
Protecting OutSystems apps from access control / permissions vulnerabilities

Access control is about making sure that only the users who are supposed to perform an action or see a piece of information are able to do so, and that this is enforced on the server regardless of what the browser sends.

You can grant user/role permissions to:

  • Perform actions. For example, adding a user or deleting an asset.
  • See information. For example, payroll data or health records.

How to do it with OutSystems Platform

The following sections describe the recommended actions to deal with common access control use cases with OutSystems Platform:

Protecting Actions

Use case: Disable action from UI
  Recommended action: Avoid relying on disabling actions in the UI. Disabling a widget only changes what the browser renders; it doesn't prevent the sensitive action code from being run by forcing or forging the POST request.

Use case: Hide action from UI
  Recommended action: Avoid relying on hiding actions in the UI. The action is still available on the page. Hiding a widget only changes what the browser renders; it doesn't prevent the sensitive action code from being run by forcing or forging the POST request.

Use case: Validate based on Preparation check
  Recommended action: Avoid performing validations only in the Preparation. The request may carry old page or screen values (for example, from a second open tab, or after the user clicks the browser's back button), so the server must re-validate that the action still applies at the moment it runs instead of relying on information calculated in the Preparation.

Use case: Implement a page for a role
  Recommended action: Tailor a page so that it only exposes the actions available to that role, and still check permissions in each action.

Use case: Check permissions in action
  Recommended action: Before executing any code in the action, check that the current session has permission to perform it.

Use case: Set IDs
  Recommended action: Use non-guessable IDs for records exposed in URLs and requests, so that an attacker cannot enumerate other users' records by incrementing a sequential identifier. Non-guessable IDs complement the permission check; they do not replace it.

Protecting Information

Use case: Display information on screens
  Recommended action: Check in the Preparation whether the current user is allowed to view this information before fetching or rendering it.
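The following is an added example that is not OutSystems code and is not taken from the page: it uses plain Python stand-ins for a screen action and a Preparation to show the checks the two tables above recommend. The session, role names ("User", "Administrator"), the in-memory store and the asset records are assumptions constructed for illustration. It contrasts an action that only trusts the widget state posted back by the browser with one that authorizes on the server, re-checks the current record state so a replayed request from an old tab is refused, and uses non-guessable record IDs; the same authorization helper guards the data returned by the detail-screen Preparation.

```python
"""Server-side access control checks (added example; not OutSystems code)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Assumed shape of the current user session."""
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Asset:
    """Assumed record type; 'deleted' is the state the action must re-check."""
    id: str
    owner_id: str
    deleted: bool = False


class PermissionDenied(Exception):
    pass


class StaleState(Exception):
    pass


def new_asset_id() -> str:
    # Non-guessable ID: 128 bits from the OS CSPRNG, 22 URL-safe characters.
    # A sequential integer would let anyone enumerate other users' records.
    return secrets.token_urlsafe(16)


class AssetStore:
    """In-memory stand-in for the database (constructed for the example)."""

    def __init__(self):
        self._assets = {}

    def create(self, owner_id: str) -> str:
        asset = Asset(id=new_asset_id(), owner_id=owner_id)
        self._assets[asset.id] = asset
        return asset.id

    def get(self, asset_id: str) -> Optional[Asset]:
        return self._assets.get(asset_id)


def _authorize(session: Session, store: AssetStore, asset_id: str) -> Asset:
    """Permission check run first in every action and Preparation.

    Only the owner or an Administrator may proceed. A missing record is
    reported exactly like a forbidden one, so a caller cannot probe which
    IDs exist.
    """
    asset = store.get(asset_id)
    if asset is None:
        raise PermissionDenied(asset_id)
    if "Administrator" not in session.roles and asset.owner_id != session.user_id:
        raise PermissionDenied(asset_id)
    return asset


def delete_asset_trusting_ui(store: AssetStore, asset_id: str, button_enabled: bool) -> str:
    """The anti-pattern: the only 'check' is the widget state that the browser
    posts back, which an attacker simply sets to True in a forged request."""
    if not button_enabled:
        raise PermissionDenied(asset_id)
    asset = store.get(asset_id)
    if asset is not None:
        asset.deleted = True
    return "deleted"


def delete_asset(session: Session, store: AssetStore, asset_id: str) -> str:
    """Hardened screen action: authorize, then re-check the current record
    state instead of trusting values computed when the page was rendered."""
    asset = _authorize(session, store, asset_id)
    if asset.deleted:
        # A second tab or the browser back button can replay a request for a
        # record that no longer applies; refuse rather than act on stale data.
        raise StaleState(asset_id)
    asset.deleted = True
    return "deleted"


def view_asset(session: Session, store: AssetStore, asset_id: str) -> dict:
    """Preparation for a detail screen: same check before any data is returned."""
    asset = _authorize(session, store, asset_id)
    return {"id": asset.id, "owner": asset.owner_id}


def outcome(fn, *args) -> str:
    """Run an action and report 'ok' or the name of the refusal it raised."""
    try:
        fn(*args)
        return "ok"
    except (PermissionDenied, StaleState) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    alice = Session("alice", frozenset({"User"}))
    mallory = Session("mallory", frozenset({"User"}))
    store = AssetStore()
    asset_id = store.create(alice.user_id)
    # Forged POST with the 'disabled' flag flipped on: the UI-only check passes.
    print(outcome(delete_asset_trusting_ui, store, asset_id, True))  # ok
    store = AssetStore()
    asset_id = store.create(alice.user_id)
    print(outcome(delete_asset, mallory, store, asset_id))  # PermissionDenied
    print(outcome(delete_asset, alice, store, asset_id))    # ok
    print(outcome(delete_asset, alice, store, asset_id))    # StaleState
```

The key design choice is that `_authorize` raises rather than returns a flag, so an action cannot accidentally continue past a failed check, and that it is the same helper for reads (the Preparation) and writes (the action): hiding a record from a list screen is not enough if the detail screen or the delete action accepts any ID that is posted.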