Solved
Ramifications of altering a system application's Disabled property dynamically?
Question

We've written some code to set the Disabled property of a system application using inline SQL. Is anyone able to confirm that this would behave as expected? We're aware that amending directly via SQL can have unexpected consequences due to underlying complexities not visible at entity level.

We have opened a support ticket, but OutSystems suggested we post here whilst they look into it further.

2018-10-29 08-31-03
João Marques
 
MVP
Solution

Hi Sienna,


There are two reasons to be cautious when doing this, although I think in this case you are safe. My rationale is below:


  • Changing system tables: OutSystems relies on these tables to compile and publish code, so you can imagine that changing them might cause unexpected behaviour when the compiler is expecting or changing them during the 1-click publish, for instance. However, the Disabled attribute of Application is not changed other than in Service Center, so I would say this is pretty controlled;
  • SQL Injection: When you use an Expand Inline, the platform won't protect this parameter value, meaning that if you were letting a user fill that Expand Inline attribute, you would run the risk of the user being able to inject malicious SQL, like dropping tables, 1=1 filters to get more data than s/he should, and so on (more info on the link I shared). That's not the case here, given that your input is filled on the server (the @SYS_Application parameter, if I remember correctly). So there's no way the client side can tamper with this input.


Kind Regards,
João

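As an added illustration of the Expand Inline point in the answer above (example code written for this edit, not from the thread, from OutSystems, or from any of the posters): the same UPDATE is built three ways against an in-memory SQLite table that merely stands in for the Application entity. The table layout, the application names, and the attacker payload are all constructed for the demo; only the names Application and Disabled come from the thread, and nothing about the real OutSystems system table is assumed.

```python
"""Added example (not code from the thread or from OutSystems).

Contrast between an Expand Inline style parameter, which is pasted verbatim into
the statement text, and a bound parameter. The table, app names and payload are
constructed for the demo; the real OutSystems system table is not modelled, only
the attribute names 'Application' / 'Disabled' from the thread are reused.
"""
import sqlite3

# Constructed sample data: three imaginary applications, none disabled yet.
SAMPLE_APPS = ["Billing", "HR", "Reporting"]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database standing in for the Application entity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Application ("
        "Id INTEGER PRIMARY KEY, Name TEXT NOT NULL, Disabled INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO Application (Name) VALUES (?)", [(name,) for name in SAMPLE_APPS]
    )
    conn.commit()
    return conn


def set_disabled_expand_inline(conn: sqlite3.Connection, app_name: str, disabled: bool = True) -> None:
    """Mimics an Expand Inline parameter: the value lands in the SQL text unescaped.

    Acceptable only when app_name is produced server-side; dangerous when it is user input.
    """
    sql = (
        f"UPDATE Application SET Disabled = {int(disabled)} "
        f"WHERE Name = '{app_name}'"
    )
    conn.execute(sql)
    conn.commit()


def set_disabled_bound(conn: sqlite3.Connection, app_name: str, disabled: bool = True) -> None:
    """Same update with a bound parameter: the value can never change the statement shape."""
    conn.execute(
        "UPDATE Application SET Disabled = ? WHERE Name = ?", (int(disabled), app_name)
    )
    conn.commit()


def disabled_names(conn: sqlite3.Connection) -> list[str]:
    """Names of all applications currently flagged Disabled = 1, sorted by name."""
    rows = conn.execute("SELECT Name FROM Application WHERE Disabled = 1 ORDER BY Name")
    return [row[0] for row in rows]


def run_scenarios() -> dict[str, list[str]]:
    """Run the three cases from the answer's reasoning and report who ended up disabled."""
    # Constructed attacker payload: closes the quote, adds a filter that always
    # matches, and comments out the rest of the statement.
    payload = "Billing' OR 1=1 --"

    # 1. Expand Inline fed by user-controlled input: every row gets disabled.
    conn = make_db()
    set_disabled_expand_inline(conn, payload)
    inline_user_input = disabled_names(conn)

    # 2. Bound parameter with the same payload: it is just a literal name that matches nothing.
    conn = make_db()
    set_disabled_bound(conn, payload)
    bound_user_input = disabled_names(conn)

    # 3. Expand Inline with a value the server itself fills in (the situation the answer
    #    describes as safe): only the intended application is affected.
    conn = make_db()
    set_disabled_expand_inline(conn, "Billing")
    inline_server_value = disabled_names(conn)

    return {
        "inline_user_input": inline_user_input,
        "bound_user_input": bound_user_input,
        "inline_server_value": inline_server_value,
    }


if __name__ == "__main__":
    for case, names in run_scenarios().items():
        print(f"{case}: {names}")
```

The script only demonstrates the second caution (injection through an Expand Inline); the first one, the compiler depending on the contents of system tables, cannot be shown in a stand-alone script. The practical check for the thread's situation is the one case 3 relies on: confirm that the expanded value is computed on the server and never passes through an input a client can edit, and prefer a bound parameter wherever the statement shape allows it.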
2023-02-13 15-34-45
BabyBear

I am assuming you are referring to the system entity Application and its attribute Is_Active ({Application}.[Disabled])?


You should be fine if you are just updating that specific value, but I do not recommend it. You can toggle that in Service Center as well.

Sienna Davids

Yes I'm aware we can do it in Service Center, thank you, but we want it automated. I know it's not good practice to do this, but can I ask if there are any specific reasons you don't recommend this?

It's not Is_Active though, it's Application.Disabled.

Sienna Davids

Yes that's correct (although it's OS@SystemApplication), so I think in this case we should be ok, which is great.

Many thanks to you all for your help, much appreciated!
