I explained to OutSystems what the issue is, and I can confirm that the pattern in the OutTracker application as described above is NOT secure.
This is the official response that I got:
Hi Borislav,
When you fetch data from the server (queries or API calls), don’t use input parameters that have an impact on the data that is returned. An attacker can change these values and fetch some other data.
For instance, if retrieving data about the current logged-in user, instead of using client-specific details consider using server-side logic to get that same information.
A common good practice is to place the GetUserId() inside the aggregate. The aggregate is running on the server, which is secured and the attacker can’t alter this query anymore to access data from other users.
This same best practice works for fetching data based on user roles or when you fetch data from the server and you send an identifier or another element that uniquely identifies an element as input parameter to the server.
We would suggest adding server-side checks to any server-side calls to make sure that the logged-in user has the rights to the returned data.
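The advice in the response above, modeled as an added example that is not part of the original post or of OutSystems' code: a data fetch that trusts a client-supplied user id, next to one that resolves the user on the server, plus an ownership check for the case where a record identifier must be passed in. The table, the session store and every function name are constructed for illustration; `get_user_id` is a hypothetical stand-in for `GetUserId()`.

```python
# Constructed sample data standing in for a database table.
RECORDS = [
    {"id": 1, "user_id": 10, "note": "alice-1"},
    {"id": 2, "user_id": 10, "note": "alice-2"},
    {"id": 3, "user_id": 20, "note": "bob-1"},
]
# Constructed server-side session store: session token -> authenticated user id.
SESSIONS = {"sess-alice": 10, "sess-bob": 20}


class AccessDenied(Exception):
    """Raised when the caller is not logged in or does not own the data."""


def get_user_id(session_token):
    """Hypothetical stand-in for GetUserId(): resolved on the server from the session."""
    if session_token not in SESSIONS:
        raise AccessDenied("not logged in")
    return SESSIONS[session_token]


def list_records_insecure(session_token, user_id):
    """Pattern the response warns about: an input parameter decides whose data is returned."""
    get_user_id(session_token)  # caller is authenticated, but nothing ties user_id to them
    return [r for r in RECORDS if r["user_id"] == user_id]


def list_records_secure(session_token):
    """Recommended pattern: the filter uses the server-side identity, no user id input exists."""
    uid = get_user_id(session_token)
    return [r for r in RECORDS if r["user_id"] == uid]


def get_record_secure(session_token, record_id):
    """A record identifier is still an input here, so ownership is checked on the server."""
    uid = get_user_id(session_token)
    for r in RECORDS:
        if r["id"] == record_id:
            if r["user_id"] != uid:
                raise AccessDenied("record belongs to another user")
            return r
    raise LookupError(f"no record {record_id}")
```
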