticalAlign="middle">
                        <mx:DataGrid id="rebateByItemDG" includeInLayout="true" visible="true"
                            dataProvider="{ItemDGDataProvider}" width="100%" editable="true"/>
                        <mx:Button label="Export To Excel" click="exportToExcel();"/>
                    </mx:HBox>
                </mx:Form>
            </mx:FormItem>

            </mx:FormItem>

</mx:Application>

Comments (11) | TrackBack (0)

April 27, 2010

Ruby web apps and the Intuit Partner Platform

Editor's note: The following is a guest post by Zack Chandler who has been active in the Ruby on Rails and Intuit developer community for a number of years.

As recently as five years ago the majority of developers considered the Ruby programming language arcane and obscure. Then the Ruby on Rails web framework burst on the scene and seemly overnight became a must-consider choice when building web apps.

I began working with Ruby on Rails before the 1.0 release and have been amazed at the progress of the framework and growth of the community. Not long after that I began developing integrations between Ruby web apps and QuickBooks via the QuickBooks Web Connector and QuickBooks Online via the QBO API.

New to the QuickBooks ecosystem, I quickly learned there were additional benefits beyond simply adding the “QuickBooks integration” checkbox on a feature tour. Specifically the QuickBooks Marketplace quickly proved itself to be a valuable channel for lead-generation.

Fast-forward to 2010 and Ruby developers have even greater reason to be excited with Intuit’s current integration opportunities.

Ruby web apps apps targeting small to medium-sized businesses are launching daily. Humm… guess which accounting system most small to medium-sized businesses use (hint: rhymes with “fast cooks”)?

Meanwhile Intuit has re-imagined their entire developer offering and launched the ambitious Intuit Partner Platform. To a Ruby developer with no former experience with QuickBooks integration I would simply say that the most exciting parts of IPP are:

I recently did a deep-dive into IPP and came away thoroughly excited. I’ve posted a quickstart tutorial entitled Intuit Partner Platform for Ruby Web Applications on my Depixelate blog which will hopefully help other Rubyists get started with IPP.

The future is indeed bright for those Ruby developers wishing to both co-market and integrate with Intuit data through the cloud.

Comments (1) | TrackBack (0)

April 22, 2010

How to get Flex to produce a PDF file using Flash Player 10

Hi. My name is William Lorfing and I a Development Support Engineer for the Intuit Developer Network.

I have been with Intuit for over a year now and one of the questions that comes up from time to time is to show an example of how to get a Flex app to produce a PDF file.

My thoughts were, "that shouldn't be too hard!". Now where do I find that code on Google? Ok, it was a little harder than I thought. I am new to Flex, so I had to work through getting the environment set up and figuring out how to load the external libraries. Another problem was that if you were using Flash Player 9, you couldn't create the PDF on the client, but had to use the server to do this. With Flash Player 10, they allowed you to write files locally, so this was the way I went.

Well, Google was helpful and took me to Holly Schinsky's Devgirl's Weblog where she created a Flex script for creating a PDF file for Adobe's Tour de Flex. So, this is where I will begin my journey.

I started by creating a new Flex Project and importing the Open Source AlivePDF library from http://code.google.com. (This might not have been the correct way to do it, but it worked for me.) I tried using the RC version, but for some reason it didn't work, so I ended up downloading the latest SVN version and that worked.

I wanted to start simple, so I created a basic UI with a multi-line text box and a save button. The save button then called a couple of functions from the AlivePDF library to create the PDF pages and then a call to the FileReference save method and poof you have a PDF file.

Building a PDF file using the AlivePDF library, is much like designing a graphical interface. You put your text fields and graphics at certain positions on the page and the library takes care of the rest. I am not good at UI's so I stuck with the basic and just put the text from the Flex text box into the PDF.

Here is what the I came up with.

