
Hello all,

I have a serious security problem because of the missing link between activity and a form.

Let me explain with an example:

Process steps:
  Activity_1 (requests travel) -> Activity_2 (approves) -> Activity_3 (books travel)

Process data fields (which should be written in these activities):
  Activity_1: Location, Amount
  Activity_2: Approver Name, Approved (y/n)
  Activity_3: Travel booked (y/n)

The different client events call these forms:
  Activity_1: Form_01.aspx
  Activity_2: Form_02.aspx
  Activity_3: Form_03.aspx


Now the problem:
User 3 clicks in his worklist on the "Book travel" activity. A browser opens, for example with this URL: "http://server/travelrequest/form_03.aspx?sn=server,25,41".

Now, to trick the system, all he has to do is copy & paste the URL and change the form number ("http://server/travelrequest/form_02.aspx?sn=server,25,41"). He could now finish the event, changing for example the approval (which is normally stored in step 2 = form_02).

Is there any way to query, for example on page load, which activity SHOULD correspond to sn=server,25,41? Then you could stop the load of the page.

Thanks for any suggestions,
Andrea Ravasi

How about putting some process data to indicate which activity has been completed and not allow going directly to a page?
Hello Peter,

This would work, but it is quite a nasty workaround. You would lose a lot of flexibility, especially when changing the process flow later on. It could also cause strange behaviour when changing the current activity from the K2.Net Service Account, blocking the process.

Linking the forms to process instance data is just not the right way; there has to be a way to query the process instance activity to check if it is the right form.

Regards,
Andrea Ravasi
Hello everyone again,

I just found the solution; perhaps someone is interested. For me this is very important, as security in our case is very important.

I run this on Page_Load in each form to ensure that the form is the correct one:

[C# Syntax]
// Name of the activity this form belongs to (set per form page).
string expectedActivity = "Test";
// Serial number of the worklist item, taken from the form URL (?sn=server,25,41).
string sn = Context.Request.QueryString["sn"];
// conn is a SourceCode.K2ROM.Connection already opened against the K2 server (not shown in the post).
SourceCode.K2ROM.WorklistItem wi = conn.OpenWorklistItem(sn, "ASP");
// The activity the worklist item actually belongs to.
string activityName = wi.ActivityInstanceDestination.Name;
if (activityName != expectedActivity) {
    // Error handling: wrong form for this worklist item, stop loading the page here (e.g. Response.End())
}

Regards,
Andrea Ravasi
Thanks, that should come in handy.

That seems like something that should be in the regular SmartForm template, to have that security in each page?
Actually, I think that SmartForms do NOT check this by default: you have the property "Activity", but if I remember correctly there was no error when you used the form in another activity.

Anyway, I need this check in every page, as I do not want to inherit from SmartForm (I do not need any SmartForm functionality).

Regards,
Andrea
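One way to get Andrea's check into every page without inheriting from SmartForm is a small base page of your own that performs it before any page code runs. The following is an added example, not code from the original thread and not K2's own code. It assumes a hypothetical base class ActivityBoundPage, a hard-coded server name constant, and that SourceCode.K2ROM.Connection exposes Open(server) and Close(); OpenWorklistItem(sn, "ASP") and ActivityInstanceDestination.Name are the calls from the post above.

```csharp
using System;
using System.Web;
using System.Web.UI;
using SourceCode.K2ROM;

// Hypothetical base page (not K2 code, not from the original post).
// Every form page derives from it and declares which activity it serves,
// so the check runs once, in one place, for all forms.
public abstract class ActivityBoundPage : Page
{
    // Assumption: the K2.net server name, the same value that leads the
    // sn in the form URL ("server,25,41").
    private const string K2Server = "server";

    // Each form declares the single activity it is allowed to serve.
    protected abstract string ExpectedActivity { get; }

    // OnInit runs before Page_Load and before any control event, so a
    // wrong form is rejected before a button handler can write process data.
    protected override void OnInit(EventArgs e)
    {
        string sn = Request.QueryString["sn"];
        if (sn == null || sn.Length == 0)
        {
            Reject("no sn in query string");
            return;
        }

        string actualActivity = LookupActivity(sn);

        // Fail closed: an item that cannot be opened counts as a mismatch.
        if (actualActivity == null ||
            !String.Equals(actualActivity, ExpectedActivity, StringComparison.Ordinal))
        {
            Reject(Request.Path + " is not the form for activity '" + actualActivity + "'");
            return;
        }

        base.OnInit(e);
    }

    // Opens the worklist item exactly as the post does and returns the name
    // of the activity it belongs to, or null if it cannot be opened (for
    // example because the sn is not on the calling user's worklist).
    private static string LookupActivity(string sn)
    {
        Connection conn = new Connection();
        try
        {
            conn.Open(K2Server);                            // assumed Open(server) overload
            WorklistItem wi = conn.OpenWorklistItem(sn, "ASP");
            return wi.ActivityInstanceDestination.Name;
        }
        catch (Exception)
        {
            return null;
        }
        finally
        {
            conn.Close();                                   // assumed Close() method
        }
    }

    // Stops the request: nothing after OnInit runs, so no process data is touched.
    private void Reject(string reason)
    {
        // Log the reason server-side only; the client gets a bare 403.
        System.Diagnostics.Trace.WriteLine("ActivityBoundPage: " + reason);
        Response.StatusCode = 403;
        Response.End();
    }
}

// Code-behind for Form_02.aspx, which belongs to the approval step only.
public class Form02 : ActivityBoundPage
{
    protected override string ExpectedActivity
    {
        get { return "Activity_2"; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only when sn points at an Activity_2 worklist item;
        // a pasted form_02.aspx URL for an Activity_3 item never gets here.
    }
}
```

Doing the comparison in OnInit rather than Page_Load matters on postback: the approval data is written from a button's event handler, and that handler runs after Page_Load, so a check that only redirects from Page_Load without ending the response can still let the write through. Keeping the expected activity as a per-page property instead of a literal inside Page_Load also means the form-to-activity mapping is visible in one line per form when the process flow is changed later.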
