Action according to user, [usr_login] (Security issue)

Hi,
Is there a security issue in SC9? If I want to take some action, like filtering a query according to which user is logged in, I use the variable [usr_login].
The problem is that if I then run the form with parameters, /Formname/?usr_login=admin, I get the filter for admin! I tried any combination of POST, GET and Global and it makes no difference.
As soon as I use the variable, it becomes public and can be changed with a URL parameter.
So how can I securely find out which user is logged in and take action?

Yes, this is a security issue. However, it is solvable: go to your application(s), open the application section, set the global variable to ‘session’ and uncheck GET and POST. That will hide the variable from the URL. (It should be set that way by default, but …)

Thank you aducom, but that’s just it! It still accepts the variable and changes its value! :eek:

One workaround that appears to work is to put this in an internal library and call the function to get the logged-in user:

// Internal library function: the [usr_login] global is only referenced here,
// never directly in the application's own code.
function getuser()
{
    return [usr_login];
}

That hides the variable, and it cannot be set… But I must test some more…
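An added illustration of the two lookup policies under discussion, written in plain PHP rather than Scriptcase code (nothing here is Scriptcase's own API or generated code). As a model of the behaviour reported above, it assumes that the insecure resolver lets a GET or POST parameter of the same name override the session value; the session-only resolver is the behaviour one wants. The sample request, the table and column names, and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

/*
 * Two ways of resolving a "global variable" such as usr_login.
 *
 * resolveInsecure()    models the reported bug: a request parameter
 *                      (GET or POST) of the same name overrides the
 *                      value stored in the server-side session. This is
 *                      an assumption about the observed behaviour.
 * resolveSessionOnly() is the safe policy: only the server-side session
 *                      is consulted; request parameters are ignored.
 */
function resolveInsecure(string $name, array $session, array $get, array $post): ?string
{
    // Attacker-controlled inputs win over the authenticated session value.
    if (array_key_exists($name, $post)) {
        return (string) $post[$name];
    }
    if (array_key_exists($name, $get)) {
        return (string) $get[$name];
    }
    return isset($session[$name]) ? (string) $session[$name] : null;
}

function resolveSessionOnly(string $name, array $session): ?string
{
    return isset($session[$name]) ? (string) $session[$name] : null;
}

/*
 * Build the per-user filter as a parameterised query, so the login value
 * is bound as data and never concatenated into the SQL text. A missing
 * session value is an error (deny), not a fall-through to "no filter".
 * Table and column names are constructed for this example.
 */
function buildUserFilter(?string $login): array
{
    if ($login === null || $login === '') {
        throw new RuntimeException('no authenticated user in session');
    }
    return ['SELECT * FROM orders WHERE owner_login = :login', [':login' => $login]];
}

// Constructed sample request: "bob" is logged in, but the URL carries
// ?usr_login=admin, exactly the scenario from the first post.
$session = ['usr_login' => 'bob'];
$get     = ['usr_login' => 'admin'];
$post    = [];

[$sql, $params] = buildUserFilter(resolveInsecure('usr_login', $session, $get, $post));
printf("insecure : %s  -- %s\n", $sql, json_encode($params));   // filters on admin

[$sql, $params] = buildUserFilter(resolveSessionOnly('usr_login', $session));
printf("session  : %s  -- %s\n", $sql, json_encode($params));   // filters on bob

// With no login in the session the secure path refuses instead of filtering
// on whatever the request supplied.
try {
    buildUserFilter(resolveSessionOnly('usr_login', []));
} catch (RuntimeException $e) {
    printf("no session: %s\n", $e->getMessage());
}
```

Run with `php` on the command line: the insecure path produces a filter bound to `admin`, the session-only path one bound to `bob`, and an empty session is rejected rather than silently widening the query. The point is that the application code should have exactly one place that reads the login, and that place must consult the server-side session only.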

That does look more serious than I thought! I never use these variables, but use personal global variables. I think that is the reason why I haven’t found it, but it will have the same issue. But the variable name is unknown. But I like your workaround.