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" >

    <mx:Script>
        <![CDATA[

        import flash.display.*;
        import flash.events.*;
        import flash.net.*;
        import flash.text.*;
       
        import org.alivepdf.pdf.PDF;
        import org.alivepdf.layout.Orientation;
        import org.alivepdf.layout.Size;
        import org.alivepdf.layout.Unit;
        import org.alivepdf.saving.Method;
       
        import flash.utils.ByteArray;

        protected var frPDF:PDF;

        private function onSave(e:Event):void
        {
            frPDF = new PDF(Orientation.PORTRAIT, Unit.MM, Size.LETTER);
            frPDF.addPage();
            frPDF.addMultiCell(200,5,desc.text);
            var bytes:ByteArray = frPDF.save(Method.LOCAL);
            var f:FileReference = new FileReference();
            f.save(bytes,"sample.pdf");
             
        }
        ]]>

    </mx:Script>   

    <mx:Label top="10" left="10" text="Enter text, then press Save to PDF." />   
    <mx:HBox width="100%" height="100%" top="40" left="10" >
   
        <mx:Canvas top="10" left="10" width="300" height="100%">
            <mx:Label text="Description:" y="2"/>
            <mx:TextArea id="desc" y="18" height="133" width="205"/>   
        </mx:Canvas>
    </mx:HBox>
   
    <mx:HBox top="205" left="50">
        <mx:Button horizontalCenter="0" click="onSave(event)" label="Save to PDF" id="savePDFBtn"/>
    </mx:HBox>
   
</mx:Application>

There are a lot of different methods in the AlivePDF library, so have fun and play around with some of them.

Thanks,

William

Comments (1) | TrackBack (0)

April 12, 2010

Welcome Flex 4 (And for IPP Native Developers...Now What?)

Hello!!  My name is Anjali Kucheria and I’ve recently become a Developer Relations Engineer at the Intuit Partner Platform (IPP) team.  I’ve been a Flex Developer for some time now, specifically focused on the user-interface, styling and skinning aspects of development. I’m super enthused about my new role.  I’m also very excited about the launch of Adobe's new Flex SDK. I’m sure Flex developers will rejoice in  the enhancements in this new release!

Recently, Adobe released its much-awaited  version of the Flex Framework (Flex 4). Developed under the code name ''Gumbo", Adobe has enhanced the framework in several ways (Note: The Flex 4 development environment will be known henceforth as Adobe Flash Builder (previously known as Adobe Flex Builder):

•    Bridging the gap between designers and developers.  Adobe has built a new, comprehensive UI framework known as Spark.  Spark lies on top of the existing MX architecture, allowing the MX components to easily integrate with the new Spark components.  Spark also carries with it a new approach to skinning.  At a high-level, the new framework provides a clear delineation between the “look” of a component and the wiring behind a component.  For more information see  brief overview of the Spark architecture and component set".

•    Did you find yourself constantly struggling with the idea of States in Flex 3? Have no fear, With Flex 4, Adobe promises to unravel some of the complexities surrounding this often confusing, but also useful concept.  No longer will you need to use the <mx:SetProperty> for changes to button properties; Flex 4 denotes states simply by a dot notation   within the original component. For a more detailed explanation see: Flex 3 vs Flex 4 State Management.

•    Flex 4 allows you to connect to data services seamlessly.  For those who’ve done this with prior Flex releases, you will be pleasantly surprised with the new simplicity and intuitiveness.  The provided wizard interface eliminates common errors and misunderstandings and allows you to simply enter the required URLs.  To learn more, see Flex 4 & Data Wizards Make Life Easy.

•    Flex 4 allows for far more flexibility with layouts than in previous versions. Flex 4 introduces   layout objects which separates the layout logic from the component itself,  allowing far more design ingenuity. 

•    Flex 4 simplifies 2 way binding greatly.  All that a developer needs to do is add the ‘@’ character to the property that is to be bound.  For example to bind the text property of one Text areato another,  it can be done like this:

<mx:TextArea id=”textArea1”/>

<mx:TextArea id=”textArea2” text=’@{testArea1.text}’ />

What does this mean to IPP "Native" Developers?

