Access rules by module role and Xpath Constraint

For security reasons we are using access rules and Xpath constraints. Should the Xpath constraint (path to user) be set for each role separate or can I combine more than 1 module role for 1 Xpath Constraint? I am now facing security issues with Mendix and can I read all records of the object while the access rules and Xpath constraint are set for the module role connected to to user who is logged in. (using Xpath injection / BURP Suite)
1 answers


The xpath constraint to the user can be combined for multiple module roles. Let's say you have a user and an admin in a module as roles, then you can define the path to the user for both module roles. You do need to take something about the permissions that you define into account a the permissions cannot be empty and only contain an xpath to the user.