
Protecting OutSystems apps from access control / permissions vulnerabilities

Access Control is about making sure that only the people who are supposed to do/see something are able to.

You can grant user/role permissions to:

  • Perform actions. For example, adding a user or deleting an asset.
  • See information. For example, payroll data or health records.

How to do it with OutSystems Platform

The following sections describe the recommended actions to deal with common access control use cases with OutSystems Platform:

Protecting actions

| Use case | Actions |
|---|---|
| Disable action from UI | Avoid disabling actions from the UI. Disabling a widget in the UI doesn't prevent the sensitive action code from being run by forcing or forging the POST request. |
| Hide action from UI | Avoid hiding actions from the UI. The action is still available on the page; hiding a widget in the UI doesn't prevent the sensitive action code from being run by forcing or forging the POST request. |
| Validate based on Preparation check | Avoid performing validations only in Preparation. Validating access only in Preparation will not protect against tampered ViewStates. |
| Implement a page for a role | Tailor a page with the actions available for that role. |
| Check permissions in action | Before executing any code, check whether the current session has permission to do it. |
| Set IDs | Use non-guessable IDs. |
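The Preparation, ViewState and action rows above, modelled as an added Python example (not OutSystems code; the Preparation/action/ViewState flow and the `Asset` store are assumptions that stand in for the platform's own). It contrasts an action that trusts the Preparation result carried in the ViewState with one that re-checks permission server-side, and stores assets under non-guessable IDs:

```python
import secrets
from dataclasses import dataclass

@dataclass
class Asset:
    asset_id: str
    owner: str

def create_asset(assets: dict, owner: str) -> str:
    """Store a new asset under a non-guessable ID (the 'Set IDs' row)."""
    asset_id = secrets.token_urlsafe(16)  # 128 random bits, not a sequence number
    assets[asset_id] = Asset(asset_id, owner)
    return asset_id

def preparation(assets: dict, session_user: str) -> dict:
    """Preparation: decide which assets this user may delete.
    Whatever it returns ends up in the page's ViewState, i.e. on the client."""
    return {"deletable": [a.asset_id for a in assets.values() if a.owner == session_user]}

def delete_asset_preparation_only(assets, session_user, viewstate, asset_id):
    """Vulnerable variant: the action only trusts the Preparation result in the
    ViewState (session_user is never consulted), so an edited ViewState wins."""
    if asset_id not in viewstate["deletable"]:
        return "denied"
    assets.pop(asset_id, None)
    return "deleted"

def delete_asset_checked(assets, session_user, viewstate, asset_id):
    """Hardened variant: the action re-checks authorization against the
    server-side record before doing anything, whatever the ViewState says."""
    asset = assets.get(asset_id)
    if asset is None or asset.owner != session_user:
        return "denied"
    del assets[asset_id]
    return "deleted"

def demo(delete_action):
    """Constructed scenario: Bob's session submits a ViewState edited to
    include Alice's asset ID (the forged POST the table warns about)."""
    assets = {}
    alice_asset = create_asset(assets, "alice")
    create_asset(assets, "bob")
    honest_viewstate = preparation(assets, "bob")
    tampered = {"deletable": honest_viewstate["deletable"] + [alice_asset]}
    return delete_action(assets, "bob", tampered, alice_asset)

# demo(delete_asset_preparation_only) -> "deleted"; demo(delete_asset_checked) -> "denied"
```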

Protecting information

| Use case | Actions |
|---|---|
| Display information on screens | Check in Preparation whether the current user is allowed to view this information. |

More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.