We’ve developed a two-phased approach to transition our developers to the Flex 4 SDK and Adobe Flash Builder 4. What you can expect in the coming months:

•    We will be supporting Adobe Flash Builder 4(FB4) with the IPP SDK tools.  Initially, we will support FB4 with the Flex 3 SDK only.  If you choose to upgrade to FB4, you will automatically be upgraded to JVM 1.6.  For those who develop on a Mac and choose to upgrade to FB4, please be sure you run, or upgrade to, Snow Leopard.  Your application will not be backwards compatible.   Our recommended install is during this phase is Eclipse (Ganyanede 3.4/Galileo 3.5) with Flex 3.4 SDK and the Flash Builder 4 plugin.

•    Subsequently, we will support the Flex 4 SDK.  Once this upgrade occurs, your application can fully utilize the Fx and Spark component architecture (along with the existing Mx components) along with the state, layout and other Flex 4 SDK enhancements.

More details about IPP’s integration and support of the new Flex tools and SDK will be furnished upon the IPP tools 2.7 release.

In the meantime, we invite you to comment, ask questions/concerns you may have with regards to the Flex 4 and we will provide the necessary guidance. Also, please visit the forums IPP developer forums which is a great resource to post your questions as well as see other developers concerns and questions and the solutions. 

thanks!

Anjali.

Comments (2) | TrackBack (0)

January 08, 2010

3 New Live IPP Technical Webinars for January - Register Now!

We’ve got 3 great live webinars in January discussing technical aspects of IPP: “What’s New in 2.4 of IPP”, “IPP Intuit Data Services (IDS) Deep Dive" and “Enhancing your Federated Application”. We’ve also got live IPP Developer Support sessions every two weeks, the next one on Jan 12.

Registration details are below…see you there!

Intuit Partner Platform: What's New in v2.4 of IPP

Deep dive look at the new data and features released in v2.4 of the Intuit Partner Platform

Register for Session: 

Intuit Partner Platform: Intuit Data Services (IDS) Deep Dive

Deep Dive into the connecting your Intuit Partner Platform Application with QuickBooks data via IPP Intuit Data Services (IDS) API).

Register for Session:

Intuit Partner Platform: Enhancing your Federated Application

Already have a SaaS application and need help with the Federation process?  Want to know what's involved to create a federated App?  Then join us for a deep dive look at the enhancing your Federated IPP Application.

Register for Session: 

Intuit Partner Platform Real Time Support

Real Time Support and Q&A with the Intuit Partner Platform Architect's and Engineers. Have your questions answered live!

Register for session:

Comments (0) | TrackBack (0)

March 18, 2009

Flex 3 in Action: Ch. 23 Debugging, Functional and Unit Testing in Flex

Manning Publications has posted a free pdf of Chapter 23 from their book called "Flex 3 in Action". Chapter 23 includes Debugging, profiling, 3rd party tools, unit testing, and functional testing of Flex Applications.

Flex 3 in Action
Chapter 23
Manning Publishing
http://www.manning.com/ahmed/Flex3-sample-chapter-23.pdf


From the author's blog

Happy Coding,

Jarred

Comments (0) | TrackBack (0)

March 17, 2009

How to manage Relationships between tables in QuickBase for IPP?

How do we handle QuickBase relationships using the Intuit Partner Platform Flex SDK Plugin?

The QuickBase Missing Manual describes the mechanics for creating relationships between tables as well as common use-case relationships. For example, you can think of a one-to-many relation between projects and tasks where each task in the tasks table is linked to a specific project in the projects table. The projects table is referred to as the Master table and the tasks table as the Details table. QuickBase uses the master's key field or the record id# to relate the records between the master and details table.

Note that within QuickBase the only type of relationship you can directly define is 1:many though within your application you can implement a 1:1 relationship by having a back reference many:1 relationship from master to detail and implementing your business logic to enforce the 1:1 nature of the intended relationship. 

Why implement a relationship in the first place?  Quite simply, because once you have a relationship, QuickBase can do a lot of work for you:  fields from the master can be automatically reflected into the details rows (effectively an Inner Left Join for you SQL-nuts) so you don’t need to go look up the master record when you have a detail record in-hand and just need a couple of fields from the master record on a regular basis; and fields from the details table can be summarized in the master record using a variety of summary operators such as Average, Count, Maximum, etc.; they can even be summarized with the equivalent of a “where” clause to summarize only a subset of the details records (i.e. total task hours assigned to the current user).

