I am giving the Guest user Full read and full write access to one or two of our entities as some web users have to create these entities. Is this Safe?

1
Hi All I am giving the "Guest" user Full read and full write access to one or two of our entities as some web users have to create these entities. Is this Safe?  Will somebody who knows what very are doing be able to create millions of entities. I have a username and device id that has to be setup in our system before i let the web user create anything. These are part of the deeplink url. Can you use a sniffer to see what entities are open to a Guest user and create entities without using mendix? How would i make this more secure? Regards, Patrick   
asked
1 answers
1

Patrick,

If these are ‘production’ entities (i.e. they contain information required for the application to function or are entities that maintain critical business information, I would not open them directly to anonymous users.  At a minimum, I would have the Deeplink create objects using an interim entity and institute an approval process where named users (maybe admins) of your application would need to review and approve the anonymously created objects before they are copied to the actual entity.  This would maintain some distance between anonymous users and your core data.

I don’t think a sniffer could uncover what entities are being created (the microflow actions called by a deeplink are not exposed in any way).  But a hacker could easily call a deeplink repeatedly in an attempt to overwhelm your app, without knowing specifically what the deeplink does.  

Hope that helps,

Mike

answered