Security Question

JoOfMetL posted on Tuesday, February 05, 2008

Hi,

I have this Code :

public static Currency GetCurrency(Guid id) {
         if (!CanGetObject())
                throw new System.Security.SecurityException("User not authorized to view a Currency");
            return DataPortal.Fetch<Currency>(new Criteria(id));
        }

So The Security is applied in the CanGetObject

I use a web service host to get my object.

If someone knows the Type Of my object he can write code to get my Object. whitout the securty ?

For instance, he can write :

public static Currency GetCurrency(Guid id) {
            return DataPortal.Fetch<Currency>(new Criteria(id));
}

So no security is applied.

This is a mistake on my part ?

Thank you.

ajj3085 replied on Tuesday, February 05, 2008

Well, that's always a risk in 2-tier deployment.  You probably would need to include some code in the DP_F to filter our results that can't be seen by the user.  The static method check isn't meant to be the only security in your system.

JoOfMetL replied on Tuesday, February 05, 2008

Do you hava a example to show me  when you speak to filter the result of the data according to user ?

Thank you

ajj3085 replied on Wednesday, February 06, 2008

Well, I have documents, which are quotes, orders, etc.  In the DataPortal_Fetch, if the user does not have permission to see orders, for example, I add " and DocumentType != 'O'" to the sql query.

JoOfMetL replied on Wednesday, February 06, 2008

So For instance, in the DataPortalFetch, I Can Add:

private void DataPortal_Fetch(Criteria criteria) {
            if (!CanGetObject())
                throw new System.Security.SecurityException("User not authorized to view a Currency");

            using (SqlConnection cn = new SqlConnection(Database.Connection)) {
                cn.Open();

                ExecuteFetch(cn, criteria);
            }//using
        }


?