How does this work with the IPP Flex SDK Plugin? Using DTOs and some of the APIs in the Kingussie framework we can simplify the task of adding records, maintaining relationships and refreshing summary fields.

I have a Developers table as the master table and a Ratings table as the details table. There can be many Ratings records for a single developer and the summary field which is the average rating in the Developers table keeps track of this.

The challenges are

How do we add a record to the ratings table and relate it to a developer record?

How do we refresh the summary field of the developer record in the view when a ratings record related to the developer is added? Normal refresh mechanisms such as those implemented by the QuickBaseDTOArrayCollection will not detect changes to the developer record if all that changed were details records summarized by the developer record, so our app needs to “know” that it has changed something that influences other records and force a refresh.

To add a Ratings record, we first relate it to the Developer record and add it.

                  rating.populateDTO();

                  // Relate the Ratings record to the Developers record

                  model.ratingsDTO.Relateddeveloper = Number(model.developersDTO.rid);
                  var addRatingEvent: QuickBaseEventStoreRecord = new
                       QuickBaseEventStoreRecord(model.RatingsDTO,
                       new KingussieEventCallBack(doRefreshRating));
           
                  addRatingEvent.dispatch();

Where rating is a simple IDNForm.

               <widgets:IDNForm id="rating" dto="{model.ratingsDTO}">
                   <widgets:IDNField fieldLabel="Enter Rating:" fieldName="Rating"/>     
               </widgets:IDNForm>

To refresh the view using the Kingussie event chaining, we define a method doRefreshRating which essentially refreshes the parent record and thereby updates the summary field.

           public function doRefreshRating(data:Object): void
           {
                  // refresh the parent record now
                  var refreshDeveloperEvent: QuickBaseEventRefreshRecord = new
                       QuickBaseEventRefreshRecord(model.developersDTO);
                  refreshDeveloperEvent.dispatch();

                 // refresh the ratings DTO
                  model.ratingsDTO = new Ratings_DTO();
           }

In conclusion, we looked at how to handle relationships between tables, what is a Master table and a Details table, how to link records between the tables and how to automatically refresh summary fields in the parent record.

Comments (0) | TrackBack (0)

March 06, 2009

How is the QuickBaseDTOArrayCollection different from an ArrayCollection?

Apart from the name, there are some important properties and methods that make it more useful in the context of writing your Flex code.

You can leverage the framework and use QuickBaseDTOArrayCollection to keep your data up to date and avoid having to do the low-level programming to acheive the same otherwise.

I'll try and explain this with some very simple code snippets.

The following is defined in the model.

         public var developersDTO: Developers_DTO = new Developers_DTO();
         public var developersList:  QuickBaseDTOArrayCollection ;

where the Developers_DTO is the Data Transfer Object for an individual record and it handles the marshalling and umarshalling of the fields of the record. It is automatically generated as part of the project when you use the "Generate data transfer objects" as part of the IPP plugin.

I instantiate this list in the view in the initPanel() or as appropriate. This indicates what fields of the record you want to retrieve.

model.developersList = new QuickBaseDTOArrayCollection
                   (Developers_DTO, true, "",
                   "Name.Company.EmailContact...", // fields are dot-separated. Not all shown
                   "",
                   "");

You initialize the list, which essentially populates the list, something along the lines of below.

                   model.developersList.initData();

This populated list can then be used as a dataProvider in a DataGrid just like a regular ArrayCollection, through the magic of Flex databinding and the QuickBaseDTOArraycollection's own magic of updating itself when data on the server changes. So, whenever a record is added, updated or deleted by any user (not necessarily the current user) this is reflected in the view.

