Check role in server action necessary
Question

I have a special "Admin" role in my application (Reactive Web). Only users with this admin role have access to the admin screen to add records in a special database table. To add or update a record I created a server action. Is it necessary to check the role in the server action again to be sure that only a user with the admin role can manipulate the data of this entity? Or is it enough to check the role on the screen properties and uncheck all other roles?


Hi Thorsten,

Are you calling the add or update record server action in that screen only?

If yes, it is enough to check the role on the screen properties and uncheck all other roles, so it will only allow the user who has the Admin role to access the screen and take action on the screen.

Regards,
Krushna


It's always a safer option to validate all data server side, especially security. And especially with Reactive web, where so much is done client side. You'd think if you can't open the screen, there's no way to "push the button".

But behind any save button, is just a request to the server, and a hacker can just execute that same request or a very similar one without ever using the screen.

There was a talk about this very topic on NextStep, by Remco Dekkinga, which you can watch on demand: https://www.outsystems.com/nextstep/


Hi Krushna,

Yes, I'll call the server action only in this screen. So I can be sure that no user without the admin role can call my server action, even if the end user manipulates the JavaScript on the client side and does the call without the admin role?

Hi,

In Reactive, I usually use this validation every time I call a server-side action:


And this way I do one more validation if that user has the necessary role to access that function.


Cheers

Thank you for your information. I'm worried that the user can still call my server action without the required role just by manipulating the JavaScript. So it is better to check the role in the server action again.


For safety's sake, I do that. In fact, I have a boundary layer (a module) between the front end and the server side whose only job is to do this validation. There is no call from the front end to the server that does not have this type of validation.
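The point made in the thread, as an added illustration in plain JavaScript (not OutSystems code and not any poster's own logic): a screen-level role restriction only gates the UI, so a request sent directly to the server bypasses it unless the server action repeats the role check. All names (`roles`, `records`, `checkAdminRole`, `addRecordUnchecked`, `addRecordChecked`, `directCall`) and the user ids are constructed for this example.

```javascript
// Constructed sample data: user 1001 holds the Admin role, user 1002 does not.
const roles = { 1001: new Set(["Admin"]), 1002: new Set(["Registered"]) };
const records = []; // stands in for the "special database table"

// Stands in for the CheckAdminRole() check the platform generates for a role.
function checkAdminRole(userId) {
  return (roles[userId] ?? new Set()).has("Admin");
}

// Screen-level gate: what "uncheck all other roles" on the screen gives you.
function openAdminScreen(userId) {
  if (!checkAdminRole(userId)) throw new Error("screen not accessible");
  return true;
}

// Server action as described in the question: trusts that only the admin
// screen ever calls it, so it performs no role check of its own.
function addRecordUnchecked(userId, name) {
  records.push({ name, createdBy: userId });
  return records.length;
}

// Same server action with the role check repeated on the server side.
function addRecordChecked(userId, name) {
  if (!checkAdminRole(userId)) throw new Error("NotAuthorized");
  records.push({ name, createdBy: userId });
  return records.length;
}

// Models a request that reaches the server without going through the screen
// (the "push the button" request replayed by a tampered client): the screen
// gate is never consulted. Returns a result object instead of throwing so the
// two server actions can be compared side by side.
function directCall(action, userId, name) {
  try {
    return { ok: true, count: action(userId, name) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Non-admin user: the screen is closed, but the unchecked action still writes.
const screenClosed = (() => { try { openAdminScreen(1002); return false; } catch { return true; } })();
const bypassed = directCall(addRecordUnchecked, 1002, "from tampered client"); // ok: true
const blocked = directCall(addRecordChecked, 1002, "from tampered client");   // ok: false
const legit = directCall(addRecordChecked, 1001, "from admin");               // ok: true
```

Only `addRecordChecked` refuses the non-admin write, which is what repeating the role check in the server action (or in a boundary module in front of it) buys you.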


Hi Thorsten,

Let me just add that several aspects of securing Reactive Web applications are summed up in the reactive web security best practices.

I would suggest you go through them and see if they satisfy your concerns.

Regards,

Nordin