SmartClient Version: v8.3p_2013-06-22/PowerEdition Deployment (built 2013-06-22)
If I add a criteria in a remove or update operation, say
Code:
<operationBinding operationType="update">
    <criteria fieldName="LISTINO_TYPE" operator="equals" value="1"></criteria>
</operationBinding>
and then execute an update:
Code:
JPC_LISTINI.updateData({ID_REC:465725, DESCRIZIONE:'TEST UPDATE'})
it isn't used in the SQL where clause:
Code:
2013-06-28 15:39:43,798 INFO SQLDriver [builtinApplication.JPC_LISTINI_update] Executing SQL update on 'dbJpcEP': UPDATE DBSALES.JPC_LISTINI SET DESCRIZIONE='TEST UPDATE', ID_REC=465725 WHERE (JPC_LISTINI.ID_REC=465725)
Why? I think that it must be used, even if the primary key is present, because, quoting from operationBinding.criteria docs:
Code:
The effect of this is to apply any criteria specified here as additional constraints on top of what the user has specified, and of course, the user is unable to affect this. Thus, this is a suitable and convenient place to enforce rules such as "Users can only ever see their own records".
and the primary key could be guessed by an attacker.
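An added example, not part of the original post and not SmartClient code: a regression check that compares the `<criteria>` fields declared in the binding with the columns that appear in the WHERE clause of the statement SQLDriver logs. The function names are hypothetical, and the second log line is constructed to show the passing case.

```python
import re
import xml.etree.ElementTree as ET

# Binding and log line as posted above.
BINDING = ('<operationBinding operationType="update">'
           '<criteria fieldName="LISTINO_TYPE" operator="equals" value="1"></criteria>'
           '</operationBinding>')
LOGGED = ("2013-06-28 15:39:43,798 INFO SQLDriver [builtinApplication.JPC_LISTINI_update] "
          "Executing SQL update on 'dbJpcEP': UPDATE DBSALES.JPC_LISTINI SET "
          "DESCRIZIONE='TEST UPDATE', ID_REC=465725 WHERE (JPC_LISTINI.ID_REC=465725)")
# Constructed line: the same statement with the declared criteria applied.
CONSTRUCTED_OK = LOGGED[:-1] + " AND JPC_LISTINI.LISTINO_TYPE=1)"


def declared_fields(binding_xml):
    """Field names of every <criteria> element in an operationBinding."""
    root = ET.fromstring(binding_xml)
    return [c.get("fieldName") for c in root.iter("criteria")]


def where_columns(log_line):
    """Upper-cased column names compared in the WHERE clause of a logged statement."""
    m = re.search(r"Executing SQL \w+ on '[^']*': (.*)$", log_line)
    if not m:
        raise ValueError("not a SQLDriver 'Executing SQL' line")
    # Blank out string literals so user-supplied values cannot satisfy the check.
    sql = re.sub(r"'(?:[^']|'')*'", "''", m.group(1))
    parts = re.split(r"\bWHERE\b", sql, maxsplit=1, flags=re.I)
    if len(parts) < 2:
        return set()  # no WHERE clause at all
    cols = re.findall(r"(?:\w+\.)?(\w+)\s*(?:=|<>|!=|<|>|\bIN\b|\bLIKE\b)",
                      parts[1], flags=re.I)
    return {c.upper() for c in cols}


def missing_criteria(binding_xml, log_line):
    """Declared criteria fields that the logged WHERE clause does not constrain."""
    cols = where_columns(log_line)
    return [f for f in declared_fields(binding_xml) if f.upper() not in cols]


if __name__ == "__main__":
    print("posted log line, missing:", missing_criteria(BINDING, LOGGED))
    print("constructed line, missing:", missing_criteria(BINDING, CONSTRUCTED_OK))
```

Run against captured server logs in a test environment, a non-empty result means the binding's row-level restriction is not reaching the database for that operation.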