- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-22-2013 08:47 AM
I created a custom application for our information security group and there are two issues that I could use help with.
#1 If a non-permissioned user gains access to a URL they can open a page. That page will immediately redirect them but the page is open for a split-second before the redirect. Does anyone know of a way to keep the page from even populating in the first place.
#2 Is related to #1. If a user (ITIL) has a ticket number they can perform a global search and the page will open and then redirect. So, I need to prevent the search from even happening.
My business rules, which are before query and just check for the user role and redirect if there is a problem, are not doing the job.
Do you have any strategy to help me lock down the tables in this application so that users won't be able to access the secure data via a hyperlink or global search?
And if it should be a business rule can you provide an example?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-22-2013 05:53 PM
You'll still need to use an ACL for that behavior--I've never had an ACL allow access, regardless of the manner in which access was requested.
Given your complex requirements, you'll probably have to script the ACL rule, and it sounds like you're familiar with the concepts involved. We NEVER recommend writing an on/query business rule--they can impact performance, and ACLs are still better.
In similar situations (Group A shouldn't see Group B's tickets and vice versa), we combine all ROW/read ACLs into a single one.
NOTE: make sure you combine your "cheap" access checks (those in the current object or a part of the session, or likely cached) first. Roles and session variables (like "gs.getUserID()") are cached:
answer = shouldReadTicket();
function shouldReadTicket(){
var u = gs.getUserID();
if (gs.hasRole('itil_admin') || current.caller_id == u || current.opened_by == u){
return true;
}
if (gs.getUser().isMemberOf(current.assignment_group + '')){
return true;
}
return false;
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-22-2013 05:53 PM
You'll still need to use an ACL for that behavior--I've never had an ACL allow access, regardless of the manner in which access was requested.
Given your complex requirements, you'll probably have to script the ACL rule, and it sounds like you're familiar with the concepts involved. We NEVER recommend writing an on/query business rule--they can impact performance, and ACLs are still better.
In similar situations (Group A shouldn't see Group B's tickets and vice versa), we combine all ROW/read ACLs into a single one.
NOTE: make sure you combine your "cheap" access checks (those in the current object or a part of the session, or likely cached) first. Roles and session variables (like "gs.getUserID()") are cached:
answer = shouldReadTicket();
function shouldReadTicket(){
var u = gs.getUserID();
if (gs.hasRole('itil_admin') || current.caller_id == u || current.opened_by == u){
return true;
}
if (gs.getUser().isMemberOf(current.assignment_group + '')){
return true;
}
return false;
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2013 07:21 AM
Thank you Valor. Got it working.