          <mx:DataGrid id="developersViewGrid" change="true" wordWrap="true" dataProvider="{model.developersList}"

You can also force the update when you know things have changed (i.e. because you stored a record in the current client) as below

          model.developersList.forceUpdate();

Most importantly, by using the QuickBaseDTOArrayCollection to keep your data up to date, your application is imposing the smallest possible burden on the server, in particular, if data isn't changing, you aren't touching the database, and therefore are reducing your usage charges.

It's certainly possible to duplicate the functionality of the QuickBaseDTOArrayCollection yourself using a standard ArrayCollection, but why do all that low-level programming yourself?  Focus on your business logic and let the framework take care of the wiring for you.

You can get more details in the Programmer's Guide.

Comments (0) | TrackBack (0)

March 04, 2009

Setting Up a Co-Development IPP Project in Flex Builder

Hello IPP developers, my name is Jarred Keneally and I am a developer support engineer for the Intuit Partner Platform. After receiving quite a few inquiries as to the best way to setup a co-development IPP project, I though I would blog about the way to do that.

You should know we are working on exciting new developer tools to manage your IPP Projects in release 1.4. Until that release arrives, here is what you can do in the meantime. Please keep in mind this process is only temporary.

These are the steps that are typical of a new IPP project in Flex Builder:

1. Someone creates a “build” account on workplace (hereafter referred to as “build engineer”)

2. Build engineer creates a database using the native workplace UI

3. Build engineer creates a new Flex project in Flex Builder

4. Build engineer converts said Flex application to an IPP Application by Adding the IPP framework to the new project

5. Build engineer configures the IPP Project using the wizard

a. Calls the Project 1.0

b. Creates and/or Assigns an AppToken

c. Points to, the dbid from Step #2 to create the Development Master (normally, they’ll always just use Find DBID here)

d. Saves the IPP Project

6. Build engineer runs the DTO generator.

7. Build engineer adds all of the files to CVS/P4, excepting binaries and the DevEnvironment.xml (shouldn’t be one at this point if my memory is correct)

8. Build engineer invites his team, DevA, DevB and DevC to be admins to the Development Master (same dbid as is found in the IPP Project editor wizard)

9. STOP: Combine all logins under Build Engineers Account: All workplace logins that want to deploy this app need to be added to the build engineers account. This process is only temporary.

a. Please submit a support incident with build engineers email and the emails of the other Workplace logins to be added to the account. Click Here to Submit an Incident

10. DevA, DevB, DevC check out source code from CVS/P4

11. DevA, DevB, DevC build code and deploy to their dev environments… This will create their development sandboxes.  It will also create the DevEnvironment.xml file

12. DevA, DevB, DevC make enhancements that they check back into CVS/P4, etc, but they never check in the DevEnvironment.xml file

13. When a Q/A build is desired (or any other deployment or publishing operation) then Build Engineer comes back into the picture

14. Build Engineer checks out all code and deploys to Q/A, Stage, or publish.

*When someone changes the schema, it will be the schema of the dev master. That person must regen the DTOs and check them in.  The other devs must then refresh their project with those new DTO files.  The Dev Instance DBs will get updated automatically.

**The schemaVersion is what triggers the whole thing.  Until there is a difference between the compiled version (SchemaVersion.as) and the sandbox’s schemaVersion dbVar, no schemaUpdate command will be executed.  This is exactly the desired behavior because a developer may be in the middle of a task and not want his sandbox to be updated.  So long as he doesn’t sync code his wishes will be law.

***In Dev the QAR is deployed to the sandbox and never to the master.  In the other environments the exact opposite is true—you deploy the QAR to the master and when running the application the executable is automagically pulled from the master.  It is this difference that allows multiple developers to have different code bases

****Technically any of the developers can deploy to Q/A (etc) but this is probably poor practice.  Future versions of the tools will have role assignments to enforce the concept of an “authorized” deployment manager.  Every developer, however, can deploy to his/her development sandbox as that is limited to their own development area.  If they want, they can also start over this away simply by deleting the DevEnvironment.xml file and doing a Synch operation, or by running the IPP Project wizard and re-cloning the Development Master.

Happy Coding

Jarred

Comments (0) | TrackBack (0)

Next »