Verify User Input - Custom Code Security Problem

    Question

  • MSDN showed some techniques to verify user input on Reports.  A couple of them have interaction with the user via MsgBox.  One technique involves creating a boolean function that interacts with the user and returns True/False based on user response.  The function is placed in the CODE section in Report Properties, then it's called indirectly in a VISIBILITY property.

    When the function hits the MsgBox line it throws error "Request for the permission of type 'System.Security.Permissions.UIPermission, mscorlib,...".  I've included the assemblies System.Security, and System.Windows.Forms, in addition I've modified the rssrvpolicy.config to make all Code Groups "FullTrust".  No luck so far.

    If I get it working, I'm wondering if this MsgBox will appear at the client, or will it appear on the Report Server only.

    Here's the Function:
    Public Function VerifyUserInput (NumEntered as Integer) as Boolean
        Dim prompt as String, usrResponse as MsgBoxResult
        prompt = ""
        usrResponse = MsgBoxResult.No
        If (NumEntered > 60 OR NumEntered < 0) Then
            prompt = "You entered " & Str(NumEntered) & ", want to continue?"
            usrResponse = MsgBox(prompt,4,"Input Verification")
            If usrResponse = MsgBoxResult.Yes Then
                Return TRUE
            Else
                Return FALSE
            End If
        Else
            Return FALSE
        End If
    End Function
    Thursday, November 26, 2009 6:13 PM

Answers

  • This request comes up from time to time and although there may be some very creative and convoluted method to do this, it will come with trade-offs and may not be secure and maintainable.  The bottom line is that Reporting Services was not designed to support this type of prompt.  Many have tried and I have yet to see it done reliably.  There are two methods you can use:

    • Build a custom winforms or web application to validate the user, display the msgbox and then open the report.  This method will not integrate with the Report Manager or SharePoint hosted reports.
    • Take a screen capture or create an image that looks exactly like a msgbox and place it on the report.  Use a conditional expression for the Hidden property to display it on the report.  Not sure if you can stack a separate image of the OK button over the top of the msgbox image, though.

    Paul Turley, MVP [Hitachi Consulting] SQLServerBIBlog.com
    • Marked as answer by mcinmx01 Friday, November 27, 2009 5:09 AM
    Friday, November 27, 2009 4:15 AM
    Moderator
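
The conditional Hidden-property approach from the answer above, as an added example that is not part of the original thread: report custom code that checks the value without any UI call, so it needs no UIPermission and no FullTrust change in rssrvpolicy.config. The function names InputWarning and HideWarning, the parameter name NumEntered and the textbox wiring are assumptions; the 0 to 60 range is taken from the question's function.

```vbnet
' Added example (not from the thread). Paste into the Code tab of Report
' Properties. It makes no MsgBox or other UI call, so it runs under the default
' Execution permission that Reporting Services grants to report expressions
' and the Code element.

' Returns the warning text to render in the report, or an empty string when
' the value is acceptable. Takes Object because a report parameter can arrive
' as Nothing or as a non-numeric value.
Public Function InputWarning(ByVal value As Object) As String
    If value Is Nothing OrElse IsDBNull(value) Then
        Return "No value was entered."
    End If

    Dim num As Integer
    If Not Integer.TryParse(Convert.ToString(value), num) Then
        Return "The value entered is not a whole number."
    End If

    ' Same range test as the question's VerifyUserInput function.
    If num > 60 OrElse num < 0 Then
        Return "You entered " & num.ToString() & ", which is outside the range 0 to 60."
    End If

    Return String.Empty
End Function

' True when there is nothing to warn about, so the warning item stays hidden.
Public Function HideWarning(ByVal value As Object) As Boolean
    Return InputWarning(value).Length = 0
End Function

' Assumed wiring on a warning textbox (or on the msgbox-style image the
' answer describes), using a report parameter named NumEntered:
'   Value:  =Code.InputWarning(Parameters!NumEntered.Value)
'   Hidden: =Code.HideWarning(Parameters!NumEntered.Value)
```

Because custom code executes on the report server during rendering, the warning reaches the user as part of the rendered report rather than as a dialog.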