Falcon Space. Security and access control

How to check whether the user belongs to the role in the database

Use the function

dbo.sec_hasAccessByUsersRoles(@username, '', [role]) = '1' 


If the role list is *, access is granted to everyone who is authorized (logged in) in the system.

If the role list is all, access is granted to all users, including unauthorized users.

In all other cases, list the access roles separated by commas. Example: admin, manager - only users who have the admin or manager role have access.

Input data security!

1. EXTREMELY IMPORTANT!!! Do not trust data that comes into SQL from the outside (for example, an itemID variable from a form). Such values can be forged, and absolutely any data can be sent. Always check the user's access by username and roles, and add specific restrictions to the queries themselves:

select * from pg_pages where forEditor='1' and id = @itemID 

Here we look up the incoming itemID, but we narrow the result with an additional condition (only pages marked for the editor can be retrieved in this case), so a forged id for any other page returns nothing.
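As an added example (not code from the Falcon Space documentation), the following T-SQL stored procedure combines the role check from the first section with the row restriction just described. It assumes dbo.sec_hasAccessByUsersRoles and the pg_pages table exist as the page describes; the procedure name example_getPageForEditor and its parameters are hypothetical.

```sql
-- Added example, not part of the Falcon Space documentation.
-- Assumptions: dbo.sec_hasAccessByUsersRoles and pg_pages exist as the page
-- describes; the procedure name and parameters are hypothetical.
CREATE OR ALTER PROCEDURE dbo.example_getPageForEditor
    @username nvarchar(256),   -- the current user, taken from the session, not from the form
    @itemID   int              -- comes from the client and therefore cannot be trusted
AS
BEGIN
    SET NOCOUNT ON;

    -- Step 1: only users holding the admin or editor role may call this at all.
    IF dbo.sec_hasAccessByUsersRoles(@username, '', 'admin,editor') <> '1'
    BEGIN
        RAISERROR('Access denied', 16, 1);
        RETURN;
    END

    -- Unsafe variant (for comparison only): trusting @itemID alone would let a
    -- forged id read any page in the table.
    --   SELECT * FROM pg_pages WHERE id = @itemID;

    -- Step 2: the safe variant from the text. The row is additionally limited
    -- to pages marked for the editor, so a forged id for any other page
    -- simply returns no rows.
    SELECT *
    FROM pg_pages
    WHERE forEditor = '1'
      AND id = @itemID;
END
GO

-- Usage: the username is supplied by the server-side session, the id by the form.
EXEC dbo.example_getPageForEditor @username = N'someEditor', @itemID = 42;
```

The role check fails closed (an error and no result set), while the row filter turns an out-of-scope id into an empty result rather than an error, which is usually what a page component expects.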

2. Use the initial security settings for the components by role (the users and roles fields for pages, tables, forms, and other components).

3. To prevent XSS attacks, pass user input through dbo.as_antiXSS(str) so that an attacker cannot inject a script through the input fields.

Example of use:

select dbo.as_antiXSS('asd')

In this case, the input data is processed and any HTML it contains is neutralized.
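As an added example (not code from the Falcon Space documentation), here is a T-SQL save procedure that applies dbo.as_antiXSS to a user-supplied field, skipping it only for the roles the page names as allowed to save HTML by default. It assumes dbo.as_antiXSS and dbo.sec_hasAccessByUsersRoles exist as the page describes; the table example_comments, the procedure example_saveComment and the sample input are constructed for the example.

```sql
-- Added example, not part of the Falcon Space documentation.
-- Assumptions: dbo.as_antiXSS and dbo.sec_hasAccessByUsersRoles exist as the
-- page describes; the table, procedure and sample input are constructed here.
CREATE TABLE dbo.example_comments (
    id     int IDENTITY(1,1) PRIMARY KEY,
    author nvarchar(256) NOT NULL,
    body   nvarchar(max) NOT NULL
);
GO

CREATE OR ALTER PROCEDURE dbo.example_saveComment
    @username nvarchar(256),   -- from the session, not from the form
    @body     nvarchar(max)    -- free text typed by the user
AS
BEGIN
    SET NOCOUNT ON;

    -- admin, siteManager and editor are the roles the page lists as allowed to
    -- save raw HTML by default; everyone else has the body sanitized.
    DECLARE @safeBody nvarchar(max) =
        CASE
            WHEN dbo.sec_hasAccessByUsersRoles(@username, '', 'admin,siteManager,editor') = '1'
                THEN @body
            ELSE dbo.as_antiXSS(@body)
        END;

    INSERT INTO dbo.example_comments (author, body)
    VALUES (@username, @safeBody);
END
GO

-- Constructed input: a normal user submits text that contains a script tag.
-- For this user the stored body is the sanitized form, not the raw tag.
EXEC dbo.example_saveComment
    @username = N'someUser',
    @body     = N'hello <script>alert(1)</script>';

SELECT id, author, body FROM dbo.example_comments;
```

Deciding in SQL which users may keep raw HTML mirrors the web.config role list mentioned in the next note, so custom procedures stay consistent with the component defaults.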


Note: by default, XSS protection is enabled in all components for non-administrative roles and unauthorized users.

Also, in web.config you can set which roles are allowed to save HTML in the system. By default, these roles are admin, siteManager, and editor. Thus, if a normal user tries to write a script (for example, enter

Falcon Space is a functional web development platform on a narrow stack, MS SQL/Bootstrap. Falcon Space Getting started