Question

Access rules by module role and Xpath Constraint

0

For security reasons we are using access rules and Xpath constraints. Should the Xpath constraint (path to user) be set for each role separate or can I combine more than 1 module role for 1 Xpath Constraint? I am now facing security issues with Mendix and can I read all records of the object while the access rules and Xpath constraint are set for the module role connected to to user who is logged in. (using Xpath injection / BURP Suite)

asked 2014-06-26

Theo Swart

1 answers

Erwin 't Hoen · Answer 1 · 2014-06-26

Theo,

The xpath constraint to the user can be combined for multiple module roles. Let's say you have a user and an admin in a module as roles, then you can define the path to the user for both module roles. You do need to take something about the permissions that you define into account a the permissions cannot be empty and only contain an xpath to the user.