Best Practice for security

  • 19 March 2019
  • 3 replies
  • 4 views
A
Badge +10

Looking for some advice or best practices on how to keep forms & functionality secure and / or hidden from users.
Running into test cases where an advanced user was able to bypass some of the show/hide rule logic in the IE Developer Tools.

 

Base functionality needed: 
Certain users in a K2 role (App Admin) can see different items - tabs & buttons -  than a regular standard user.
Forms are not editable to standard user but are for the App Admin.

Specific buttons are visible based on advanced conditions


IE Developer Tool issues:
Advanced user was able to manipulate the system enough to where they saw the tabs even though not in the K2 Role.  allowing them the functionality of editing all records and seeing all buttons. 


We have on the form initialization rules that if hidden datalabel has a value (the name of user in K2 role) then show or allow the edit state accordingly.

Not sure how to further security the forms and keep the functionality as set and remove the possibility from hacking.

 

Any suggestions?

 

 

 

3 replies

A

Hello,


 


You may want to look into the Authorization Framework. 


https://help.k2.com/onlinehelp/k2cloud/userguide/update_7/default.htm#authorizationframework/authorization-framework-overview.htm


 


We could block that user from seeing that view at all and being able to access it either from Designer or at Runtime. 

A
Badge +10

I think perhaps I didn't explain that well enough.

 

My security & authorization is working how it should on a normal user / admin role level.
Regular users see specific tabs on the page & filtered appropriately
Admin users see specific tabs on the page & filtered appropriately based on Role

 

HOWEVER, I had a tester go into the IE Developer Tools / Debugger and starting unchecking the style coding that does the show / hide of tabs and such.   Which then opened up all tabs / functionality to him on the form itself.

 

So what I need help with is locking down everything so users can't use the Developer Tools to bypass the role security I have setup.   Does that make sense? 

 

We aren't running into any issues on the K2 Designer.  

 

M
Badge +10

Likley the best practice that will resolve these issues for you is verifying security prior to data load.

If you move the rules that check security, to occur before your form retrieves sensitive data from smartobjects, the user will still be able to show/hide elements in developer tools, but no data will be present for them to see.

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings