
    12.0p possible to disable SQLsqlIncludeFromDynamic?

    Hi Isomorphic,

    I just saw the SQLsqlIncludeFromDynamic sample (v12.0p_2020-04-10) and wanted to ask if it is possible to disable this behavior (and if you might want to do this by default).
    I really did not expect this to be possible and I do think this might pose some kind of security hole, doesn't it?
    If you don't use fieldLevel Declarative Security everywhere (and not only on operationBinding level), this might open ways to get columns which were not intended to be used.

    Best regards
    Blama

    #2
    Yes, the property used to request joins is dsRequest.additionalOutputs and we document there that there is a server setting to turn it off.

    If you mean you have some DataSources where you protected certain fields from being viewed *solely* by replacing the default fetch operation, that's not a great practice - first of all if the field is entirely server-side, if you don't mark it as such then the field definition is delivered to the client. Second if a developer created an includeFrom from another DataSource, if there were field-level security rules, those would be enforced, but not if the only security is via the default fetch operationBinding.



      #3
      Hi Isomorphic,

      thank you, that's good to know. I will set this, as I don't use the feature.

      Yes, declarative security is very powerful when used fully. We didn't in the beginning.

      IMHO you should emphasize this more in the QSG: "Do use declarative security".
      It and the power also for the GUI become clearer in your last Reify blog post, but at least I did not use this (and DynamicDSGenerator) enough at the beginning.

      Best regards
      Blama
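
The difference this thread turns on, operationBinding-level versus field-level declarative security, shown as an added example that is not part of the original posts or of Isomorphic's sample. All DataSource, table, field and role names are hypothetical.

```xml
<!-- Added example. The two "employee" definitions are alternatives for the same
     employee.ds.xml file (before and after), not meant to be loaded together. -->

<!-- Before: salary is hidden only by narrowing the default fetch binding.
     The field itself carries no rule, so any path to it that is not limited by
     this binding's output list is not covered by any declarative check. -->
<DataSource ID="employee" serverType="sql" tableName="employee">
    <fields>
        <field name="id"     type="sequence" primaryKey="true"/>
        <field name="name"   type="text"/>
        <field name="salary" type="float"/>
    </fields>
    <operationBindings>
        <operationBinding operationType="fetch" outputs="id,name"/>
    </operationBindings>
</DataSource>

<!-- After: the rule is declared on the field. As post #2 states, field-level
     rules are enforced when the field is pulled in via includeFrom from
     another DataSource; a rule on the fetch binding alone is not. -->
<DataSource ID="employee" serverType="sql" tableName="employee">
    <fields>
        <field name="id"     type="sequence" primaryKey="true"/>
        <field name="name"   type="text"/>
        <field name="salary" type="float"
               viewRequiresRole="hr" editRequiresRole="hr"/>
    </fields>
</DataSource>

<!-- A second DataSource that reaches employee fields through a declared join.
     Review every includeFrom target for a field-level rule like the one above. -->
<DataSource ID="project" serverType="sql" tableName="project">
    <fields>
        <field name="id"       type="sequence" primaryKey="true"/>
        <field name="leadId"   type="integer"  foreignKey="employee.id"/>
        <field name="leadName" type="text"     includeFrom="employee.name"/>
    </fields>
</DataSource>
```

If client-requested joins are not used at all, the server setting documented under dsRequest.additionalOutputs turns them off, as noted in post #2.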
