Falcon Space. Security and access control
How to check whether the user belongs to the role in the database
Use the function:
dbo.sec_hasAccessByUsersRoles(@username, '', [role]) = '1'
If the role list is given as *, access is granted to everyone who is authorized (logged in) in the system.
If the role list is given as all, access is granted to all users, including unauthorized users.
In all other cases, list the permitted roles separated by commas. Example: admin, manager - only users who have the manager or admin role have access.
Input data security!
1. EXTREMELY IMPORTANT!!! Do not trust data that comes into SQL from the outside (for example, an itemID variable from a form). It can be forged and contain absolutely any value. Always check the user's access by username and roles, and add specific restrictions to the queries themselves:
select * from pg_pages where forEditor='1' and id = @itemID
Here we look up the incoming itemID, but we restrict the result with an additional condition (only pages flagged for the editor can be fetched in this case).
2. Use the built-in security settings of the components by role (the users and roles fields on pages, tables, forms, and other components).
3. To prevent XSS attacks, use dbo.as_antiXSS(str) so that an attacker cannot inject a script through the input fields.
Example of use:
In this case, the input data is processed and any HTML in it is decoded.
Note: by default, XSS protection is enabled in all components for non-administrative roles and for unauthorized users.
Also, in web.config you can set which roles are allowed to save HTML in the system safely. By default, these roles are admin, siteManager, and editor. Thus, if a normal user tries to write a script (for example, enter
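The three rules above combined in one T-SQL batch, as an added example that is not part of the Falcon Space docs. The pg_pages table with its id and forEditor columns and the two dbo.* functions are from the page; the @comment variable and the pg_comments table are assumed for illustration, and the sample values are constructed.

```sql
-- Added example (not from the Falcon Space docs).
-- Assumed: @username and @itemID are supplied by the platform; pg_pages has
-- columns id and forEditor (as on the page); @comment and the pg_comments
-- table with columns pageId, username, body are hypothetical.
DECLARE @username NVARCHAR(128) = N'ivan';      -- constructed sample values
DECLARE @itemID   INT           = 42;
DECLARE @comment  NVARCHAR(MAX) = N'<script>alert(1)</script> nice page';

-- 1. Role check: only admin or manager may proceed. The role list uses the
--    comma-separated form described above; '*' would allow any authorized
--    user and 'all' would also allow anonymous visitors.
IF dbo.sec_hasAccessByUsersRoles(@username, '', 'admin, manager') <> '1'
BEGIN
    RAISERROR(N'Access denied', 16, 1);
    RETURN;
END

-- 2. Never trust @itemID on its own: it arrives from the browser and can be
--    set to any value. The extra condition limits which rows the caller can
--    reach even with a forged id.
SELECT *
FROM pg_pages
WHERE forEditor = '1'
  AND id = @itemID;

-- 3. Neutralize markup in user-entered text before it is stored, so a later
--    render of the comment cannot execute an injected script.
INSERT INTO pg_comments (pageId, username, body)
VALUES (@itemID, @username, dbo.as_antiXSS(@comment));
```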