Thursday, January 21, 2010

Add more security on the server actions

The Openbiz framework lets a browser client invoke server object methods through Ajax calls. Developers can of course add rules to protect individual actions (e.g. UpdateCondition and DeleteCondition in 2.3, or ACL control in Cubi), but people may want an easier way to filter out unsafe actions triggered from the browser.

Here is the proposal for a so-called "safe actions filter" in Openbiz 2.4. It will be released in the 2.4 SVN before February.

First, only Form object method calls from the browser are allowed. Method calls on any other object are blocked by the controller.

Second, the EasyForm class will have a new method:
public function getMethodsWhiteList()
This method returns the list of methods that are exposed to the browser client. By default, EasyForm composes the list from:
  • All methods referenced by the EventHandlers in the form metadata. Say you have 2 EventHandlers on 2 button elements of user.AccountForm, linked to the methods "editAccount" and "resetPassword". Then only these 2 methods are in the white list.
  • A few safe methods such as "selectRecord", which is usually not linked to an event handler.
When a server action is invoked (through Ajax, for example), the controller first checks that the target object is a form object, then checks that the called method is in the white list. This approach gives more security to the server-side logic.

getMethodsWhiteList() can be overridden in any of your form classes to implement custom logic.
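To make the two checks concrete, here is an added PHP illustration of the filter described above. It is not Openbiz's own code: only the name getMethodsWhiteList() comes from the post, while the class names, the metadata layout, the controller function invokeFromBrowser() and the sample methods are assumptions made for this example.

```php
<?php
// Added example (not Openbiz code): a minimal "safe actions filter" in the
// spirit of the post. Everything except getMethodsWhiteList() is assumed.

class ActionNotAllowedException extends RuntimeException {}

/** Stand-in for the form base class: builds the white list from metadata. */
class ExampleForm
{
    // Constructed metadata in the shape the post describes:
    // button elements whose EventHandlers point at form methods.
    protected array $metadata = [
        'Elements' => [
            'btnEdit'  => ['EventHandlers' => [['Function' => 'editAccount']]],
            'btnReset' => ['EventHandlers' => [['Function' => 'resetPassword']]],
        ],
    ];

    // Safe methods that are exposed even without an event handler.
    protected array $alwaysAllowed = ['selectRecord'];

    /** Default white list: event handler targets plus the always-allowed methods. */
    public function getMethodsWhiteList(): array
    {
        $list = $this->alwaysAllowed;
        foreach ($this->metadata['Elements'] as $element) {
            foreach ($element['EventHandlers'] ?? [] as $handler) {
                $list[] = $handler['Function'];
            }
        }
        return array_values(array_unique($list));
    }

    public function editAccount(): string   { return 'account edited'; }
    public function resetPassword(): string { return 'password reset'; }
    public function selectRecord(): string  { return 'record selected'; }
    // Public in PHP, but never referenced by metadata, so not callable from the browser.
    public function purgeAccounts(): string { return 'accounts purged'; }
}

/** A subclass overriding the white list with custom logic, as the post allows. */
class ExampleReportForm extends ExampleForm
{
    public function getMethodsWhiteList(): array
    {
        return array_merge(parent::getMethodsWhiteList(), ['exportReport']);
    }
    public function exportReport(): string { return 'report exported'; }
}

/** An object that is not a form: the controller refuses it before looking at methods. */
class ExampleDataObject
{
    public function deleteRecord(): string { return 'record deleted'; }
}

/** Stand-in controller performing the two checks from the post. */
function invokeFromBrowser(object $target, string $method): string
{
    // First check: only form objects may be invoked from the browser.
    if (!$target instanceof ExampleForm) {
        throw new ActionNotAllowedException('target is not a form object');
    }
    // Second check: the method must be in the form's white list (strict comparison).
    if (!in_array($method, $target->getMethodsWhiteList(), true)) {
        throw new ActionNotAllowedException("method '$method' is not white-listed");
    }
    return $target->$method();
}

// Constructed sample calls: two allowed, one blocked by the white list,
// one blocked because the target is not a form, one allowed by an override.
$calls = [
    [new ExampleForm(), 'editAccount'],
    [new ExampleForm(), 'selectRecord'],
    [new ExampleForm(), 'purgeAccounts'],
    [new ExampleDataObject(), 'deleteRecord'],
    [new ExampleReportForm(), 'exportReport'],
];
foreach ($calls as [$obj, $method]) {
    try {
        printf("%s::%s -> %s\n", get_class($obj), $method, invokeFromBrowser($obj, $method));
    } catch (ActionNotAllowedException $e) {
        printf("%s::%s -> BLOCKED (%s)\n", get_class($obj), $method, $e->getMessage());
    }
}
```

Because the list is derived from the form metadata at call time, removing a button's EventHandler automatically removes its method from the white list; nothing has to be kept in sync by hand. The strict `in_array` comparison avoids loose-typing surprises when the method name arrives as a request parameter.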
