System default action "Login" should be hidden from public use because it does not ask for password

By Tapas Dixit on 26 Dec 2017

Recently we identified that one of the developers is able to use the System "Login" action and is using it to get into the environment even as an administrator and is able to access critical components like Users and other applications as admin.

He had done this without any wrong intentions but we from the COE Team here in Schneider feel it can be misused.

Hence we suggest somehow hiding this action so that end developers cannot even see it.

I have raised a support ticket for this. CaseId=2035898

Some Excerpts:

"It will not be possible to go through every warning or open applications to check if developers are misusing this feature. And above this we from the platform COE will be able to check this when the application is moving from Dev/QA to higher environments like Pre-Prod and Production. We will not validate “on a daily basis” what the developers are doing in the lower environments like Dev and QA.

It is important to understand the Schneider landscape and how we use OutSystems. We are from the Platform COE here in Schneider and we are well versed with the platform. But there are many regional teams who are novices in OutSystems and may unknowingly cause mistakes. For the success of OutSystems we have to entertain this set of developers who are joining in huge numbers to this community. OutSystems in Schneider will be a success only if we have this huge vibrating community.

Our belief is the platform should be robust enough to not allow any developer to play with this feature which is allowing any end user to even log in to the platform as the platform Administrator. Hence our sincere request is to see how this can be avoided at the platform level."

Hello Tapas.

IMO the problem is that your developer should not have access to a production environment.

As with any other environment, you cannot stop a developer from misusing the system, if that's his/her intention. Remember that the developer has read/write access to the database, and is also able to publish new versions, therefore enabling him/her to inject code into the environment. With those privileges, he/she could easily change the access control of an entire application, grant privileges to any user or even change their passwords. Also, remember that the system Login is there for a reason - in many cases the password is held with a third party system, or the authentication uses a token other than the password.

Your suggestion of a fix to the problem is similar to prohibiting a chef from using a knife, because he could eventually kill a customer with it. If you have that worry, you need to hire better chefs.

Justin James 27 Dec 2017

This is a REQUIRED action for anyone building a multi-tenant application where you need a global administration system with a "Login As this user" functionality.

As Leonardo says, the problem is that you have a bad employee.

J.Ja

Rui Covelo 30 Dec 2017

Hello!


At OutSystems we constantly strive for the perfect balance between flexibility, power, ease of use and security.


In this case, the Login action without any authentication allows developers, for example, to build their own authentication methods.


As you know, you can rely on different authentication methods for logging in a user. The most common is a simple password comparison but you could implement some other method, maybe token based like OAuth or something completely different. The Login action is to be used AFTER authentication.


So I cannot agree to simply hide that action as we would lose that flexibility.


On the other hand, we are definitely interested in ideas for ways to give power to the developers without compromising security.


For example, we have recently implemented warning messages that you get when using some dangerous coding patterns. I think using the Login action is one of them.


Still, developers have the responsibility of writing the code, reading and understanding the warnings.
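The "Login only AFTER authentication" pattern discussed in this thread, as an added Python sketch that is not part of any post and is not OutSystems code: `login()` is a hypothetical stand-in for a password-less session primitive, shown once behind caller-controlled input and once behind a verified token. The key, token format and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store
SESSIONS = {}  # session id -> user id


def issue_token(user_id, expires_at):
    """What a (hypothetical) external identity system would hand to the user."""
    payload = f"{user_id}|{expires_at}"
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now):
    """Return the authenticated user id, or None if malformed, forged or expired."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, expires_at, mac = parts
    expected = hmac.new(TOKEN_KEY, f"{user_id}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not (user_id.isdigit() and expires_at.isdigit()) or int(expires_at) < now:
        return None
    return int(user_id)


def login(user_id):
    """Password-less session primitive: it trusts its caller completely."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user_id
    return sid


def unsafe_entry(request):
    # Pattern to flag in review: the identity comes straight from request input.
    return login(int(request["user_id"]))


def token_entry(request, now=None):
    # Intended pattern: authenticate first, then call login() with the verified id.
    now = int(time.time()) if now is None else now
    user_id = verify_token(request.get("token", ""), now)
    return login(user_id) if user_id is not None else None
```

In a review, the thing to check is whether every path that reaches the session primitive passes through a verification step such as `verify_token()` first.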